
GDPR Audit: How to Assess Your Level of Compliance in 2026

A practical guide for company directors, e-merchants, startups and VSEs/SMEs
Published by the firm Mirabile Avocat | Updated: April 2026

Reading time: 14 min


In 2026, compliance with the General Data Protection Regulation (GDPR) is no longer optional. It is a legal obligation enforced with growing vigour by the French Data Protection Authority (CNIL). The penalty imposed on France Travail in January 2026, a 10,000,000 euro fine for breach of Article 32 of the GDPR, is a reminder that even large public organisations are not immune. For private companies, VSEs, SMEs, startups and e-merchants, the question is no longer whether to comply, but rather where your organisation actually stands.

This is precisely where the GDPR audit comes in. A genuine snapshot of your situation in light of the requirements of the European regulation and of the French Data Protection Act of 6 January 1978, the audit is the first step in any serious compliance process. This guide explains how to conduct it methodically, which points to check as a priority, and why surrounding yourself with specialised legal counsel can make all the difference.

What is a GDPR audit and why is it essential in 2026?

What is the purpose of a GDPR compliance audit?

The GDPR audit is a procedure for the systematic assessment of all personal data processing activities carried out by an organisation. It makes it possible to identify the gaps between the current situation and the obligations imposed by Regulation (EU) 2016/679 of 27 April 2016, known as the GDPR, and by French Act No. 78-17 of 6 January 1978 as amended. In concrete terms, the audit answers a simple question: to what extent does my organisation respect the rights of the individuals whose data it processes?

A well-conducted audit produces an action plan ranked by level of criticality. It also constitutes evidence in the event of a CNIL inspection or a user complaint. The principle known as "accountability", set out in Article 5(2) of the GDPR, indeed requires data controllers not only to comply with the rules, but also to be able to demonstrate this at any time.

What risks does a company that does not carry out an audit run?

The risks are multiple and concrete. First, the risk of an administrative penalty: the GDPR provides for two levels of penalties in Article 83. The most serious breaches (violation of fundamental principles, lack of a legal basis, unlawful transfers) are punishable by fines of up to 20,000,000 euros or 4% of total worldwide annual turnover. Less serious breaches (failure to inform, absence of a register, failure to designate a mandatory DPO) are penalised up to 10,000,000 euros or 2% of turnover.

Second, the reputational risk: a data breach made public or a CNIL penalty decision is a severe blow to customer trust. CNIL decisions are systematically published. The penalties imposed in January 2026, in particular those related to security failures (Article 32 of the GDPR), show that the absence of appropriate technical and organisational measures is one of the most frequently identified breaches. Finally, in the event of a contractual dispute or litigation with a processor or a business partner, the absence of any documented compliance process considerably weakens your position.

What are the steps of a complete GDPR audit?

Step 1: map all personal data processing activities

The first step consists of identifying all the personal data processing activities carried out by your organisation. Processing means any operation performed on personal data: collection, recording, storage, consultation, use, disclosure, erasure. Every data flow must be considered: contact form, newsletter, online payment, HR file, CRM tool, website analytics, cookies.

This mapping work must be formalised in a record of processing activities, an obligation set out in Article 30 of the GDPR for organisations with more than 250 employees, but strongly recommended, and often imposed by supervisory authorities, for all structures whenever they process high-risk data or do so on a non-occasional basis. For each processing activity, the register must indicate:

  • The purpose of the processing (why is this data collected?),
  • The applicable legal basis (consent, performance of a contract, legal obligation, legitimate interest, etc.),
  • The categories of data processed,
  • The data subjects (customers, employees, prospects, etc.),
  • The recipients and processors,
  • The retention periods for each category of data,
  • The security measures in place.

Good to know: An e-merchant who collects email addresses, telephone numbers and purchase histories carries out several distinct processing activities. Each must be the subject of an entry in the register with its own legal basis. The performance of a sales contract is the basis for invoicing, but not necessarily for sending a commercial newsletter, which requires separate consent.

