# GDPR Compliance Audit Checklist

## Organization Information

| Field | Value |
|-------|-------|
| Organization Name | |
| Role | Controller / Processor / Joint Controller |
| DPO Name and Contact | |
| Lead Supervisory Authority | |
| Assessment Date | |
| Assessor | |

---

## Article 5: Data Processing Principles

- [ ] Lawfulness: every processing activity has a documented lawful basis (Art. 6), plus an Art. 9 condition where special categories of data are processed
- [ ] Fairness: processing does not cause unjustified adverse effects on data subjects
- [ ] Transparency: privacy notices provided at the point of collection (Art. 13/14)
- [ ] Purpose Limitation: data collected for specified, explicit and legitimate purposes and not further processed in an incompatible way
- [ ] Data Minimization: only data that is adequate, relevant and necessary for the purpose is collected
- [ ] Accuracy: processes exist to keep personal data accurate and up to date and to rectify or erase inaccurate data
- [ ] Storage Limitation: retention periods defined and enforced for all data categories
- [ ] Integrity and Confidentiality: appropriate technical and organizational security measures in place
- [ ] Accountability: the controller can demonstrate compliance with all of the above (Art. 5(2))

## Article 6: Lawful Basis

- [ ] Lawful basis identified for each processing activity
- [ ] Where consent is used, it is freely given, specific, informed and unambiguous, and the organization can demonstrate that it was given (Art. 7(1))
- [ ] Consent withdrawal mechanism available and as easy to use as giving consent (Art. 7(3))
- [ ] Legitimate Interest Assessments (balancing tests) documented wherever Art. 6(1)(f) is relied upon
- [ ] Lawful bases recorded in the ROPA

## Articles 13-14: Transparency

- [ ] Privacy notice provided at the time of collection when data is obtained from the data subject (Art. 13)
- [ ] Privacy notice provided within a reasonable period, and at the latest within one month, when data is obtained indirectly (Art. 14)
- [ ] Notices include: controller identity, purposes, lawful basis (and the legitimate interests relied upon), recipients, international transfers, retention period, data subject rights, the right to lodge a complaint with a supervisory authority, DPO contact and, for Art. 14 notices, the source of the data
- [ ] Notices are concise, transparent, intelligible and in clear and plain language (Art. 12(1))
- [ ] Notices available in the languages of the intended audience

## Articles 15-22: Data Subject Rights

- [ ] Process for receiving, logging and handling DSRs documented, covering requests that arrive through any channel
- [ ] Identity verification, proportionate to the request, performed before fulfilling requests (Art. 12(6))
- [ ] Response within one month of receipt, extendable by two further months for complex or numerous requests, with the data subject informed of the extension and its reasons within the first month (Art. 12(3))
- [ ] Right of access (Art. 15): can provide a copy of the personal data together with the supplementary information
- [ ] Right to rectification (Art. 16): can correct inaccurate data and complete incomplete data
- [ ] Right to erasure (Art. 17): can delete data across all live systems; a documented approach exists for backups (put beyond use and expired on rotation, or crypto-shredded); recipients are informed of the erasure (Art. 19)
- [ ] Right to restriction (Art. 18): can restrict processing while accuracy or an objection is contested
- [ ] Right to portability (Art. 20): can export the data provided by the data subject in a structured, commonly used and machine-readable format
- [ ] Right to object (Art. 21): processing ceases unless compelling legitimate grounds are demonstrated; objections to direct marketing are always honoured
- [ ] Automated decision-making (Art. 22): safeguards (human intervention, the ability to contest the decision) for solely automated decisions with legal or similarly significant effects

## Article 25: Data Protection by Design and Default

- [ ] Privacy considerations integrated into system design processes
- [ ] Default settings are the most privacy-protective
- [ ] Only the personal data necessary for each specific purpose is processed by default (amount collected, extent of processing, retention period and accessibility)
- [ ] Data protection integrated into the development lifecycle (privacy review at design time and before release)

## Article 28: Processors

- [ ] All processors identified and documented
- [ ] Data Processing Agreements (DPAs) in place with all processors
- [ ] DPAs include the Art. 28(3) provisions: processing only on documented instructions, confidentiality commitments, Art. 32 security measures, conditions for engaging sub-processors, assistance with data subject requests, assistance with security, breach notification and DPIA obligations, deletion or return of data at the end of the service, and audit and inspection rights
- [ ] Processor security measures verified (audit reports, questionnaires or on-site assessment), not merely asserted
- [ ] Sub-processor notification and objection process in place

