GDPR
A practical guide for company directors, e-merchants, startups and VSEs/SMEs Published by the firm Mirabile Avocat | Updated: April 2026
In 2026, compliance with the General Data Protection Regulation (GDPR) is no longer optional. It is a legal obligation enforced with growing vigour by the French Data Protection Authority (CNIL). The penalty imposed on France Travail in January 2026, a 10,000,000 euro fine for breach of Article 32 of the GDPR, is a reminder that even large public organisations are not immune. For private companies, VSEs, SMEs, startups and e-merchants, the question is no longer whether to comply, but rather where your organisation actually stands.
This is precisely where the GDPR audit comes in. A genuine snapshot of your situation in light of the requirements of the European regulation and of the French Data Protection Act of 6 January 1978, the audit is the first step in any serious compliance process. This guide explains how to conduct it methodically, which points to check as a priority, and why surrounding yourself with specialised legal counsel can make all the difference.
The GDPR audit is a procedure for the systematic assessment of all personal data processing activities carried out by an organisation. It makes it possible to identify the gaps between the current situation and the obligations imposed by Regulation (EU) 2016/679 of 27 April 2016, known as the GDPR, and by French Act No. 78-17 of 6 January 1978 as amended. In concrete terms, the audit answers a simple question: to what extent does my organisation respect the rights of the individuals whose data it processes?
A well-conducted audit produces an action plan ranked by level of criticality. It also constitutes evidence in the event of a CNIL inspection or a user complaint. The principle known as "accountability", set out in Article 5(2) of the GDPR, indeed requires data controllers not only to comply with the rules, but also to be able to demonstrate this at any time.
The risks are multiple and concrete. First, the risk of an administrative penalty: the GDPR provides for two levels of penalties in Article 83. The most serious breaches (violation of fundamental principles, lack of a legal basis, unlawful transfers) are punishable by fines of up to 20,000,000 euros or 4% of total worldwide annual turnover. Less serious breaches (failure to inform, absence of a register, failure to designate a mandatory DPO) are penalised up to 10,000,000 euros or 2% of turnover.
Second, the reputational risk: a data breach made public or a CNIL penalty is a severe blow to customer trust. CNIL decisions are systematically published. The penalties imposed in January 2026, in particular those related to security failures (Article 32 of the GDPR), show that the absence of appropriate technical and organisational measures is one of the most frequently identified breaches. Finally, in the event of a contractual dispute or litigation with a processor or a business partner, the absence of any documented compliance process considerably weakens your position.
The first step consists of identifying all the personal data processing activities carried out by your organisation. Processing means any operation performed on personal data: collection, recording, storage, consultation, use, disclosure, erasure. Every data flow must be considered: contact form, newsletter, online payment, HR file, CRM tool, website analytics, cookies.
This mapping work must be formalised in a record of processing activities, an obligation set out in Article 30 of the GDPR for organisations with more than 250 employees, but strongly recommended, and often imposed by supervisory authorities, for all structures whenever they process high-risk data or do so on a non-occasional basis. For each processing activity, the register must indicate:
Good to know: An e-merchant who collects email addresses, telephone numbers and purchase histories carries out several distinct processing activities. Each must be the subject of an entry in the register with its own legal basis. The performance of a sales contract is the basis for invoicing, but not necessarily for sending a commercial newsletter, which requires separate consent.
Each processing activity must rely on one of the six legal bases listed in Article 6 of the GDPR. The most common error observed during audits is the systematic recourse to consent as the legal basis, when another basis (performance of a contract, legal obligation) would be more appropriate and more robust. Consent must be freely given, specific, informed and unambiguous; it cannot be a pre-ticked box.
At the same time, the information obligations provided for in Articles 13 and 14 of the GDPR must be checked. Is your privacy policy accessible, readable, complete? Does it mention the retention periods? Are the rights of individuals (access, rectification, erasure, portability, objection) clearly indicated together with the means of exercising them? These notices must appear at each point of collection: web form, mobile application, contract signed at the point of sale.
