Every GDPR obligation checked against evidence.
Lawful basis, records, transparency, data subject rights, transfers, security, breach response, accountability. Each article gets a finding, a severity rating and a remediation owner.
SERVICE PRACTICE · GDPR AUDIT
Independent GDPR audit.
Article-by-article assessment by senior privacy specialists. Records of processing, DPIA inventory, transfer mechanism, data subject rights workflow, vendor contracts and incident plan. Audit report and remediation tracker in four weeks.
AUDIT.DESK · LAST 12 MONTHS● LIVE
GDPR audits delivered84
Article 30 records reviewed127
DPIAs reviewed211
Median audit cycle4 weeks
Pre-inspection audits23
Findings cleared in follow-up94%
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / PRIMER
What the audit covers.
Documents, samples and operational tests.
We read the actual records, sample DSR responses, review DPIAs, interview process owners and test the workflow end to end. The report cites the evidence inline.
Output written for the supervisory authority.
The audit report and action plan are structured so that the supervisory authority can read them directly. Where the regulator already opened a file, the audit feeds into the response.
REGULATORY EXPOSURE
Up to €20M or 4% of turnover
The upper tier of GDPR Article 83 applies to consent, transfer and data subject rights failings — the audit's highest-risk areas.
AVERAGE BREACH COST
€4.6M per incident
Independent audits surface preventable control gaps that drive breach risk and breach cost upward.
§ 02 / WHERE IT BITES
The articles we test.
ARTICLE · WHAT WE CHECK
ART. 6 + 9Lawful basisMapping of every processing purpose to a lawful basis and special-category condition where applicable.
ART. 12-22Data subject rightsDSR intake, identification, handling timelines, exception logic and outbound response samples.
ART. 13-14TransparencyPrivacy notice content, placement, layered disclosure, just-in-time notices and language coverage.
ART. 7ConsentConsent capture, granularity, withdrawal mechanism, evidence retention.
ARTICLE · WHAT WE CHECK
ART. 30Records of processingController and processor ROPAs against actual processing. Coverage, accuracy, currency, sign-off.
ART. 32Security of processingTechnical and organisational measures, vendor confirmation, evidence on file.
ART. 33-34Breach responseIdentification, triage, notification template and 72-hour readiness.
ART. 44-49TransfersTransfer mechanism, SCCs 2021, transfer-impact assessments and supplementary measures.
§ 03 / ENGAGEMENT MODELS
Engagement models.
MODEL AAUDIT
Full GDPR audit
Four-week audit covering every GDPR article. Report, finding register, remediation plan and board paper.
- →Article-by-article evidence review
- →DSR workflow walk-through
- →Sample DPIA and ROPA review
- →Finding register and remediation owners
MODEL BPRE-INSPECTION
Pre-inspection audit
Targeted audit when a supervisory authority has opened a file or scheduled an on-site visit.
- →Open finding mapping to the regulator's letter
- →Document pack assembly
- →Interview rehearsal for process owners
- →Response draft for the supervisor
MODEL CFOCUSED
Focused audit
Single-area deep dive: ROPA, DPIA, transfers, DSR workflow, breach plan or controller-processor mapping.
- →Targeted scope, fixed fee
- →Evidence sampling and recommendations
- →Remediation tracker for the area
- →Optional follow-up validation
§ 04 / SCOPE
Scope of work.
01 / 04
Records & lawful basis
- Article 30 records of processing
- Lawful basis mapping per purpose
- Special-category and criminal-data review
- Retention schedule and disposal
02 / 04
Rights & transparency
- Data subject rights workflow
- Sample DSR response review
- Privacy notice review
- Consent capture and withdrawal
03 / 04
Security & breach
- Technical and organisational measures
- Vendor processor evidence
- Article 33 and 34 breach plan
- Tabletop test
04 / 04
Transfers & accountability
- Transfer mechanism per third country
- SCC 2021 implementation and TIA
- DPO function and reporting line
- Board oversight and audit trail
§ 05 / IN PRACTICEBook a scoping call30 MIN
How we run the audit.
Four weeks. Week one is scoping and document collection. Weeks two and three are evidence review and interviews. Week four is reporting, board paper and the remediation tracker. Findings cite the evidence inline so the report stands up to follow-up review.