Step 2: check the legal bases and the information obligations

Each processing activity must rely on one of the six legal bases listed in Article 6 of the GDPR. The most common error observed during audits is the systematic recourse to consent as the legal basis, when another basis (performance of a contract, legal obligation) would be more appropriate and more robust. Consent must be freely given, specific, informed and unambiguous; it cannot be a pre-ticked box.

At the same time, the information obligations provided for in Articles 13 and 14 of the GDPR must be checked. Is your privacy policy accessible, readable, complete? Does it mention the retention periods? Are the rights of individuals (access, rectification, erasure, portability, objection) clearly indicated together with the means of exercising them? These notices must appear at each point of collection: web form, mobile application, contract signed at the point of sale.

Step 3: audit the contracts with processors

The GDPR requires that any relationship with a processor that processes personal data on your behalf be governed by a Data Processing Agreement (DPA), in accordance with Article 28 of the GDPR and Article 96 of the French Data Protection Act. This contract must define the subject matter of the processing, its duration, its nature and purpose, the types of data processed, the processor's security obligations, and its obligation to act only on the controller's instructions.

The typical processors of a digital SME include: the website host, the emailing solution (Mailchimp, Brevo, etc.), the CRM tool (HubSpot, Salesforce, etc.), the payment provider (Stripe, PayPal, etc.), the audience analytics tools. The absence of a DPA with one of these providers constitutes a characterised breach. The audit must verify that these contracts exist, that they are up to date, and that they cover all the processing actually carried out.

Step 4: assess the security of processing

Article 32 of the GDPR requires the implementation of appropriate technical and organisational measures to ensure a level of security adapted to the risk. It is on this basis that France Travail was penalised in January 2026 with a fine of 10 million euros, that several operators were convicted at the end of 2025, and that the CNIL recalled in its recent decisions that a breach of the security obligation may be established independently of any data breach actually having occurred.

The audit must therefore focus on the security measures in place: encryption of sensitive data, management of authorisations and access, password policy, access logging, data backup, incident management. For more advanced structures, penetration tests or code audits may be commissioned. These technical documents may moreover constitute evidence in the event of an inspection.

Step 5: identify the processing activities requiring an impact assessment (DPIA)

Certain processing activities that are particularly risky for the rights and freedoms of individuals must be the subject of a Data Protection Impact Assessment (DPIA), provided for in Article 35 of the GDPR. This is notably the case for processing relating to sensitive data (health, ethnic origin, political opinions, etc.), processing involving systematic large-scale monitoring, or scoring and profiling processing. The CNIL publishes a list of the types of processing that systematically require one.

If a DPIA is necessary and has not been carried out, this constitutes a specific breach. The DPIA must describe the processing, assess its necessity and proportionality, identify the risks to the rights of individuals, and specify the measures envisaged to address them.

Dashboard: the control points of a complete GDPR audit

  • Mapping of processing activities: identify all processing activities (collection, storage, disclosure, erasure, cookies, CRM).
  • Record of processing activities: formalise the register (Art. 30): purpose, legal basis, data, individuals, recipients, periods, security.
  • Legal bases: each processing activity relies on one of the six bases (Art. 6), without improper recourse to consent.
  • Information obligations: privacy policy, retention periods, rights of individuals (Art. 13 and 14).
  • Processor contracts (DPA): existence and updating of contracts (Art. 28): host, emailing, CRM, payment.
  • Security of processing: encryption, authorisations, passwords, logging, backups, incidents (Art. 32).
  • Impact assessment (DPIA): identify high-risk processing: sensitive data, monitoring, scoring, profiling (Art. 35).
  • Data breach procedure: procedure for notifying the CNIL within 72 hours (Art. 33).
  • Cookie consent: no analytics cookies without prior valid consent (CNIL recommendations).
  • Designation of a DPO: check the obligation (Art. 37) and, failing that, the appropriateness of designating one.

Provided for information purposes only, does not constitute legal advice.

What penalties are incurred in the event of non-compliance?

Since the 2018 reform, the CNIL has had strengthened enforcement powers. In 2025 and 2026, it imposed several dozen administrative penalties, some of them very significant. The decisions handed down in January 2026 against several telecom operators and service providers show that the absence of adequate security measures remains the main ground for penalties. These decisions also specify that a breach of the security obligation may be established independently of any data breach actually having been found, which is a strong signal sent to companies: do not wait for an incident to act.