The GDPR requires that any relationship with a processor that processes personal data on your behalf be governed by a Data Processing Agreement (DPA), in accordance with Article 28 of the GDPR and Article 96 of the French Data Protection Act. This contract must define the subject matter of the processing, its duration, its nature and purpose, the types of data processed, the processor's security obligations, and its obligation to act only on the controller's instructions.
The typical processors of a digital SME include: the website host, the emailing solution (Mailchimp, Brevo, etc.), the CRM tool (HubSpot, Salesforce, etc.), the payment provider (Stripe, PayPal, etc.), and the audience analytics tools. The absence of a DPA with one of these providers constitutes a clear breach. The audit must verify that these contracts exist, that they are up to date, and that they cover all the processing actually carried out.
Article 32 of the GDPR requires the implementation of appropriate technical and organisational measures to ensure a level of security adapted to the risk. It is on this basis that France Travail was penalised in January 2026 with a fine of 10 million euros, that several operators were sanctioned at the end of 2025, and that the CNIL recalled in its recent decisions that a breach of the security obligation may be established independently of any data breach actually having occurred.
The audit must therefore focus on the security measures in place: encryption of sensitive data, management of authorisations and access, password policy, access logging, data backup, incident management. For more advanced structures, penetration tests or code audits may be commissioned. These technical documents may also constitute evidence in the event of an inspection.
Certain processing activities that are particularly risky for the rights and freedoms of individuals must be the subject of a Data Protection Impact Assessment (DPIA), provided for in Article 35 of the GDPR. This is notably the case for processing relating to sensitive data (health, ethnic origin, political opinions, etc.), processing involving systematic large-scale monitoring, or scoring and profiling processing. The CNIL publishes a list of the types of processing that systematically require one.
If a DPIA is necessary and has not been carried out, this constitutes a specific breach. The DPIA must describe the processing, assess its necessity and proportionality, identify the risks to the rights of individuals, and specify the measures envisaged to address them.
Since the 2018 reform, the CNIL has had strengthened enforcement powers. In 2025 and 2026, it imposed several dozen administrative penalties, some of them very significant. The decisions handed down in January 2026 against several telecom operators and service providers show that the absence of adequate security measures remains the main ground for penalties. These decisions also specify that a breach of the security obligation may be established independently of any data breach actually having been found, which is a strong signal sent to companies: do not wait for an incident to act.
In addition to financial penalties, the CNIL may issue compliance orders accompanied by periodic penalty payments, formal notices, or even the temporary restriction of processing, which may lead to the interruption of a commercial activity. It may also publish its penalty decisions, which constitutes considerable reputational harm. In criminal matters, Article 226-16 of the French Criminal Code penalises certain violations of the GDPR with up to 5 years' imprisonment and a fine of 300,000 euros.
Let us take the example of an e-merchant who runs a site on Shopify or PrestaShop, uses Mailchimp for newsletters and Stripe for payments. An audit typically reveals the following points:
This very common non-compliance profile exposes the company to a fine that may exceed several tens of thousands of euros and to a compliance order. Correction generally takes 2 to 3 months with appropriate legal support.
A startup that markets SaaS software to companies often plays a dual role: data controller for its own users (team, sales staff), and processor with respect to its customers who entrust it with the data of their own customers or employees. This dual status is often poorly understood and poorly governed contractually.
The audit must verify that the general terms and conditions (GTC) and the customer contracts incorporate processing clauses compliant with Article 28 of the GDPR, that the data of your customers' customers is properly segregated, and that specific security measures (encryption, isolation of test environments) are implemented. Neglecting this point exposes the startup to actions for contractual liability from its own customers.
Table legend: Mandatory; Conditional / likely; Depending on the activity; Not mandatory.
This table is indicative. The exact obligations depend on your activity and the processing carried out. In case of doubt, consult a data protection officer or the CNIL documentation.
The designation of a Data Protection Officer (DPO), provided for in Article 37 of the GDPR, is mandatory in three situations: for public authorities, for organisations whose core activity consists of large-scale processing requiring regular and systematic monitoring of data subjects, and for those that process so-called sensitive data (health, religious beliefs, biometric data, criminal offences, etc.) on a large scale.