Median audit cycle
4 weeks
Evidence files reviewed
≥ 80 per audit
Interviews per audit
8 to 12
Findings cleared in follow-up
94%
CLIENT · AUDIT STATUSQ2 2026
Total findings21
High severity3
Medium severity9
Low severity9
Closed in follow-up20 of 21
Vision Compliance · audit practice
§ 06 / SELECTED WORK
See all case studies →Recent audits.
AUD-22HEALTHCARE
Pre-inspection audit closed the supervisory file in 60 days.
17 → 0
FINDINGS
60
DAYS
Closed
OUTCOME
SCOPEPre-inspection audit, evidence pack, response draft for the regulator
AUD-18SAAS
Full audit ahead of EU expansion. Programme cleared for launch.
31
FINDINGS
30
REMEDIATED
4 weeks
CYCLE
SCOPEArticle-by-article audit, ROPA rebuild, transfer review, DSR workflow
AUD-12RETAIL
Focused DPIA audit on loyalty programme and marketing.
14
DPIAS
22
ACTIONS
Lowered
RISK SCORE
SCOPEFocused DPIA audit, residual-risk register, board paper
§ 07 / LANDSCAPE
GDPR enforcement.
€5.8B
Cumulative GDPR fines issued since 2018
1,500+
Public enforcement decisions in 2024
62%
of audits surface Article 30 record gaps
72h
Article 33 breach notification window
TREND 01
Records and transfers stay the top finding areas
Article 30 records and Article 44 transfers remain the most cited issues in supervisory decisions and audit reports across the EU.
TREND 02
Supervisors compare answers to evidence
Inspections move past questionnaires into evidence sampling. The audit report has to align with what an examiner finds on site.
TREND 03
Board accountability is visible in the file
Authorities check that the data protection programme is sponsored at board level. Audit reports increasingly reference governance evidence.
§ 08 / FAQ
Common questions.
01How is your audit different from a self-assessment or a checklist?+
We read the documents, sample the operational workflow, interview process owners and test the controls. The report cites the specific evidence behind each finding so it stands up to a supervisory review. A checklist gives you a score; an audit gives you a defensible file.
02Can you audit a single area instead of the whole programme?+
Yes. The focused-audit model covers one of: Article 30 records, DPIA programme, transfer mechanism, DSR workflow, breach plan, vendor and processor mapping. Fixed fee, 2 to 3 weeks per area.
03How fast can you run a pre-inspection audit?+
When a supervisory file is open or an on-site is scheduled, we mobilise within 5 business days. Day one to day five is scoping, document collection and interview plan. Weeks two and three deliver the evidence pack and the response draft.
04Who delivers the audit?+
A senior privacy lead with CIPP/E certification runs the audit. Larger programmes include a second reviewer for ROPA and DPIA samples. The board paper is signed off by the audit lead.
05Do you support the remediation after the audit?+
Yes if you want it. We deliver the finding register and remediation owner map with the report. From there, we can either hand off to your internal team or continue as a remediation retainer for a defined period.
06How do you bill?+
Fixed fee on a defined scope. The scoping call lets us write the scope letter, which fixes the price. There are no time-and-materials charges inside the scope.
§ 09 / RESOURCES
Templates and guides.
TEMPLATE10 PAGES
GDPR audit scope letter
Scope letter template for a full GDPR audit, including evidence list, interview plan and deliverable definition.
Open ↓PDF / TEMPLATE
CHECKLIST8 PAGES
Pre-inspection readiness checklist
Document and evidence checklist used when a supervisory authority opens a file or schedules an on-site visit.
Open ↓PDF / TEMPLATE
GUIDE14 PAGES
Article 30 ROPA review
Field-by-field review questions and sample evidence for a controller and processor record of processing.
Open ↓PDF / TEMPLATE
§ 10 / RELATED
Related practices.
Data Protection (DPO)
External DPO service and ongoing GDPR programme support for organisations under Article 37 obligation.
Open practice →EU Representative
Article 27 representative for non-EU controllers and processors offering goods or services to people in the EU.
Open practice →Vendor Risk
Third-party due diligence, contracts and ongoing monitoring across critical service providers.
Open practice →11 / GET STARTED
Talk to a senior auditor.
Send the brief. We respond with a scoped agenda for the first call.