How to Prepare for a GDPR Audit in 48 Hours
You just received notice that a data protection authority wants to audit your GDPR compliance. Or a major client is requiring evidence of compliance before signing. Or your legal team realized an upcoming deadline requires documentation you don't have.
Whatever the trigger, you need to assess your compliance status and document your position - fast. This guide provides a 48-hour action plan.
The Reality Check
Let's be clear: you cannot achieve full GDPR compliance in 48 hours if you're starting from zero. What you can do is:
- Assess your current compliance status
- Document what you have in place
- Identify critical gaps
- Create a remediation roadmap
- Demonstrate good faith effort
Regulators and auditors recognize that compliance is a journey. Showing organized documentation and a clear plan carries significant weight.
Hour 0-4: Assemble Your Team
Identify Key Stakeholders
- Pull together people who know:
- Data flows: Where does personal data enter, move through, and exit your systems?
- Technical architecture: How is data stored, processed, and protected?
- Legal/contractual: What agreements govern data processing?
- Customer-facing processes: How do you handle data subject requests?
Gather Existing Documentation
- Collect everything you already have:
- Privacy policy
- Cookie policy
- Data processing agreements (DPAs)
- Subprocessor lists
- Security policies
- Incident response procedures
- Previous audit reports
Even incomplete documentation demonstrates effort.
Hour 4-12: Data Mapping Sprint
GDPR Article 30 requires records of processing activities. If you don't have this, create a basic version now.
For Each System Handling Personal Data
Document:
| Field | What to Record | |-------|---------------| | System name | CRM, email platform, analytics, etc. | | Data categories | Names, emails, payment info, health data, etc. | | Data subjects | Customers, employees, prospects, etc. | | Purpose | Why you process this data | | Legal basis | Consent, contract, legitimate interest, etc. | | Retention period | How long you keep it | | Recipients | Who receives the data (internal/external) | | Transfers | Any transfers outside EU/EEA | | Security measures | Encryption, access controls, etc. |
Priority Systems
- Start with highest-risk systems:
- Customer database / CRM
- Email marketing platform
- Payment processing
- Employee HR systems
- Analytics and tracking
- Support ticket systems
A partial data map showing your main systems is better than nothing.
Hour 12-20: Technical Controls Assessment
Access Controls
- Document:
- [ ] Role-based access control implemented
- [ ] Principle of least privilege applied
- [ ] Access reviews conducted (when?)
- [ ] Terminated employee access revocation process
- [ ] Multi-factor authentication status
Encryption
- Document:
- [ ] Data encrypted at rest (which systems?)
- [ ] Data encrypted in transit (TLS version?)
- [ ] Encryption key management process
Security Monitoring
- Document:
- [ ] Logging enabled (what events?)
- [ ] Log retention period
- [ ] Security monitoring/SIEM in place
- [ ] Vulnerability scanning frequency
- [ ] Penetration testing (last date?)
Backup and Recovery
- Document:
- [ ] Backup frequency
- [ ] Backup encryption
- [ ] Recovery testing (last date?)
- [ ] Backup retention period
Hour 20-28: Process Documentation
Data Subject Rights
GDPR Articles 15-22 grant individuals specific rights. Document how you handle:
- Right of Access (Art. 15)
- How do subjects request their data?
- Who handles requests?
- What's your response timeline?
- What format do you provide data in?
- Right to Rectification (Art. 16)
- How can subjects correct their data?
- What's the update process?
- Right to Erasure (Art. 17)
- How do subjects request deletion?
- What's your deletion process across systems?
- How do you handle backups?
- Right to Data Portability (Art. 20)
- Can you export data in machine-readable format?
- What format (JSON, CSV)?
- Right to Object (Art. 21)
- How can subjects opt out of processing?
- How do you handle marketing opt-outs?
Consent Management
- If you rely on consent as a legal basis:
- [ ] Consent is freely given, specific, informed, unambiguous
- [ ] Clear record of when and how consent was obtained
- [ ] Easy withdrawal mechanism
- [ ] Consent not bundled with other agreements
Breach Response
- Document your incident response process:
- [ ] Breach detection mechanisms
- [ ] Incident classification criteria
- [ ] 72-hour notification process for authorities
- [ ] Communication process for affected individuals
- [ ] Post-incident review process
Hour 28-36: Third-Party Assessment
Data Processing Agreements
GDPR Article 28 requires written contracts with processors. Inventory:
| Processor | Service | DPA Status | Last Review | |-----------|---------|------------|-------------| | AWS | Cloud hosting | Signed | 2025-06 | | Mailchimp | Email marketing | Using standard DPA | 2024-12 | | Stripe | Payments | Using standard DPA | 2025-01 |
International Transfers
- If you transfer data outside EU/EEA:
- [ ] Adequate country decision applies, OR
- [ ] Standard Contractual Clauses in place, OR
- [ ] Binding Corporate Rules approved, OR
- [ ] Specific derogation applies
Post-Schrems II, document your transfer impact assessments.
