Method 11 min read·

Internal GDPR Audit: The 7-Step Method

CNIL doesn't only sanction violations: it also penalizes the absence of a compliance approach. A documented annual internal audit is your best protection — it proves you acted in good faith. Here's the 7-step method.

The 7 Steps of the Internal GDPR Audit

1
Processing Inventory

Exhaustively list all personal data processing in your organization: web collection (forms, analytics), CRM, billing, HR management, CCTV, marketing emails. For each processing: purpose, data collected, legal basis, internal owner.

Tool: shared spreadsheet or register software (Didomi, Privasee, OneTrust Starter)
2
Data Flow Mapping

For each processing: where does the data come from? Who accesses it? Where is it stored? Is it shared with third parties? Are transfers outside the EU involved? This mapping reveals hidden risks (unidentified sub-processor, undocumented US transfer).

Tool: flow diagram (Miro, Lucidchart), interviews with department heads
3
Cookie and Tracker Audit

Scan each page of your site to identify cookies deposited before consent, active third-party trackers, unblocked advertising or analytics scripts. This is often the main CNIL risk source for SMEs.

Tool: RGPDScan (60s/page), Cookie Monster (Chrome), Network DevTools analysis
4
Sub-Processor and DPA Review

For each SaaS tool and provider identified: DPA signed? Further sub-processors listed? Legal transfer mechanism documented? Satisfactory security measures? Breach procedure defined? Finish with a list of missing DPAs to obtain.

Tool: provider comparison table, SaaS legal pages (DPA section)
5
Security Measures Assessment

Art. 32 GDPR requires 'appropriate' technical and organizational measures. Check: encryption of sensitive data, HTTPS everywhere, password policy, access control (least privilege), tested backups, internal incident reporting procedure.

Tool: ANSSI SME checklist, SSL scan, SaaS account access audit
6
Rights Exercise Verification

Does your site allow people to exercise their rights (access, rectification, erasure, objection, portability)? Is there a documented procedure? Are requests processed within the 1-month deadline? Does the privacy policy mention these rights?

Tool: dedicated contact form or DPO email, real-situation testing
7
Register Update and Action Plan

Consolidate all information in your processing register (Art. 30). Document each identified gap with: risk level (red/orange/green), corrective action, responsible person, target date. This compliance plan is your proof of good faith in case of inspection.

Tool: spreadsheet or project management tool (Notion, Asana, ClickUp)

Accelerate step 3 with RGPDScan

Cookie audit typically takes 1-2 days manually. RGPDScan does it in 60 seconds per page: trackers, cookies before consent, advertising scripts.

What CNIL Prioritizes in Inspections

Cookies without consentVery High
Absence of privacy policyHigh
Undocumented transfers outside EUHigh
Non-response to rights requestsHigh
Missing DPA with sub-processorsModerate
Missing processing registerModerate

Going Further

Frequently Asked Questions

How often should an internal GDPR audit be conducted?
At minimum once a year. And necessarily after a major change: new data processing, new SaaS tool accessing personal data, security incident, change in activity or legal structure.
Does an internal audit suffice or is an external firm needed?
For an SME under 50 employees, a rigorous internal audit is generally sufficient. Beyond that or for sensitive processing (health, fintech, large-scale HR), an external audit (DPO firm, privacy lawyer) provides independent validation essential in case of CNIL inspection.
How long does a GDPR audit take for an SME?
For an SME of 10-50 employees: 2-5 working days the first time, 1-2 days for subsequent ones. The RGPDScan tool covers the cookies/trackers step in 60 seconds, which often represents 30% of audit time.
What to do with gaps identified during the audit?
Prioritize by risk level: critical (fix within 30 days), important (within 90 days), minor (to plan). Document each gap, the corrective action, the responsible person and target date. This is your compliance plan — keep it updated.
Must the GDPR audit be sent to CNIL?
No, the internal audit is not to be spontaneously sent to CNIL. It's confidential. However, in case of CNIL inspection, you'll need to demonstrate your compliance approach — the audit and action plan are your main evidence.
Who should conduct the internal GDPR audit?
The DPO if one exists. Otherwise, the legal department, CTO or general management depending on the structure. The audit must have a management-level sponsor to have the necessary access (all SaaS tools, all supplier contracts).

Start step 3 of your audit now

Cookie and tracker audit in 60 seconds. Detailed report, recommendations, PDF export. Free.