Audit of personal data protection

The main aim of the audit is to assess how well prepared the organization is to meet the obligations arising from the provisions of the General Data Protection Regulation (RODO / GDPR).

The scope of the GDPR audit

As part of the personal data protection audit:

  • we identify the processes in which personal data is processed,
  • we determine the client’s status in terms of the roles among entities processing personal data (controller, joint controller, processor, sub-processor),
  • we examine the legal bases for personal data processing specified in the GDPR for the individual processes carried out by the client,
  • we review the consent clauses in use for data processing,
  • we review the information clauses in use (e.g. towards employees, customers and suppliers),
  • we analyze the documentation concerning the processing of personal data (including documentation from the risk assessment of personal data processing activities),
  • we verify the content of the data processing agreements concluded by the client,
  • we review the procedures for fulfilling the obligations incumbent on the client under the GDPR (e.g. reporting breaches or handling requests from data subjects),
  • we check the technical and organizational measures used to secure personal data for compliance with the provisions of the GDPR and with the internal risk analysis.

Result of work: Report

The result of the audit work is a report containing a list of recommendations and an implementation plan, presented to the management of the audited entity.
In practice, audit reports include, among other things:

  • a description of the facts,
  • a description of the irregularities found, with reference to the evidence that confirms them,
  • the level of implementation of the standards arising from the GDPR,
  • recommended remedial actions to raise the level of data protection in the organization,
  • a proposed schedule for further work on implementing the recommendations.

Examples of issues raised in reports by the Juvo team, discussed with the aim of bringing the client into compliance with the GDPR, include:

  • determining whether an impact assessment for the processing of personal data needs to be carried out,
  • assessing whether there is an obligation to appoint a Data Protection Officer (DPO),
  • suggestions on how to adapt the IT environment to the GDPR requirements.