In addition to financial penalties, the CNIL may issue compliance orders accompanied by periodic penalty payments, formal notices, or even the temporary restriction of processing, which may lead to the interruption of a commercial activity. It may also publish its penalty decisions, which constitutes considerable reputational harm. In criminal matters, Article 226-16 of the French Criminal Code penalises certain violations of the GDPR with up to 5 years' imprisonment and a fine of 300,000 euros.

Concrete cases: what does a GDPR audit look like for an e-merchant or a startup?

Case No. 1: an e-commerce site that collects customer data

Let us take the example of an e-merchant who runs a site on Shopify or PrestaShop, uses Mailchimp for newsletters and Stripe for payments. An audit typically reveals the following points:

  • Absence of a formalised record of processing activities (non-compliance with Article 30),
  • The privacy policy does not mention the retention periods or the rights of users in an accessible manner,
  • The analytics cookies (Google Analytics) are placed without prior valid consent, in breach of the CNIL's recommendations,
  • No DPA signed with Mailchimp or Stripe, although they are processors within the meaning of Article 28,
  • No internal procedure in the event of a data breach (notification to the CNIL within 72 hours, Article 33).

This very common non-compliance profile exposes the company to a fine that may exceed several tens of thousands of euros and to a compliance order. Correction generally takes 2 to 3 months with appropriate legal support.

Case No. 2: a SaaS startup that processes the data of its business customers

A startup that markets SaaS software to companies often plays a dual role: data controller for its own users (team, sales staff), and processor with respect to its customers who entrust it with the data of their own customers or employees. This dual status is often poorly understood and poorly governed contractually.

The audit must verify that the GTC and the customer contracts incorporate processing clauses compliant with Article 28 of the GDPR, that the data of your customers' customers is properly partitioned, and that specific security measures (encryption, isolation of test environments) are implemented. Neglecting this point exposes the startup to actions for contractual liability from its own customers.

Practical guide: GDPR audit, obligations according to profile

  • E-merchant collecting customer data: keep a formalised record of processing activities (Art. 30). Status: mandatory.
  • E-merchant collecting customer data: sign a DPA with each processor (Art. 28). Status: mandatory.
  • E-merchant collecting customer data: procedure for notifying a breach within 72 h (Art. 33). Status: mandatory.
  • E-merchant using analytics cookies: prior valid consent before placing cookies. Status: conditional.
  • SaaS startup (dual status): processing clauses compliant with Art. 28 in GTC and customer contracts. Status: mandatory.
  • SaaS startup (dual status): partition the data and isolate the test environments. Status: mandatory.
  • Organisation with more than 250 employees: keep the record of processing activities (Art. 30). Status: mandatory.
  • Large-scale processing or sensitive data: designate a DPO (Art. 37). Status: conditional.

Provided for information purposes only, does not constitute legal advice.

GDPR obligations according to your profile: status legend: mandatory; conditional / likely; depending on the activity; not mandatory.

This table is indicative. The exact obligations depend on your activity and the processing carried out. In case of doubt, consult a data protection officer or the CNIL documentation.

Should you designate a Data Protection Officer (DPO)?

The designation of a Data Protection Officer (DPO), provided for in Article 37 of the GDPR, is mandatory in three situations: for public authorities, for organisations whose core activity consists of large-scale processing requiring regular and systematic monitoring of data subjects, and for those that process so-called sensitive data (health, religious beliefs, biometric data, criminal offences, etc.) on a large scale.

Outside these cases, the designation of a DPO remains strongly recommended. The DPO may be an internal employee or an external provider. They must have the necessary legal and technical knowledge, be independent in the exercise of their duties, and have sufficient resources. The CNIL maintains a public register of designated DPOs. Since 2024, it has increasingly checked during its inspections whether structures subject to the obligation have indeed made this designation.

How does the Mirabile firm support you in your GDPR audit?

The firm Mirabile Avocat works alongside company directors, e-merchants, startups and SMEs at every stage of the GDPR compliance process. Our approach is both legal and operational: we do not produce unworkable deliverables, but concrete action plans adapted to the reality of your structure.

