GDPR | 8 min read

GDPR checklist for an auditable company

A GDPR audit does not rest on one privacy policy. An auditor will ask for a processing inventory, contracts with every processor, a working data subject rights process, and evidence that the security measures you describe actually exist.

Records of processing

The record of processing activities (ROPA, Article 30 GDPR) is the operational map of personal data. For each processing activity, record the purpose, legal basis, categories of data subjects and data, recipients (including processors), retention period, and any transfers outside the EU/EEA together with the transfer mechanism relied on.

The most common weak spot is an outdated tool list. CRM, analytics, helpdesk, accounting, and HR systems change faster than the legal documentation, so the inventory needs a review date and an owner, not just a one-off entry. Typical activity groups:

  • Customer data and CRM
  • HR and payroll
  • Marketing tools
  • Analytics and support

Processors and security

Every supplier that processes personal data on your behalf is a processor and needs a documented relationship: a contract with the Article 28 terms (a DPA), a description of the supplier's security measures, and ideally a recurring risk review. A recipient listed in the ROPA with no matching processor record is a finding in itself.

Security controls should be proportionate to the processing risk (Article 32): MFA, least-privilege access rights with periodic review, tested backups, an incident response procedure, and encryption at rest and in transit where the risk warrants it.
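The two sections above describe one joined-up check: every ROPA entry must carry its required fields and a recent review, and every recipient in it must be backed by a processor record with a signed DPA. The script below is an added example, not Splnit.eu code; the field names, the 365-day review interval, the `transfer_mechanism` field and all records are constructed assumptions for illustration.

```python
"""Check a processing inventory (ROPA) for gaps.

Added example, not Splnit.eu code. Finds: missing Article 30 fields,
overdue reviews, transfers outside the EEA with no documented mechanism,
recipients with no processor record or no signed DPA, and processors
nobody records using. All records below are constructed sample data.
"""
from datetime import date, timedelta

# Fields every ROPA entry must carry (assumed schema for this example).
REQUIRED_FIELDS = ("purpose", "legal_basis", "data_categories",
                   "recipients", "retention", "transfers_outside_eea")
REVIEW_INTERVAL = timedelta(days=365)  # assumed review cadence

# Constructed sample inventory.
ROPA = [
    {"activity": "Customer CRM", "purpose": "contract management",
     "legal_basis": "contract", "data_categories": ["contact", "orders"],
     "recipients": ["Acme CRM"], "retention": "contract + 3 years",
     "transfers_outside_eea": False, "last_reviewed": date(2024, 3, 1)},
    {"activity": "Web analytics", "purpose": "traffic measurement",
     "legal_basis": "consent", "data_categories": ["usage data"],
     "recipients": ["StatsCo"], "retention": "14 months",
     "transfers_outside_eea": True,  # no transfer_mechanism recorded
     "last_reviewed": date(2022, 11, 5)},
    {"activity": "Payroll", "purpose": "salary payment",
     "legal_basis": "legal obligation", "data_categories": ["identity", "bank"],
     "recipients": ["PayTool"], "retention": "",  # left blank
     "transfers_outside_eea": False, "last_reviewed": date(2024, 1, 15)},
]

# Constructed processor register: one DPA record per supplier.
PROCESSORS = {
    "Acme CRM": {"dpa_signed": True},
    "PayTool": {"dpa_signed": False},
    "OldHelpdesk": {"dpa_signed": True},  # tool retired, record never removed
}


def check_ropa(ropa, processors, today):
    """Return a list of (subject, finding) tuples for the inventory."""
    findings = []
    for rec in ropa:
        name = rec.get("activity", "<unnamed>")
        # 1. Every required field present and non-empty.
        for field in REQUIRED_FIELDS:
            if field not in rec or rec[field] in (None, "", []):
                findings.append((name, f"missing field '{field}'"))
        # 2. Review not older than the agreed interval.
        last = rec.get("last_reviewed")
        if last is None or today - last > REVIEW_INTERVAL:
            findings.append((name, "review overdue"))
        # 3. Each recipient has a processor record with a signed DPA.
        for recipient in rec.get("recipients", []):
            proc = processors.get(recipient)
            if proc is None:
                findings.append((name, f"recipient '{recipient}' has no processor record"))
            elif not proc.get("dpa_signed"):
                findings.append((name, f"recipient '{recipient}' has no signed DPA"))
        # 4. Transfers outside the EEA need a documented mechanism.
        if rec.get("transfers_outside_eea") and not rec.get("transfer_mechanism"):
            findings.append((name, "transfer outside EEA without a documented transfer mechanism"))
    # 5. Processor records that no activity references (stale tool list).
    used = {r for rec in ropa for r in rec.get("recipients", [])}
    for proc_name in processors:
        if proc_name not in used:
            findings.append((proc_name, "processor not referenced by any activity"))
    return findings


if __name__ == "__main__":
    for subject, finding in check_ropa(ROPA, PROCESSORS, date(2024, 6, 1)):
        print(f"{subject}: {finding}")
```

Run against the sample data it reports six findings: the analytics entry is overdue, points at an unknown processor and transfers data abroad with no recorded mechanism; payroll has a blank retention period and an unsigned DPA; and one processor record is orphaned. The last check is the one that catches the "outdated tool list" problem from the other direction.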

Incidents and 72 hours

For a personal data breach, time matters: the authority must be notified within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals, and data subjects must be told without undue delay when the risk is high. You need an incident log that records every breach, including those you decide not to notify and why, a documented decision on the notification duty, a list of the affected data and people, and a pre-filled notification template for the data protection authority.

Turn this article into a control checklist

Splnit.eu maps obligations to controls, evidence, and deadlines so they can be checked continuously.

View platform
