What is a data protection audit? Is it mandatory?


With the changes that have occurred in recent months, today we will explain what the new GDPR audit consists of and, most importantly, whether your company is obliged to perform one.

What is a GDPR audit?

The GDPR audit is an instrument through which the personal data processing carried out by the company is evaluated: which personal data is processed, who the controllers are, and for what purpose the data is collected.

Conducting an audit will make it easier to adapt your company to the GDPR, since through it you will learn in depth the nature of the data you handle, how it should be processed, and the security measures you must implement.

Why perform a GDPR audit?

The audit is performed to check the level of security of the personal data being handled and to adjust that level where it falls short.

Once the audit is conducted, the auditors will provide you with a report. This document informs you of the security measures your company must adopt to comply with the regulation. Among these measures, it explains which shortcomings exist and which improvements can be implemented. It also tells you how to train your workers in the field of data protection and whether you are required to appoint a data protection officer.

In short, the objectives of the audit are:

  1. Meet the obligation of verifying security measures.
  2. Determine possible deficiencies in the company’s information system and establish corrective actions.
  3. Consider improvement opportunities and recommendations on audited security measures themselves in a process of continuous improvement.
  4. Study in detail the personal data flow or internal procedures in which the GDPR has a special impact in order to adjust them to the regulation.
  5. Raise awareness and prepare the personnel about the importance of personal information, ensuring the protection and rights of those affected in this way.

Is it mandatory to perform a GDPR audit?

Performing a GDPR audit is not mandatory in itself. Nonetheless, for peace of mind and to ensure that our organization complies with the new regulation, we must analyze what level of security our company presents and whether it is sufficient.

In Spain, there is currently an obligation for companies whose data falls under the medium security level to perform an audit at least every two years.


Sanctions may be imposed when data processing does not comply with the European Data Protection Regulation or when a personal data leak is detected, among other reasons.

One of the novelties with respect to the previous LOPD (Spanish Organic Law on personal data protection) is the increase in the monetary amount of the sanctions. Fines may reach up to 20,000,000 euros, ranging between 10 and 20 million euros or between 2% and 4% of the company’s global turnover. However, we would like to clarify that not performing the audit is not in itself grounds for a sanction.



Article written by

Lisa Hoffman

Chief of Legal Operations at Pridatect and certified data protection officer
