A checklist gets completed.
Red flags turn green.
A report is filed and circulated internally.
And six months later, nothing has meaningfully changed.
The organisation feels compliant.
The Data Protection Officer is overwhelmed.
And the actual risks to personal data remain exactly where they were.
This is the core problem with the traditional approach: it measures documentation, not effectiveness.
A modern GDPR audit should do much more than confirm that policies exist. It should evaluate whether those policies actually work in practice, reduce risk, and support accountable decision-making across the organisation.
This article — and the accompanying webinar — will help you move from checkbox compliance to a more practical, risk-driven approach that reflects how privacy operates in the real world.
Rowenna is a data protection and data ethics professional with over 14 years of experience across privacy, information security, and responsible data use.
As a certified data ethics practitioner, she focuses on helping organisations move beyond checkbox compliance toward practical, risk-based frameworks that genuinely reduce harm and improve decision-making.
She has worked with a wide range of organisations — from fast-growing tech companies to complex regulated environments — advising on audits, DPIAs, and LIAs, with a strong emphasis on quality over formality. Her approach challenges “paper compliance” by evaluating whether privacy measures are actually effective in practice.
Rowenna is the creator of the “Magical Audits” concept — a modern take on how organisations should approach privacy reviews. Her methodology focuses on decision-making quality, organisational competence, and real risk exposure.
Rather than treating audits as pass/fail exercises, she positions them as tools for continuous improvement and accountability.
She regularly works with DPOs, legal teams, and leadership, helping them identify hidden risks, improve the quality of DPIAs and LIAs, communicate risk in business terms, and turn compliance efforts into meaningful governance practices.
Her sessions are known for being practical, direct, and grounded in real-world experience, giving professionals frameworks they can immediately apply.
A GDPR audit is typically understood as a structured review of an organisation’s compliance with the General Data Protection Regulation.
In practice, this often includes reviewing policies and procedures, checking Records of Processing Activities (RoPA), verifying the existence of DPIAs and LIAs, assessing processor contracts, and evaluating security measures.
However, most audits stop at verification.
They answer questions like: “Does this exist?” and “Is this documented?”
But they rarely address what actually matters: “Is this effective?”, “Does this reduce risk?”, and “Would this stand up under regulatory scrutiny?”
A high-quality GDPR audit goes beyond existence and focuses on substance, context, and outcomes.
There are several structural reasons why the average audit fails to deliver real value.
First, there is an over-reliance on checklists. Checklist-driven audits prioritise completeness over quality, leading organisations to optimise for passing the audit rather than reducing risk. This results in “paper compliance” — where everything appears correct but lacks depth.
Second, many audits rely on binary thinking in a non-binary environment. Compliance is treated as done or not done, even though GDPR is inherently risk-based. A weak DPIA and a strong DPIA are often treated the same, despite vastly different risk implications.
Third, audits often fail to assess how decisions are made. Important questions are left unanswered: Were risks genuinely evaluated? Were trade-offs documented? Are decisions revisited over time? Without this, accountability cannot be measured.
Fourth, audits frequently ignore organisational reality. They are conducted in isolation from business operations, without considering incentives, constraints, or company culture. This leads to recommendations that are technically correct but practically ignored.
Finally, most audits are static. They represent a single moment in time, while privacy risk is constantly evolving. New vendors, new tools, and new data uses mean that a once-a-year review quickly becomes outdated.
To be effective, an audit must shift from documentation review to risk evaluation and governance assessment.
This requires a change in mindset.
Instead of asking “Do we have this?”, the better question is “Is this good enough, and does it actually reduce risk?”
This is the foundation of a more mature, outcome-focused approach — one that treats audits as part of an ongoing process rather than a one-time exercise.
A strong GDPR audit evaluates the quality of DPIAs and LIAs, not just their existence. It looks at whether risks are clearly identified, whether mitigation measures are meaningful, and whether the reasoning is defensible.
It also examines accountability in practice. Who is making decisions? Are responsibilities clearly understood? Is there a record of how and why decisions were made?
Organisational competence is another critical factor. Policies alone are not enough — teams need to understand data protection principles and apply them consistently in their work.
Vendor and supply chain risk must also be addressed more deeply. A modern approach goes beyond contracts and considers how third parties actually process data, whether risks are monitored continuously, and whether high-risk vendors are properly assessed over time.
Finally, continuous monitoring is essential. Privacy compliance cannot rely on periodic reviews alone. It requires ongoing updates, regular reassessment, and visibility into changing risks.
Platforms like GDPR Register support this shift by providing structured workflows, centralised documentation, and audit trails that enable continuous oversight rather than one-time validation.
One of the biggest challenges for DPOs is making audit outcomes relevant to decision-makers.
Compliance alone rarely drives action.
To create impact, audit findings need to be framed in terms of risk exposure, financial and reputational consequences, and customer trust.
Instead of saying: “We need to complete a DPIA.”
Say: “We have an unassessed high-risk processing activity that could expose the organisation to regulatory action and reputational damage.”
This shift turns the audit from a compliance exercise into a strategic tool.
On April 8th, we’re hosting a webinar for professionals who want to improve how they approach privacy reviews and compliance assessments.
Rowenna will share a practical framework for improving audit methods, real examples of ineffective versus effective approaches, techniques for evaluating quality, and ways to engage leadership in meaningful conversations about risk.
This session is designed for Data Protection Officers, privacy professionals, consultants, and compliance leaders who want to move beyond checkbox compliance and build more effective governance practices.
By attending, you’ll gain a clearer understanding of what makes an audit effective, practical tools to assess real compliance quality, a framework for continuous improvement, and greater confidence in challenging weak or superficial practices.
A GDPR audit should reduce risk — not just prove compliance.
If your current approach doesn’t influence decisions, uncover real issues, or lead to measurable improvement, it’s time to rethink it.
Join us on 8th April and learn how to make your audits actually matter.