Outside these cases, the designation of a DPO remains strongly recommended. The DPO may be an internal employee or an external provider. They must have the necessary legal and technical knowledge, be independent in the exercise of their duties, and have sufficient resources. The CNIL maintains a public register of designated DPOs. Since 2024, it has increasingly checked during its inspections whether structures subject to the obligation have indeed made this designation.
The firm Mirabile Avocat works alongside company directors, e-merchants, startups and SMEs at every stage of the GDPR compliance process. Our approach is both legal and operational: we do not produce unworkable deliverables, but concrete action plans adapted to the reality of your structure.
We carry out a documentary and operational audit covering all of your organisation's processing activities. This audit results in a detailed report identifying the non-compliances in order of criticality, the associated legal risks, and the priority corrective measures. This report is directly usable and constitutes evidence of your good faith in the event of an inspection.
The firm handles the drafting or updating of your privacy policy, your legal notices, your record of processing activities and your data processing agreements (DPAs) with your processors. We also check the legal validity of your consent-collection mechanisms, in particular regarding cookies, in compliance with the CNIL's recommendations.
In the event of a CNIL inspection, a complaint filed by a user or a formal notice, the Mirabile firm assists you at every stage: preparation of responses to the supervisory authority, organisation of the compliance process within the required timeframes, representation before the competent authorities, and if necessary, litigation before the administrative or civil courts.
GDPR compliance does not lie solely in the documents. It also relies on the daily practices of your staff. The firm offers awareness sessions tailored to your sector and your size, to make data protection an integrated reflex in your corporate culture.
Good to know (practical example): an SME in the digital health sector contacted us after receiving a formal notice from the CNIL. In less than six weeks, we set up the record of processing activities, formalised the DPAs with three processors, drafted a new privacy policy and brought the consent mechanisms into compliance. The CNIL closed the procedure without penalty.
In 2026, the European supervisory authorities and the CNIL have clearly signalled their intention to strengthen the enforcement of the GDPR, including towards VSEs and SMEs. The penalties imposed in recent months confirm this: compliance is no longer reserved for large companies. It applies to any structure that collects, processes or stores personal data, whether it is an e-merchant, a startup, a craftsperson, a professional or an association.
The GDPR audit is the indispensable first step. It allows you to know where you stand, to act as a priority on the most significant risks and to document your process so that you can account for it. It is also a strong signal sent to your customers and partners: that of an organisation that takes seriously the protection of the data entrusted to it.
The firm Mirabile Avocat is at your disposal to assess your situation, carry out your compliance audit and support you over the long term in managing your obligations under the GDPR and digital law.
To learn more
The GDPR audit is a snapshot of the organisation's situation in light of the requirements of the European regulation and of the French Data Protection Act. It assesses the level of compliance, identifies the gaps and guides the corrective actions to be put in place.
In 2026, GDPR compliance is an obligation enforced with growing vigour by the CNIL. The audit makes it possible to know where the organisation actually stands, to identify breaches and to reduce the risk of penalty before a possible inspection.
The penalty imposed on France Travail in January 2026, namely a 10 million euro fine for breach of Article 32 of the GDPR, is a reminder that even large organisations are not immune. It illustrates the growing vigour of inspections.
The GDPR audit examines the processing activities, the register, the legal bases, the information of individuals, data security, the management of rights and the documentation. This complete review measures compliance and identifies the priority corrective actions.
Yes. For private companies, VSEs, SMEs, startups and e-merchants, the question is no longer whether to comply, but where the organisation stands. The GDPR audit responds precisely to this need for assessment, whatever the size.
At the end of the audit, the organisation has a review of the situation and a plan of prioritised corrective actions. The implementation of these actions makes it possible to close the gaps identified and to raise the level of GDPR compliance.
Yes. By identifying breaches before an inspection, the audit makes it possible to correct them and to demonstrate a compliance process. This reduces the risk of a penalty from the CNIL, whose fines can reach high amounts.
A lawyer helps to carry out a complete GDPR audit, to interpret the gaps in light of the regulation and the French Data Protection Act, and to structure the action plan. This support secures compliance and limits the risk of penalty.