Subprocessor Management
- [ ] List of subprocessors maintained
- [ ] Notification process for subprocessor changes
- [ ] Right to object to new subprocessors
Hour 36-44: Gap Analysis and Roadmap
Categorize Gaps
- Critical (address within 30 days):
- No data processing records
- No breach response process
- Missing DPAs with major processors
- No legal basis documented for processing
- High (address within 90 days):
- Incomplete data subject rights processes
- Missing consent records
- Inadequate security documentation
- No privacy impact assessments
- Medium (address within 6 months):
- Incomplete data mapping
- Training not documented
- Policies need updating
- Audit trail gaps
Create Remediation Roadmap
- For each gap, document:
- Issue description
- Required action
- Owner
- Target completion date
- Dependencies
This roadmap demonstrates commitment to compliance even when gaps exist.
Hour 44-48: Package Your Documentation
Compliance Binder Structure
Organize documentation for presentation:
- ```
- Executive Summary - Compliance overview - Key strengths - Known gaps and remediation plan
- Data Processing Records - Processing activities inventory - Data flow diagrams - Retention schedules
- Legal Basis Documentation - Consent records - Legitimate interest assessments - Contract requirements
- Technical Measures - Security policies - Access control documentation - Encryption status
- Organizational Measures - Privacy policy - Training records - DPO appointment (if applicable)
- Third-Party Management - DPA inventory - Subprocessor list - Transfer mechanisms
- Individual Rights - Request handling procedures - Response templates - Request log
- Incident Response - Breach response plan - Incident log - Notification templates
- Remediation Roadmap - Gap analysis - Action plan - Timeline ```
Using Auditi for Compliance Documentation
Auditi by BetterQA helps organize compliance evidence:
- Multi-standard testing: GDPR requirements alongside WCAG accessibility and security standards
- Journey-based auditing: Test complete user flows for privacy compliance (consent flows, data access requests, deletion processes)
- Evidence capture: Document compliance status for each requirement
- Version tracking: Demonstrate compliance improvement over time
For organizations needing to document both accessibility and data protection compliance, Auditi provides a unified platform.
What Auditors Actually Look For
Based on BetterQA's experience supporting clients through audits:
Good Signs
Red Flags
Common Audit Questions
- Prepare answers for:
- "Show me your records of processing activities"
- "How do you handle data subject access requests?"
- "What's your breach notification process?"
- "How do you ensure processor compliance?"
- "What training have employees received?"
After the 48 Hours
This sprint gets you prepared for an immediate audit. Long-term compliance requires:
- Regular audits: Quarterly internal reviews
- Continuous documentation: Update as processes change
- Training: Annual privacy training for all staff
- Vendor management: Regular DPA reviews
- Privacy by design: Build compliance into new features
Frequently asked questions
What documentation must you produce before a GDPR audit?
According to the GDPR (Article 30), every organisation must maintain records of processing activities. At minimum you need a ROPA (Records of Processing Activities), a legal basis log for each data type, your Data Protection Impact Assessments for high-risk processing, signed Data Processing Agreements with vendors, and evidence of your consent mechanism. The European Data Protection Board's guidance states that supervisory authorities expect to inspect these records during any audit.
How long does GDPR audit preparation typically take?
The 48-hour sprint in this guide addresses emergency situations. Realistically, thorough GDPR audit preparation requires 2-4 weeks for organisations with 50-500 employees, according to the International Association of Privacy Professionals (IAPP). Organisations that maintain ongoing compliance programmes can typically produce audit documentation within 24-48 hours because records are kept current.
What are the maximum GDPR fines for non-compliance?
GDPR Article 83 establishes two tiers of fines. The lower tier covers infringements of data controller obligations: up to EUR 10 million or 2% of global annual turnover, whichever is higher. The upper tier covers infringements of core principles (consent, data subject rights, transfers): up to EUR 20 million or 4% of global annual turnover. The Irish DPC fined Meta EUR 1.2 billion in 2023 under the upper tier for unlawful data transfers to the US.
About the author: Elena Vasquez is Compliance Specialist at BetterQA, where she leads accessibility and regulatory compliance testing programs. She writes for Auditi, a BetterQA project.
Built by BetterQA
© 2026 Auditi. A BetterQA project. | auditi.ro