## Article 30: Records of Processing Activities (ROPA)

- [ ] ROPA maintained and up to date (the Art. 30(5) exemption for organizations under 250 employees does not apply where processing is not occasional, is likely to result in a risk, or involves special categories)
- [ ] All processing activities documented
- [ ] Controller details, purposes, data categories, categories of data subjects, recipients, transfers, retention periods and security measures recorded
- [ ] Available to the supervisory authority on request

## Article 32: Security of Processing

- [ ] Risk-appropriate technical measures:
  - [ ] Encryption of personal data (at rest and in transit)
  - [ ] Pseudonymization implemented where appropriate
  - [ ] Access controls and authentication
  - [ ] Logging and monitoring of access to personal data
  - [ ] Data loss prevention controls
- [ ] Risk-appropriate organizational measures:
  - [ ] Information security policies
  - [ ] Staff training on data protection
  - [ ] Confidentiality agreements
  - [ ] Access review processes
- [ ] Ability to restore availability of and access to personal data in a timely manner after a physical or technical incident (Art. 32(1)(c))
- [ ] Regular testing, assessing and evaluating of the effectiveness of security measures (Art. 32(1)(d))

## Articles 33-34: Breach Notification

- [ ] Breach detection and risk assessment procedures documented
- [ ] Process to notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk; reasons for any delay recorded (Art. 33(1))
- [ ] Process to notify affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34)
- [ ] Breach register maintained for all breaches, including those not notified (Art. 33(5))
- [ ] Processors contractually required to notify the controller without undue delay (Art. 33(2))
- [ ] Breach response plan tested within the last 12 months

## Article 35: Data Protection Impact Assessment

- [ ] DPIA screening criteria documented (when a DPIA is required, including the supervisory authority's published list of processing operations)
- [ ] DPIA process documented
- [ ] DPIAs conducted for all high-risk processing
- [ ] DPO advice sought on DPIAs (Art. 35(2))
- [ ] Supervisory authority consulted before processing where residual risk remains high (Art. 36)
- [ ] DPIAs reviewed when processing changes

## Articles 44-49: International Transfers

- [ ] All international transfers, including onward transfers by processors, identified and documented
- [ ] Transfer mechanisms in place (adequacy decision, SCCs, BCRs, or an Art. 49 derogation)
- [ ] Transfer Impact Assessments conducted for transfers to non-adequate countries
- [ ] Supplementary measures implemented where the TIA requires them
- [ ] Standard Contractual Clauses executed in the 2021 modular version (Commission Decision (EU) 2021/914); contracts still on the pre-2021 sets have been non-compliant since 27 December 2022

## Articles 37-39: Data Protection Officer

- [ ] DPO appointed where required (Art. 37(1)): public authority or body, core activities requiring regular and systematic large-scale monitoring of data subjects, or core activities consisting of large-scale processing of special categories or criminal conviction data
- [ ] DPO has expert knowledge of data protection law and practice
- [ ] DPO involved, properly and in a timely manner, in all data protection matters
- [ ] DPO reports directly to the highest management level and is not penalised for performing their tasks
- [ ] DPO contact details published and communicated to the supervisory authority

---

## Summary

| GDPR Area | Items | Compliant | Non-Compliant | N/A |
|-----------|-------|-----------|---------------|-----|
| Principles (Art. 5) | | | | |
| Lawful Basis (Art. 6) | | | | |
| Transparency (Art. 13-14) | | | | |
| Data Subject Rights (Art. 15-22) | | | | |
| Privacy by Design (Art. 25) | | | | |
| Processors (Art. 28) | | | | |
| ROPA (Art. 30) | | | | |
| Security (Art. 32) | | | | |
| Breach Notification (Art. 33-34) | | | | |
| DPIA (Art. 35) | | | | |
| International Transfers (Art. 44-49) | | | | |
| DPO (Art. 37-39) | | | | |
| **Total** | | | | |

## Sign-off

| Role | Name | Signature | Date |
|------|------|-----------|------|
| DPO | | | |
| CISO | | | |
| Legal Counsel | | | |
| Senior Management | | | |