Data Privacy Audit

A data privacy audit (also known as a protection or compliance audit) checks for the use of first-party cookies, third-party cookies and third-party requests on your website. This helps determine if the site collects and shares data in accordance with privacy regulations and displays a low, medium or high risk level for privacy noncompliance.

Once you have identified which cookies and requests are being used by your website for data collection, you can begin to ask your website visitors for consent. A consent management platform (CMP) manages the gathering and storing of consents to help you achieve privacy compliance.

We can’t provide specific legal advice, but there are some best practices. Appoint representatives for data privacy and protection initiatives. Know what data you collect and how it’s managed. Have a provable legal basis for data processing. Set up data processing agreements with third parties. Provide clear information to enable users’ consent choices. Download our GDPR Compliance Checklist for more information.

Data privacy audits can identify your website as a low risk level. A low risk level means that the data privacy audit found that your website sets first-party cookies without explicitly asking users for consent, which can violate some data privacy laws. No third-party cookies or third-party requests were found.

A medium risk level means that the data privacy audit found that your website is definitely not privacy compliant. Your website sets either an above average number of first-party cookies OR third-party cookies and/or third-party requests, without explicitly asking users for consent. You may be at risk of noncompliance penalties.

A high risk level means that the data privacy audit found that your website has substantial privacy compliance failures. Your website sets a large number of third-party cookies and third-party requests without explicitly asking users for consent. You may be at risk of noncompliance penalties.

Cookies are small files set in web browsers that enable user identification tracking, personalized marketing and other functions. Some types of cookies share user data with third parties. Website operators should know which cookies they use and what data they collect. Valid consent can’t be requested from users without accurately communicating about cookie usage.

First-party cookies are set by websites while the user is on-site. They enable website providers to collect customer activity and analytics data, remember language and other preference settings, and carry out other useful user experience functions.

The riskiest type of cookies for privacy compliance, these are usually set for tracking and retargeting marketing campaigns. They are set by third-party servers, such as ad servers on publishers’ websites, and user data is shared.

Third-party requests are files that are loaded from a website other than the one that the user is currently visiting. They usually are from vendors whose technology is implemented on the website where the user is active, or who use that website for advertising and tracking purposes.

The first step is to set the parameters of the audit, including:

• what you’ll evaluate, e.g. websites, apps, etc.
• which privacy laws and requirements you’ll check against
• who will conduct the audit
• how frequently you’ll conduct audits

Once you have your methodologies in place, examine your data inventory, processes, and privacy policy. Evaluate these to see if they comply with current relevant regulatory requirements, and check that any vendors you share data with are also compliant. Remember that the data controller is responsible for the privacy compliance of their data processors under many data privacy laws. Document any places where security and data handling are not compliant or can be strengthened, and create a report with recommendations for changes to enable compliance.

Privacy compliance refers to collecting, storing, processing, and use of customer data in a way that aligns with the requirements of relevant data privacy and protection laws and your internal policies. If an organization collects and uses personal data from people in regions where there are data privacy laws like the GDPR, LGPD, POPIA, CCPA, etc., typically the organization must comply with those laws, even if the organization is located elsewhere.

A data privacy audit evaluates whether you collect, use, and share data in compliance with privacy laws and identifies where you can make improvements. It determines if your website’s risk of noncompliance is low, medium, or high, based on various factors, including how you collect consent and the data security controls and access controls in place. The Usercentrics data privacy audit enables you to see if your website is employing cookies and trackers and collecting user data in a way that is likely to comply with data privacy laws or not.

A GDPR data audit is an evaluation of your compliance with the GDPR, the data privacy and protection law for the European Union (EU) and European Economic Area (EEA). Websites and apps that process data from users in the EU must comply with GDPR requirements, even if the company collecting the data is a non-EU company. The GDPR has one of the most rigorous data protection requirements, and noncompliance can result in hefty fines, data loss, and damage to brand reputation.

There’s no specific provision in the GDPR that requires you to conduct a GDPR audit. That said, it’s good practice to do so at regular intervals to ensure you are and remain compliant with that law and any other relevant regulations, including using a lawful basis for collecting user data under the GDPR.

A privacy policy is a statement, usually located on your website, that shares information about your data processing policies and how you handle user data. It specifies what data you’re collecting, for what purpose(s), who you may share it with, and how you secure it. Typically it also includes information about users’ rights regarding personal data and how to exercise them. The legal requirements for what information a privacy policy should contain depend on where your website’s users are located. Read our blog post on privacy policies to know more about how to write a good privacy policy.