The initial audit: a precise snapshot of your situation

We carry out a documentary and operational audit covering all of your organisation's processing activities. This audit results in a detailed report identifying the non-compliances in order of criticality, the associated legal risks, and the priority corrective measures. This report is directly usable and constitutes evidence of your good faith in the event of an inspection.

The drafting and securing of your GDPR documents

The firm handles the drafting or updating of your privacy policy, your legal notices, your record of processing activities and your data processing agreements (DPAs) with your processors. We also check the legal validity of your consent-collection mechanisms, in particular regarding cookies, in compliance with the CNIL's recommendations.

Assistance in the event of an inspection or litigation

In the event of a CNIL inspection, a complaint filed by a user or a formal notice, the Mirabile firm assists you at every stage: preparation of responses to the supervisory authority, organisation of the compliance process within the required timeframes, representation before the competent authorities, and if necessary, litigation before the administrative or civil courts.

Training and raising awareness among your teams

GDPR compliance does not lie solely in the documents. It also relies on the daily practices of your staff. The firm offers awareness sessions tailored to your sector and your size, to make data protection an integrated reflex in your corporate culture.

Good to know (practical example): an SME in the digital health sector contacted us after receiving a formal notice from the CNIL. In less than six weeks, we set up the record of processing activities, formalised the DPAs with three processors, drafted a new privacy policy and brought the consent mechanisms into compliance. The CNIL closed the procedure without penalty.

In conclusion: the GDPR audit, an investment to secure your activity

In 2026, the European supervisory authorities and the CNIL have clearly signalled their intention to strengthen the enforcement of the GDPR, including towards VSEs and SMEs. The penalties imposed in recent months confirm this: compliance is no longer reserved for large companies. It applies to any structure that collects, processes or stores personal data, whether it is an e-merchant, a startup, a craftsperson, a professional or an association.

The GDPR audit is the indispensable first step. It allows you to know where you stand, to act as a priority on the most significant risks and to document your process so that you can account for it. It is also a strong signal sent to your customers and partners: that of an organisation that takes seriously the protection of the data entrusted to it.

The firm Mirabile Avocat is at your disposal to assess your situation, carry out your compliance audit and support you over the long term in managing your obligations under the GDPR and digital law.

To learn more

What is a GDPR audit?

The GDPR audit is a snapshot of the organisation's situation in light of the requirements of the European regulation and of the French Data Protection Act. It assesses the level of compliance, identifies the gaps and guides the corrective actions to be put in place.

Why carry out a GDPR audit in 2026?

In 2026, GDPR compliance is an obligation enforced with growing vigour by the CNIL. The audit makes it possible to know where the organisation actually stands, to identify breaches and to reduce the risk of penalty before a possible inspection.

Which GDPR penalty illustrates the stakes in 2026?

The penalty imposed on France Travail in January 2026, namely a 10 million euro fine for breach of Article 32 of the GDPR, is a reminder that even large organisations are not immune. It illustrates the growing vigour of inspections.

What does a GDPR audit check?

The GDPR audit examines the processing activities, the register, the legal bases, the information of individuals, data security, the management of rights and the documentation. This complete review measures compliance and identifies the priority corrective actions.

Are VSEs and SMEs concerned by the GDPR audit?

Yes. For private companies, VSEs, SMEs, startups and e-merchants, the question is no longer whether to comply, but where the organisation stands. The GDPR audit responds precisely to this need for assessment, whatever the size.

What happens after a GDPR audit?

At the end of the audit, the organisation has a review of the situation and a plan of prioritised corrective actions. The implementation of these actions makes it possible to close the gaps identified and to raise the level of GDPR compliance.

Does a GDPR audit reduce the risk of penalty?

Yes. By identifying breaches before an inspection, the audit makes it possible to correct them and to demonstrate a compliance process. This reduces the risk of a penalty from the CNIL, whose fines can reach high amounts.

Is a lawyer useful for a GDPR audit?

A lawyer helps to carry out a complete GDPR audit, to interpret the gaps in light of the regulation and the French Data Protection Act, and to structure the action plan. This support secures compliance and limits the risk of penalty.
