A GDPR audit sounds like something to fear. In practice it is housekeeping - someone external reviews your processes and tells you what works and what needs to change before a regulator knocks. Here is what a GDPR audit looks like, step by step, for a B2B company in Poland, and what you actually receive in the report.
When a GDPR audit makes sense
You commission an audit in one of three situations:
- First-time implementation - the company has grown and the documentation drafted "in a rush" in 2018 no longer reflects reality.
- Business-model change - new product launch, new partner integration, EU market expansion.
- Periodic re-audit - every 12-24 months, to verify procedures still work and catch new gaps.
Audits are not reserved for large corporations. In our experience, micro and small companies have the biggest gaps - not from lack of intent, but because nobody looks at these topics systematically.
Stage 1 - Process mapping (legal audit)
The first stage is a conversation, not a code review. The auditor asks:
- Which categories of personal data do you collect? (customers, employees, candidates, suppliers)
- Where does it come from and who has access?
- Where do you send it - which systems, vendors, integrators?
- What is the legal basis for each of those flows?
The output is a processing map. That map is the backbone of the Records of Processing (Art. 30 GDPR).
The most common discovery here: the company uses 8-12 systems (Google Workspace, Slack, Mailchimp, recruitment tools, hosting, accountancy), but Art. 28 data processing agreements have been signed with three. The rest process data "on a handshake".
Stage 2 - IT audit
Stage two is a practical inspection of safeguards:
- System access - who has access to what, and whether ex-employees are still listed.
- Password policy - actually enforced or only on paper.
- Security event logging - who did what with the data, and when.
- Backups and encryption - where copies live, who can reach them.
- Breach response procedure - does the team know there is a 72-hour clock under Art. 33 GDPR?
This stage usually surprises clients. A typical finding: a shared info@ inbox available to 15 people, all of whom see the full CVs of every candidate, while HR is handled by one person.
Stage 3 - Gap detection
The auditor compares the as-is state with GDPR requirements and produces a gap list. Each entry has three things:
- What is missing or non-compliant.
- Which article creates the obligation.
- Priority: critical / high / medium / low.
Critical gaps typically include: missing privacy notice for customers, missing record of processing, missing 72-hour breach procedure, data on foreign servers without SCCs.
Stage 4 - Final report and recommendations
The report you receive is not just a list of problems - it is an implementation plan. Each gap comes with:
- a concrete recommendation (e.g. "sign a DPA with the hosting provider using the template from annex 4"),
- an effort estimate (hours, days, weeks),
- a decision: who handles it - the auditor as part of the package, or the client in-house.
Together with the report you usually get a pack of templates - privacy notices, policies, records of processing, DPAs, all in editable form.
What the audit does NOT cover
An audit is not a rollout. It will not draft every procedure for you, fix server configuration or train employees. Those are subsequent stages - priced separately. Any auditor promising "audit + rollout + training" for a single fixed price usually cuts corners on each of those parts.
Red flags when choosing an auditor
- A quote given without first discussing your company's scale.
- No references from companies of your size.
- A promise of "100% compliance" - nobody can guarantee that in a living business.
- An audit conducted exclusively remotely, with no conversation with your IT lead.
- Reluctance to specify scope and timeline in the contract.
Next step
If you are wondering whether your company is ready for a regulator visit, book a free conversation. In 30 minutes we review the current state and tell you whether you need a full audit, a mini-audit of a specific area, or just a one-document refresh.
See our full GDPR offering or write to us - we reply within one business day.