Turn compliance obligations into clarity, control, and confidence
A data protection audit is not about paperwork. It is about knowing where you stand, understanding your risks, and proving accountability.
My audits are:
✓ independent and objective,
✓ legally grounded and regulator-oriented, but always practical and proportionate.
The goal is not theoretical perfection, but effective, sustainable compliance that works in your operational reality.
Understanding a data protection audit
A data protection audit is a systematic assessment of your organisation’s compliance with applicable data protection laws and frameworks, including:
✓ GDPR,
✓ ePrivacy,
✓ sector-specific or contractual obligations, and,
✓ where relevant, AI-related data protection requirements.
It evaluates governance, processes, documentation, and practices, not just policies on paper.
Data protection audits are particularly suited for:
✓ companies seeking to analyse and assess the compliance of their organisation, IT tools, and projects,
✓ framework contract bidders and holders,
✓ public sector bodies and service providers,
✓ organisations handling sensitive or large-scale data,
✓ companies deploying innovative or AI-driven solutions,
✓ organisations seeking to professionalise or reset their compliance approach.
A data protection audit is particularly valuable when you:
✓ are bidding for or performing a framework contract or public procurement,
✓ need to demonstrate GDPR accountability (Article 5(2)),
✓ face regulatory scrutiny, inspection, investigation or internal risk exposure,
✓ are introducing new technologies, data flows, processing operations or AI systems,
✓ want an independent, expert view of your compliance posture, or
From audit to action
An audit is not the end; it is a starting point. I can support you beyond the audit with:
✓ remediation and implementation,
✓ governance structuring,
✓ DPIAs and risk assessments,
✓ ongoing advisory and compliance support,
✓ training.
My working process
I follow a clear, structured, and pragmatic audit methodology, adapted to your size, sector, and risk profile.
Scoping and context analysis
I start by setting a clear baseline:
✓ your activities, services, and business model
✓ your processing operations and data flows (including key tools and systems)
✓ your roles and responsibilities (controller, processor, joint controller)
✓ your contractual setup (clients, subcontractors, framework contracts, tenders)
✓ your regulatory landscape (GDPR, ePrivacy where relevant, sector rules)
✓ your risk exposure and priorities (what matters most, and why)
✓ key assumptions, constraints, and audit boundaries
The audit scope is always tailored to your reality, never generic.
Compliance assessment
I assess your organisation against the applicable requirements, in particular:
✓ governance and accountability mechanisms, with clear roles and formalised processes
✓ records of processing activities (RoPAs) and related documentation, kept up to date, consistent, and usable
✓ legal bases for processing and compliance with transparency obligations
✓ handling of data subject rights, from receipt of requests to their processing and traceability
✓ security measures, their alignment with risks, and the management of incidents and data breaches
✓ processors and third parties, including assessment (DPR/IAs), contractual safeguards, and ongoing supervision
✓ data protection by design and by default, integrated into projects, tools, and internal processes
Gap and risk analysis
I focus on what really matters in practice:
✓ gaps between documented compliance and actual practices
✓ missing, outdated, or inconsistent documentation
✓ legal risks linked to weak or incorrect legal bases
✓ operational risks linked to tools, access rights, or workflows
✓ areas of over-compliance creating unnecessary burden
✓ areas of under-compliance creating real exposure
✓ weaknesses in processor and third-party management
✓ risks related to international transfers and subcontracting chains
✓ security or organisational weaknesses that increase incident impact
✓ gaps in day-to-day handling of data subject rights
✓ lack of training or awareness among teams, with a direct impact on daily practices
The analysis is concrete and risk-based. No theory, no box-ticking, only issues that have real legal or operational consequences.
Clear findings and actionable outcomes
You receive results you can actually use:
✓ a structured and defensible audit report with clear qualification of findings (critical, high, medium, low)
✓ links between findings, risks, and legal requirements
✓ concrete and prioritised recommendations, and clarity on what must be fixed, what can wait, and what is acceptable
✓ practical remediation actions, not abstract advice
✓ identification of quick wins versus structural fixes
✓ input you can reuse for external audits, tenders, or regulator dialogue
The output is legally grounded and regulator-oriented, but pragmatic. The objective is effective, sustainable compliance that works in your operational reality.
GET IN TOUCH
Planning something serious? Let’s lock in compliance.