GDPR audit and stamp of approval.
Independent verification of your GDPR compliance efforts.
- Discover improvements
- Achieve compliance
- Independent verification
What is the CRANIUM GDPR Audit?
The CRANIUM GDPR Audit is an independent framework that demonstrates and assures your organisation’s commitment towards privacy. More than just a compliance check, the GDPR Audit also serves as a comprehensive tracker, pinpointing potential areas of improvement within your organisation.
A mature organisation produces mature products. Instead of solely focussing on a singular product, we prioritise the evaluation of the management system as a whole. We will check if the correct measures are set in place to guarantee governed and compliant processing of personal data. This examination is based on our very own GDPR compliance framework.
Benefits of the GDPR Audit.
Continuous Improvement
Gain valuable insights in your organisation’s GDPR status and improve its maturity.
Independent Stamp of Approval
Get external verification of your efforts towards GDPR compliance and showcase it to the world.
Demonstrate Accountability
Demonstrate GDPR compliance and accountability towards management, clients and authorities.
What does the Compliance Framework used in the GDPR Audit consist of?
The CRANIUM GDPR Framework consists of 8 key domains, each broken down into chapters and specific controls. These domains cover crucial aspects of GDPR compliance.
In total, we examine approximately 75 measures through the framework.
Aside from this, we also offer guidance on how you can be compliant with each control.
01 - Privacy Management System
This framework defines and assigns responsibilities for data protection, serving as a foundation for reporting and follow-up with higher management.
02 - Awareness & Communication
This domain consists of educating and informing employees and stakeholders about GDPR requirements and data protection practices. This can involve training programmes, awareness campaigns and communication strategies to ensure that everyone in the organisation is aware of their obligations and the importance of protecting personal data.
03 - Records of Processing Activities
Does the organisation have the required records of all processing activities involving personal data?
04 - Rights of the Data Subject
A data subject has many rights under the GDPR, including the right to request access to, rectification of or erasure of their personal data; the right to data portability; and the right to object to certain processing activities or to request their restriction. Is there an adequate system in place to handle such requests?
05 - Relationship with External Parties
An organisation that has a lot of third-party relationships with vendors, partners and service providers needs to conduct due diligence to ensure that data processing agreements (DPAs) and Joint Controller Agreements (JCAs) are in place.
06 - International Transfers
The GDPR imposes strict rules on transferring personal data outside the European Economic Area (EEA). Are the necessary mitigation measures in place to comply with the GDPR for such transfers?
07 - Data Breach Management
Organisations must have an incident response plan in place to detect, investigate and report data breaches.
08 - Data Protection by Design & Default
Data Protection is a mindset that should be integrated into the design and operation of IT systems, business processes and services from the start. Has this been integrated into the culture of the organisation?
The outcome of the CRANIUM GDPR Audit.
- Scope Statement
- Report & executive summary
- Stamp of Approval for your website or in your communication efforts
- Assurance statement
Our CRANIUM GDPR Experts.
BJORN SUCAET
Principal Privacy Consultant & Domain Lead
RANI VAN KWIKKELBERGHE
Senior Privacy Consultant & Domain Lead
BAVO VAN DEN HEUVEL
Founder & Chief Knowledge Officer
Frequently Asked Questions.
What is the timing of a GDPR Audit?
The time needed to conduct a full GDPR audit depends on the size of your organisation and the number of processing activities. We aim to carry out the audit in 7-14 days, and need 12 on average.
What is expected of my organisation during the auditing process?
- Sufficient internal capacity to participate in consultations and interviews to provide the necessary information;
- Timely ability to define and validate the audit plan;
- Timely delivery of documentation necessary to obtain a clear picture of the processing activities covered by the audit.
While we manage the bulk of the auditing work, your team’s insights and cooperation are crucial for a successful, tailored outcome. We’ll work with you to schedule engagements that minimise disruption to your daily operations.
What is the seal of verification?
Our GDPR audit is an independent verification of your privacy maturity, not an official certification. We do, however, offer you a seal that you can use in your external communications to show that CRANIUM has audited your privacy practices.
What is the difference with a privacy scan?
The GDPR Audit is a solution for organisations that are mature in their privacy practices and want to verify and document their compliance. The audit is meant as an independent verification of your privacy efforts, which can be used to build trust towards stakeholders.
The privacy scan, on the other hand, provides a high-level overview of privacy practices and compliance with data protection laws. Its purpose is mainly diagnostic: identifying gaps and areas of improvement. It shows you where you stand and where you can improve.
Interested in a GDPR Audit?
Do you want more information on our Privacy solutions, an offer or a commitment-free conversation about your needs?