GDPR Assessment by a Global Audit Firm
CertPro conducts independent GDPR assessments for data processors, evaluating data protection policies, control design, and supporting evidence against applicable GDPR obligations under Regulation (EU) 2016/679. Findings are documented in a formal assessment report based on evidence gathered during the engagement.
The EU Regulation Governing Personal Data Protection
What GDPR is: The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a comprehensive data protection framework enacted by the European Union and in force since May 25, 2018. It governs how organizations collect, process, store, and transfer the personal data of individuals in the EU and European Economic Area (EEA), regardless of where the organization is located.
GDPR is not a framework organizations opt into — it is enforceable EU law with substantive consequences for non-compliant controllers and processors operating in or processing data from the EU and EEA. GDPR establishes clear obligations for data controllers and data processors, covering lawful basis for processing, data subject rights, security measures, breach notification, data transfer mechanisms, and accountability obligations.
CertPro conducts independent GDPR assessments for data processors, evaluating documented controls and supporting evidence against applicable regulatory requirements. Findings are documented in a formal assessment report, providing an independent, evidence-based view of conformity with GDPR obligations.
Clauses 5–6: PIMS Requirements (Controllers & Processors)
Establishes requirements and guidance for a Privacy Information Management System covering accountability, governance, and privacy controls for PII processing.
Purpose Limitation
Personal data collected for specified, explicit, and legitimate purposes must not be processed in ways incompatible with those purposes. Documented processing records with consistent purpose definitions are required.
Data Minimization
Only personal data that is adequate, relevant, and limited to what is necessary for the stated processing purpose may be collected and retained.
Storage Limitation
Personal data must not be retained for longer than necessary. Documented retention schedules, defined deletion procedures, and evidence of operational implementation are required.
Accuracy
Personal data must be accurate and kept up to date. Organizations must implement processes to identify and correct inaccurate data without delay.
Data Controller and Data Processor: Understanding Your GDPR Obligations
GDPR establishes distinct obligations for data controllers and data processors. Understanding which role applies determines the scope of applicable requirements and the controls that need to be documented and operational.
Determining the Purpose and Means of Processing
A data controller determines the purposes and means of processing personal data. Controllers bear primary responsibility for establishing a lawful basis for processing, issuing privacy notices, responding to data subject rights requests, conducting DPIAs, and maintaining records of processing activities under Article 30(1).
Processing Personal Data on Behalf of a Controller
A data processor processes personal data on behalf of a controller, acting only on documented instructions. Processors are subject to specific obligations under GDPR, including maintaining records of processing activities under Article 30(2), implementing appropriate security measures, appointing a DPO where required, supporting controllers in fulfilling data subject rights requests, and notifying controllers of breaches without undue delay.
Four Phases. Structured Process. Evidence-Based Engagement.
Every CertPro GDPR assessment follows a structured four-phase process governed by the applicable requirements of Regulation (EU) 2016/679.
Phase 1: Kick-off and Assessment Scoping
A 30-minute kick-off call confirms the assessment scope, personal data processing activities, applicable GDPR obligations, and engagement timeline. The organization's role as a data controller, data processor, or both is confirmed in writing. In-scope processing activities, systems, and organizational units are defined before any evidence review begins.
Phase 2: Evidence Access and Initial Review
The client provides access to the evidence repository, including data protection policies, Article 30 processing records, consent management documentation, data transfer agreements, security control records, and breach response procedures. A structured gap list is compiled and issued to the client upon completion of the initial evidence review, identifying areas requiring clarification or additional evidence before the control assessment proceeds.
Phase 3: Gap Clarification and Control Assessment
A Zoom session reviews identified gaps collaboratively. Additional evidence is submitted or controls are demonstrated live. CertPro assesses the effectiveness of control implementation for all in-scope GDPR compliance controls through inquiry, observation, and inspection. Findings are documented with the applicable GDPR article reference, severity classification, and factual basis.
Phase 4: Report Compilation and Issuance
The formal GDPR compliance report is compiled incorporating all findings, assessed controls, and documented observations from Phases 1 through 3. The final GDPR assessment report is issued upon completion of the QA review and client factual accuracy review, documenting organizational conformity based on evidence gathered during the engagement.
Is Your Organization Ready for a GDPR Compliance Assessment?
The areas below reflect nonconformities commonly identified across CertPro's GDPR compliance assessments. Each maps directly to an applicable obligation under Regulation (EU) 2016/679.
Records of Processing Activities
A complete and current record of processing is mandatory for controllers and processors. It must cover data categories, purposes, legal bases, retention, recipients, and transfers. Missing or outdated records are the most common gap.
Lawful Basis and Consent Records
Each processing activity must have a documented lawful basis. Where consent is used, records must prove it was informed, specific, and withdrawable. Missing or unverifiable records are material findings.
