Read about two fundamental types of GDPR audits: for company and for applications. These are two complementary and necessary verifications that are worth introducing in business.

From the article you will learn:

  • about the differences between the GDPR audit of the organization and application;
  • the most important steps during the audit;
  • what questions the audits answer and what knowledge you can get from them.

Verification of the security of organizations or systems are complex processes that require work and time. All you need to know here that there are about two fundamental types of GDPR audits: for company and for applications. Learn about the differences and why business resources should be secured in these times.

It might be quite confusing what is the difference between these two: Organization GDPR Audit vs Application GDPR Audit. Many specialists DO NOT know the key differences and use these terms interchangeably or incorrectly. Here at Lemlock there were several times of explaining this difference during application security verification and application GDPR checks for various web and mobile systems. We always try to resolve any doubts in what is it audit and whether should it be taken into account because in many cases both audits are necessary there are many differences in the audit scopes of both audits, and the companies are not aware of it.

Differences between Organization GDPR Audit vs Application GDPR Audit

The best way to picturize the confusion in IT auditing is when Lemlock team had a conversation with a Client once and we have asked if the application was checked in terms of GDPR. The Client claimed that it was confirmed by lawyers. We were wondering how lawyers can verify GDPR compliance of the IT system without deep understanding of IT system architecture, databases, programming languages or server configurations. It was obvious for us that lawyers would have analysed the outcome of such audit however not necessary be able to prepare one. In that moment we realized that Client had in mind the preparation of the organization to be compliant with GDPR and not about technical verification of the IT application. The most important differences between the aforementioned and obligatory audits for business will be explained below.

GDPR compliance of the organization

Such audit and audit steps are usually either specific verification for the organization in terms of the GDPR or it can be a part of the larger Data Governance process. Such audit helps to answer the following questions:

  • Is my company able to manage the data protection of my clients, employees, and subcontractors?
  • Where can I store personal data in digital (e.g. systems, databases) and analogue (e.g. paper documentation) form?
  • Is there any risk in my organization as part of the processing of personal data?
  • Do I have to prepare internal procedures/processes (security policies) that my employees must follow to reduce the risk?
  • Do my employees require additional training to understand how to deal with personal data?
  • Do I need a Data Protection Officer in my organization and what will be his/her duties?

The audit may include Data audit and it can involve analysis of the organization's assets in terms of the requirements specified by GDPR. Then recording of organizational processes related to the processing of personal data and recording of digital assets. Interviews with employees should be conducted to extend previous recordings to more accurate information on digital assets. It is also important to create Data Protection Impact Assessment, DPIA (if necessary). And last but not least conducting Risk analysis and preparation of documents required by GDPR and Risk management activities - procedures, recommendations, security policies.

Technical GDPR audit for application

In the case of this verification and audit steps, we focus on other areas as part of the application control, and the audit allows us to answer such questions as:

  • How does my web/mobile/IoT application process personal data?
  • Does the system architecture of my IT platform meet the principle of Privacy by Design?
  • Does the domain model (database structure) of my application allow me to handle GDPR provisions (ie the Right to be forgotten, Right to rectification, etc)?
  • How does the source code of the application deal with personal data?
  • Does my system import / export personal data from / to other systems, and if so, how does it support data management and consent management between data processors and data controllers?
  • Does the API interface of my application correctly adress the Privacy by default principle?
  • How does my application support user consents, especially if consent is changed?
  • Are there any system vulnerabilities that can compromise the privacy of my users?
  • How are personal data stored as private (are there multi storage, data minimization, encryption, etc.)?
  • What is my data backup policy and how does it relate to GDPR provisions?
  • What does my server configuration and system logs look like regarding the GDPR requirements?

There are several permanent steps that should be included in the application GDPR-compliance audit. First of all, verification of the system's API in terms of UI and security by default. You must identify the data for which the system is a controller or processor. Then it is necessary to analyze the domain model security mechanism in regards to data protection by design. You also need to remember about the analysis of the system architecture in regards to profiling process. Next step is to verify the system architecture in regards to data subject provisions. The key action is to analyze the source code of consent management system and checking on how the system informs data processors when the user consents change. It is worth emphasizing here that when the application is constantly developed, it is necessary to take into account the process of Continuous Pentesting. Thanks to this, you can always be sure that regardless of the level of application development, it does not endanger business or its users.

Below you can find a quick comparison of both audits and activities that answers the question “what do auditors do” during such verification:

Lemlock types of audit.

We hope that it is now more clear to you what the difference between these two audits is. If you would like to find out what the result of the GDPR technical audit for the application looks like, please contact us and we will provide you with an example report.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
Are you interested in a comprehensive solution
for your data security?
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to, or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail:

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.

Let's stay in contact