Beyond the legal risk, a website's GDPR compliance is a question of its credibility with its audience, its users and its customers. Conducting a compliance audit means both checking that your website complies with the legislation and ensuring the trust of Internet users. This article explains what such an audit should cover and deliver.
[Image: GDPR audit of a website]
Audit the quality of information provided to Internet users
Whatever the nature of a web project, it is likely to be affected by the European GDPR legislation. Let us briefly recall that this regulation aims to protect fundamental rights, including the privacy of European citizens. In short, it is up to web players (of which you are a part as a company, association or other private or public entity) to be perfectly transparent about the use made of Internet users' data.
Also read our article: Protection of personal data: the impact of the GDPR on web projects.
Thus, a first point to check in an audit is the degree of "transparency" that an entity actually offers, through its web properties, to its users, customers and visitors. This "transparency" is measured as the ease of access to information about the use of personal data. The user or visitor must be able to find out directly which personal data are collected and what processing is done with them.
Concretely, this audit criterion examines the legal-notice pages specific to the processing of personal data: their substance, their form, and their position in the user's journey through the site. The information must be of excellent quality and easily accessible.

Audit the possibilities of exercising one's rights
Immediately linked to this duty of information, another important point to audit is the means available to a person to exercise their rights relating to their data.
Let us recall that the GDPR guarantees European citizens that their personal data belong to them: the data must be accurate, rectified if necessary, portable, and permanently deleted on request.
A website or application must therefore provide all the information needed to carry out a procedure for exercising one of these rights over personal data. Concretely, a GDPR audit will verify that Internet users have access to a clear procedure (possibly a tool directly online) to contact the responsible person and make a request concerning their personal data. This information must also be straightforward and must not create any particular difficulty in exercising those rights.
It is also appropriate to audit the ability of the company or institution responsible for the website to process such requests efficiently and transparently. In this part of the audit, we therefore analyze the internal organization, the quality of the procedure, and the personal data protection skills of the people involved.
Technical audit
Checking that the digital product complies with the GDPR from an organizational point of view is not enough. A website or a web or mobile application has technical implications for the protection of personal data, and in particular for its security. It is necessary to ensure that no technical flaw jeopardizes the personal data of visitors and users. On this point, the GDPR audit overlaps with the concerns of a security audit.
From a technical point of view, we also check two important points:
The mechanisms relating to cookies: the personal data they capture and the ability of users to consent, or not, to their use in full knowledge of the facts. The GDPR audit focuses in particular on the implementation of a cookie and consent management tool (Consent Management Platform);
The backend mechanisms for effectively implementing the rectification or erasure of personal data, at the level of technical storage components such as databases.
Depending on the volume of data processed and their level of sensitivity, the security audit accompanying the GDPR audit must be sized accordingly.
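One concrete check behind the cookie point above is whether a site sets anything beyond strictly necessary cookies on a first, consent-free page load, and whether the cookies it does set carry basic security attributes. The following helper is an added example, not code from the article or from Adimeo; the allowlist of cookie names and the Set-Cookie headers are constructed sample data.

```python
# Added example (not from the original article): audit the cookies observed on a
# first page load, before any consent is given, against an allowlist of strictly
# necessary cookies, and flag missing security attributes.

# Constructed allowlist: names the site owner has documented as strictly necessary
# (session, CSRF token, and the consent choice itself). Names are hypothetical.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "cookie_consent"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into the cookie name and its attributes.

    Attribute keys are lower-cased so 'Secure' and 'secure' compare equal;
    value-less attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def audit_pre_consent_cookies(headers: list[str]) -> list[str]:
    """Return one finding per problem: a non-essential cookie set before consent,
    a cookie without the Secure attribute, or a session cookie without HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name, attrs = cookie["name"], cookie["attrs"]
        if name not in STRICTLY_NECESSARY:
            findings.append(f"{name}: non-essential cookie set before consent")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
        if "session" in name.lower() and "httponly" not in attrs:
            findings.append(f"{name}: session cookie missing HttpOnly")
    return findings


# Constructed sample: Set-Cookie headers captured on a first, consent-free load.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=pending; Path=/; Secure; SameSite=Lax",
    "analytics_id=xyz789; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for finding in audit_pre_consent_cookies(SAMPLE_HEADERS):
        print(finding)
```

Against a real site, the headers would come from the response of a fresh browser session with no prior consent choice stored.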
The GDPR checklist in summary
In summary, the audit is based on a checklist of essential points:
Presence, quality and completeness of legal notices concerning the protection of privacy
Completeness and accuracy of a list mentioning the data processing operations carried out and their purpose
Presence of a clear procedure with identification of the relevant contact to obtain information or exercise rights
Implementation of a technical and functional tool for consent (or not) to the use of cookies
Level of knowledge and skills of the Data Protection Officer (DPO)
Completeness and quality of the company's data processing register
In conclusion, at Adimeo we conduct a GDPR audit along several axes: legal, organizational and technical. The issues are distinct but related. The work of recording the facts, analyzing them and then making recommendations therefore calls on several areas of expertise that Adimeo can mobilize within its own workforce and its various skill centers. This is the sine qua non condition for complete compliance of your web project with the GDPR and its many implications.