Data Processing Agreements with Subprocessors
Executed DPAs with all subprocessors are required. Agreements must include audit rights, security obligations, and breach notification clauses. Missing or incomplete DPAs are consistently flagged.
Technical and Organizational Security Measures
Security measures must align with processing risks and include encryption, access control, and testing. Policies without implementation evidence across systems are a recurring finding.
Breach Detection and Notification Procedures
Procedures must define breach detection, escalation, and notification timelines. Processors must notify controllers without undue delay. Missing procedures or an absent breach log increase compliance risk.
Independent GDPR Assessment. Formal Report. Evidence-Based Methodology.
Six principles govern how CertPro conducts every GDPR assessment engagement, from scoping through final report issuance. These commitments are structural, documented in every engagement file, and applied consistently across all organizations assessed against Regulation (EU) 2016/679.
Assessment Independence and Objectivity
CertPro does not provide data protection policy drafting, implementation support, or advisory services to organizations it assesses. A pre-engagement independence check is documented for every GDPR compliance assessment engagement without exception. Assessment conclusions are derived solely from objective evidence reviewed during the current engagement.
Assessed Against Regulation (EU) 2016/679
Every CertPro GDPR audit is conducted against the applicable provisions of Regulation (EU) 2016/679, with findings documented by article reference. The formal assessment report documents conformity observations based exclusively on evidence gathered during the engagement.
Evidence-Based Control Assessment
Every assessment conclusion is supported by sufficient and appropriate objective evidence. GDPR compliance controls are assessed through inquiry, observation, and inspection of documentation, processing records, system configurations, and operational evidence. Our team independently verifies a risk-based sample of controls through direct evidence review.
Credentialed Assessment Team
Every GDPR compliance assessment engagement is led by professionals with demonstrated expertise in data protection regulation and privacy management systems, supported by CISA-certified information systems auditors with sector experience across technology, financial services, and healthcare.
Structured Communication Throughout
Assessment findings are communicated in precise, unambiguous language at every stage. Each finding is documented with the applicable GDPR article reference, severity classification, factual basis, and specific evidence reviewed. Clients track progress in real time through Asana, with milestone notifications at each phase completion.
Global Assessment Capability
CertPro professionals are based across the USA, India, UK, Oman, Lebanon, and Ghana. Remote GDPR compliance assessments are conducted for organizations across all major technology and regulated markets, covering processing environments in the EU, EEA, and third countries subject to GDPR extraterritorial scope under Article 3.
GDPR Compliance: Questions We Hear Most
What GDPR is: The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is EU law governing the protection of personal data of individuals in the EU and EEA. It applies to any organization that processes personal data of EU individuals, regardless of where the organization is located, and covers both data controllers and data processors.
A data controller determines the purposes and means of processing personal data and bears primary accountability obligations under GDPR, including issuing privacy notices, establishing lawful bases, conducting DPIAs, and notifying supervisory authorities of breaches. A data processor processes personal data on the instructions of a controller and has specific obligations under Articles 28, 30, and 32, including executing DPAs, maintaining processing records, implementing security measures, and notifying controllers of breaches without undue delay.
A CertPro GDPR compliance assessment evaluates documented data protection policies, control design, and supporting evidence against applicable GDPR obligations under Regulation (EU) 2016/679. The assessment covers Article 30 processing records, lawful basis documentation, consent management, data subject rights procedures, Article 32 security measures, breach detection and notification procedures, and DPAs with subprocessors.
The seven GDPR principles under Article 5 are: Lawfulness, fairness, and transparency, requiring a valid legal basis and transparent processing; Purpose limitation, restricting use to specified and documented purposes; Data minimization, limiting collection to what is necessary; Accuracy, maintaining correct and current data; Storage limitation, retaining data only as long as necessary; Integrity and confidentiality, applying appropriate security measures; and Accountability, requiring controllers to demonstrate compliance with all GDPR principles through documented controls and governance structures.
GDPR Article 42 provides for approved certification mechanisms, which must be issued by accredited certification bodies recognized under Article 43 by the relevant national supervisory authority. Such certification can be used as one element to demonstrate compliance with the regulation, but it does not replace legal obligations or a full privacy review. It is important to note that a third-party assessment — while useful for identifying gaps and documenting findings — is distinct from a formal Article 42 certification. The latter carries specific regulatory recognition, whereas a private assessment reflects the findings of the engaging firm based on evidence gathered during the engagement.
GDPR can be assessed alongside related privacy and information security frameworks to support a broader control view. Where relevant, organizations often use ISO-based privacy and security frameworks together with a GDPR assessment to document governance, control evidence, and accountability.
Begin Your Compliance Audit with a Licensed CPA Firm.
Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss the audit scope, and outline a clear path based on your current state.