GDPR Audit Program for Small and Medium Enterprises 



As of 25 May 2018, GDPR gives EU residents control over their personal data wherever in the world they or their data may reside. It not only standardizes regulation across the EU and the European Economic Area (EEA); GDPR also affects all enterprises that process data from EU/EEA countries. All EU businesses are subject to GDPR, but its effect goes even further. Given the global scope of today’s digitally based commerce, the impact of GDPR certainly will be felt by many businesses across the world that are located outside the physical borders of the EU.

GDPR replaces Data Protection Directive 95/46/EC and is designed to:

  • Harmonize data privacy laws across Europe
  • Protect and empower all EU citizens with respect to data privacy
  • Reshape the way organizations across the region approach data privacy

GDPR represents the most important change in data privacy regulation in 20 years. It fundamentally reshapes the way personal data are handled across every sector, from healthcare to banking and beyond, not only throughout the whole of Europe, but around the globe, depending on what data are processed and where. Compliance with GDPR is mandatory.

Therefore, it is vital for enterprises to be able to provide evidence of their governance framework and transparency with regard to their data processing practices related to data collection, use, storage and deletion across the life cycle of data management. Over the years, organizations have invested in control frameworks to increase data protection compliance. Business applications existing outside these frameworks can jeopardize the overall security and compliance posture of an organization.

Audit Objectives

The objective of a GDPR audit is to provide management with an evaluation of how effectively GDPR is being governed, monitored and managed. The review will focus on GDPR governance and response mechanisms as well as supporting processes which can help manage the risk associated with noncompliance.

Accordingly, the audit program seeks to:

  • Provide management with an assessment of GDPR policies and procedures and their operating effectiveness
  • Identify control weaknesses which could result in increased use of unsanctioned GDPR solutions (and higher likelihood that the solutions are not detected)
  • Evaluate the effectiveness of the organization’s practices and ongoing management of GDPR