DIY GDPR audit: the 12 points we check first at every SME
From dozens of audits at Bavarian SMEs, we have distilled 12 points that almost always show gaps. A checklist for the first overview.
In recent years we have carried out IT security audits at several dozen SMEs in Bavaria. Each of these audits also included a review of the GDPR implementation — not as legal advice, but as a technical and organisational inventory. The same twelve points have repeatedly proven to be the most critical: the places where companies regularly have gaps, often without knowing it.
We share this list here. Not as a substitute for professional GDPR advice, but as a guide for managing directors who want a first assessment of their own status.
The 12 points we check first at every SME
1. Records of processing activities present and current? The records of processing activities (Art. 30 GDPR) are mandatory for companies with more than 250 employees — but recommended for smaller operations as well, when sensitive data is regularly processed. At about half of the audited companies we find them either missing entirely or in a 2018 state that does not reflect tools and processes introduced since.
2. Data processing agreements (DPAs) with all relevant providers? Cloud services, email newsletter software, tax advisor tools, accounting software as SaaS — all of these are potential processors. Many companies have DPAs with their main provider, but not with the twelve other tools that have accumulated over the years.
3. Website privacy policy complete and current? Sounds trivial, but it is not. We check concretely: are all tracking tools used named? Is there a legal basis for every processing purpose? Has the privacy policy been updated since the last relaunch? In one in three cases: no.
4. Consents demonstrably documented? Anyone who sends newsletters, sets cookies outside the strictly necessary category, or uses form data for advertising purposes needs documented consents. "They agreed back then" is not enough — there must be a log with timestamp, content version and revocation option.
5. Access rights in Active Directory or user management current? We find former employees with active accounts in almost every audit. Sometimes with admin rights. Sometimes these accounts have access to customer data. That is a GDPR problem and an IT security problem at the same time.
6. Backup concept GDPR-compliant? Backups often contain personal data. The questions are: how long are they retained? Where are they — especially with cloud backups: in which country? Are they encrypted? Are deletion requests propagated into the backups? This last point is technically demanding and is mostly not implemented.
7. Data protection officer appointed where required? From 20 employees who regularly work with personal data, an in-house data protection officer is mandatory. In Bavaria, small companies can contact the LDA Bavaria to clarify whether the obligation applies. We see many companies misjudging the threshold — in both directions.
8. Technical and organisational measures (TOMs) documented? The TOMs describe how the company technically protects personal data: encryption, access controls, pseudonymisation, physical server security, employee training. This document must exist and must reflect reality — not what one would like, but what is actually implemented.
9. Notification obligation for data breaches known and practised? Art. 33 GDPR requires notification of personal data breaches within 72 hours to the supervisory authority. We ask: who in the company knows what constitutes a notifiable breach? Who makes the decision? Who reports? Mostly there is no clear answer to any of these questions.
10. Employees trained and training documented? Nobody opens phishing emails on purpose — but those who don't know the signals click anyway. GDPR training for new employees and regular refreshers are not nice-to-haves, they are part of the TOMs. The training must be documented.
11. Deletion concept in place? Data that is no longer needed must be deleted. That sounds simple. In practice it means: someone must define which data are deleted when, who does it, and how the proof is provided. Without a concept, things happen either too early (data gone that was still needed) or too late (data lying around that should have been deleted long ago).
12. Provider transfers outside the EU reviewed? Cloud services with servers in the US, analytics tools with US parent companies, support tickets that flow through US systems — all of this is a third-country transfer. Since Schrems II, this is a sensitive topic. The question is not whether US services may be used (often yes, with the right safeguards), but whether this has been deliberately reviewed and documented.
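Point 5 is the one on this list that a technical auditor can check in minutes. The following read-only report is an added example, not a script from the original article: it lists enabled Active Directory accounts with no logon in the last 90 days and marks those that still sit in a privileged group. It assumes the RSAT ActiveDirectory module, read access to the domain, and that the 90-day threshold and the group names are adjusted to the company.

```powershell
# Added example (not from the original article): stale-account report for point 5.
# Assumptions: RSAT ActiveDirectory module installed, read access to the domain,
# 90-day threshold and privileged group names adjusted per company.
Import-Module ActiveDirectory

$Threshold = (Get-Date).AddDays(-90)

# Resolve privileged group membership recursively, keyed by SamAccountName
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$Privileged = @{}
foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $Privileged[$_.SamAccountName] = $Group }
}

# Enabled accounts that never logged on or not within the threshold.
# Accounts created inside the window are skipped: they have not had time to log on yet.
# Note: LastLogonDate comes from the replicated lastLogonTimestamp attribute and
# can lag real activity by up to 14 days, which is acceptable for a 90-day check.
$Report = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated |
    Where-Object {
        $_.WhenCreated -lt $Threshold -and
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Threshold)
    } |
    Select-Object SamAccountName, Name,
        @{ Name = 'LastLogon';     Expression = { $_.LastLogonDate } },
        @{ Name = 'PrivilegedVia'; Expression = { $Privileged[$_.SamAccountName] } } |
    Sort-Object -Property @{ Expression = 'PrivilegedVia'; Descending = $true }, LastLogon

# Evidence for the audit file: stale accounts first, privileged ones on top
$Report | Format-Table -AutoSize
$Report | Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" `
    -NoTypeInformation -Encoding UTF8
```

The script changes nothing in the directory; disabling or deleting the accounts it lists belongs in the joiner/mover/leaver process with HR confirmation, and the exported CSV is the proof that the review took place.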
What the next step is
This list is not a complete GDPR audit — it is a first filter to quickly assess where the biggest gaps are. If more than four of these points are unclear or open, a structured review is sensible.
We offer GDPR-technical audits as part of our IT security consulting — with a focus on the technical and organisational measures, not legal advice. For legal assessments we always recommend a complementary review by a data protection lawyer. What distinguishes us from IT consulting projects: we don't write reports that end up in a drawer, we accompany the implementation.
Discuss your project?
We deliver what we describe here — in Bavaria and across the entire DACH region.