The 5 most common errors detected during data protection audits

Post by chhandoar99 »

GDPR Audit in Your Company? Avoid These 5 Mistakes Like the Plague!

Personal data protection audit – the very word itself makes many entrepreneurs' hearts race. It conjures up images of control, stress, and nitpicking. But what if we told you that an audit is actually your best friend in ensuring company security? It's a chance to take a hard look at your processes and catch errors before the President of the Personal Data Protection Office (UODO) finds them.

For years, we've been helping companies navigate GDPR audits. We've noticed that certain mistakes recur with surprising regularity, regardless of industry or organization size. Today, we're sharing a list of the 5 most common mistakes. Check if they apply to your organization!

Documentation? What documentation?

It's an absolute classic. We ask the company about data protection documentation, and the response is an awkward silence. No security policy, no record of processing activities, no procedures... In short: a documentation Wild West.

Why is this a mistake? GDPR explicitly requires you to have and maintain specific documentation. This isn't just "paper for the sake of it," but a map of your data. It shows what data you collect, why you do it, where you store it, and how you protect it. Without it, you're operating in the dark and unable to prove you're meeting your obligations. This is also one of the first questions the President of the Personal Data Protection Office will ask during a potential inspection.

How to fix this? Start with the basics: create a Processing Activities Register. This is the foundation. Describe key company processes, such as recruitment, customer service, or newsletter distribution. Then gradually build the rest of the documentation.

The first step is the Personal Data Protection Policy, a company "constitution" defining who is responsible for data and the general principles of data protection. Equally important are detailed instructions, i.e., procedures that explain step by step how to proceed in specific situations—for example, what to do when a customer requests the deletion of their data or an employee loses a company laptop. Maintaining additional records, such as a register of authorized data processors and a breach register, is also essential. A proactive approach, i.e., conducting a risk analysis to identify potential threats to data and planning how to counteract them, is crucial.

This category also includes absolutely crucial IT procedures that constitute the technical backbone of security: from access management (i.e., how to efficiently grant and revoke employee privileges), through creating and restoring backups and strong password policies, to procedures for updating software and securely deleting data from decommissioned computers. Without these technical guidelines, even the best general provisions will remain on paper.

Information clauses complete the picture: clear notices placed everywhere you collect data, such as on your website or in recruitment forms, informing people of their rights and the purposes of processing.

An (un)trained employee, i.e. the weakest link
You can have the best systems, the most expensive antivirus software, and strongboxes for your documents, but all it takes is one unsuspecting employee to click on a suspicious link, steal a flash drive with customer data, leave an unlocked computer on their desk, or send a bulk email to multiple recipients without the BCC function.

Why is this a mistake? People are and always will be a key element of any security system. A lack of regular, practical data protection training is asking for trouble. Auditors will immediately spot this by asking employees about basic rules, such as a clean desk policy.

How to fix this? Organize training! Not just every three years, but regularly. Speak in simple language, use real-life examples, and test knowledge. Show them that the password "Firma123!" is a bad idea, and that emails from unknown senders or with suspicious links are not to be responded to.


"Friendly" accounting and other demons, or the lack of entrustment agreements

"Our accounting is handled by a friendly company run by Kasia, and we've known each other for years." That's great, but does Kasia have a signed data processing agreement with you? What about the hosting company, marketing agency, or invoicing software provider?

Why is this a mistake? If any external entity has access to personal data for which you are responsible (e.g., employee or customer data), you must have a signed data processing agreement with them. This agreement governs what they can do with the data and how they are to protect it. Without it, you are fully responsible for any mistakes they make. Additionally, you must document the verification of the contractor's compliance with GDPR regulations. You should only work with entities that guarantee the processing of entrusted personal data in accordance with the obligations arising from the Regulation.

How to fix this? Make a list of your suppliers and partners. Check which of them have access to your data. Make sure you have signed a valid data processing agreement with each of them. Consult with your legal department or an auditor.

The CEO's computer uses the password "admin1" and other technical sins

An audit isn't just about documents, but also a quick glance at daily practices. What does the auditor see? Computers without passwords, passwords on sticky notes attached to monitors, documents with personal data lying around in a public place, and a lack of up-to-date antivirus software.

Why is this a mistake? GDPR requires the implementation of "appropriate technical and organizational measures" to ensure data security. The password "123456" is certainly not such a measure. It's basic digital hygiene, the lack of which signals that no one in the company takes security seriously.

How to fix this? Implement a strong password policy. Force the screen to automatically lock after a few minutes of inactivity. Encrypt laptop drives. Make sure your antivirus is up to date and your systems are regularly updated. These are simple steps that significantly improve security.

“I want to delete my data!” – panic in the customer service department

A client calls and says they're requesting the deletion of all their data under GDPR. What does the employee do? They often panic because they don't know what to do, who to report it to, or if they can even do it.

Why is this a mistake? Every person whose data you process has certain rights: the right to access, rectify, erase ("the right to be forgotten"), and so on. Your company must be prepared to honour these rights within the statutory deadline (usually one month). Ignoring such requests is a straightforward path to a complaint being filed with the Personal Data Protection Office.

How to fix this? Create a simple process for handling such a request. Every customer-facing employee must know what to do and who to immediately escalate the matter to. Add a procedure for handling data subject requests to your personal data protection policy.


An audit is not the end of the world!

As you can see, most audit mistakes aren't the result of malicious intent, but rather of oversight and lack of awareness. The good news is that all of these errors can be relatively easily corrected.

Also consider whether your organization requires or simply finds it useful to appoint a Data Protection Officer to oversee the entire system.

Remember, this isn't about creating documents for their own sake. It's about building a real security system. Treat data protection not as a chore, but as an investment in customer trust and the stability of your business. Trust is one of the most valuable currencies today.