Internal GDPR Audit: The 7-Step Method
CNIL doesn't only sanction violations: it also penalizes the absence of a compliance approach. A documented annual internal audit is your best protection — it proves you acted in good faith. Here's the 7-step method.
The 7 Steps of the Internal GDPR Audit
Exhaustively list all personal data processing in your organization: web collection (forms, analytics), CRM, billing, HR management, CCTV, marketing emails. For each processing: purpose, data collected, legal basis, internal owner.
For each processing: where does the data come from? Who accesses it? Where is it stored? Is it shared with third parties? Are transfers outside the EU involved? This mapping reveals hidden risks (unidentified sub-processor, undocumented US transfer).
Scan each page of your site to identify cookies deposited before consent, active third-party trackers, unblocked advertising or analytics scripts. This is often the main CNIL risk source for SMEs.
For each SaaS tool and provider identified: DPA signed? Further sub-processors listed? Legal transfer mechanism documented? Satisfactory security measures? Breach procedure defined? Finish with a list of missing DPAs to obtain.
Art. 32 GDPR requires 'appropriate' technical and organizational measures. Check: encryption of sensitive data, HTTPS everywhere, password policy, access control (least privilege), tested backups, internal incident reporting procedure.
Does your site allow people to exercise their rights (access, rectification, erasure, objection, portability)? Is there a documented procedure? Are requests processed within the 1-month deadline? Does the privacy policy mention these rights?
Consolidate all information in your processing register (Art. 30). Document each identified gap with: risk level (red/orange/green), corrective action, responsible person, target date. This compliance plan is your proof of good faith in case of inspection.
Accelerate step 3 with RGPDScan
Cookie audit typically takes 1-2 days manually. RGPDScan does it in 60 seconds per page: trackers, cookies before consent, advertising scripts.
What CNIL Prioritizes in Inspections
Going Further
- Processing register: Art. 30 guide
- GDPR sub-processors: DPA Art. 28
- Complete GDPR checklist 2026
- Transfers outside EU: complete guide