Most GDPR audits do not fail because organisations do not care. They fail because the audit starts without a clear objective, focuses too heavily on paperwork, and does not test whether privacy measures actually work in practice.
That was the core message from our recent webinar, Magical Audits: Rethinking the GDPR Audit, where GDPR Register CEO and co-founder Krete Paal spoke with data protection expert and certified data ethics professional Rowenna Fielding about what meaningful GDPR auditing should really look like.
Webinar recap
In our webinar Magical Audits: Rethinking the GDPR Audit, Krete Paal and Rowenna Fielding explored what makes a GDPR audit useful in practice — and why so many audits fail to create meaningful change.
One of the biggest problems is that organisations often carry out audits because they feel they have to. But a “compliance audit” can mean very different things depending on whether the goal is appearance, risk management, internal quality, or real rights protection.
A recurring theme in the webinar was the gap between presentation and reality. When audits uncover issues, management may focus more on making findings look better than on fixing the underlying problem.
Many audits check whether a policy, notice, or process exists. Far fewer test whether those measures actually work. That means organisations often miss the real question: are people’s rights and freedoms being protected in practice?
Policies, notices, and records matter only if they are understood, used, and reflected in day-to-day decision-making. One practical tip from the session: ask people how they feel about the processes they work with, not just what they do.
For startups and smaller teams, the best starting point is often not a huge checklist. It is understanding what the business does, where personal data is processed, whether staff have meaningful awareness, and what the organisation tells people about data use.
One of the clearest messages from the webinar was this: before starting a GDPR audit, be clear about what you want it to achieve.
A meaningful audit is not just about whether documents exist. It is about whether your organisation understands its data practices, whether its controls work, and whether people are actually being protected in practice.
That is what makes an audit useful — not just complete.
Upskilling Privacy Professionals for Real-World Business Impact Privacy and AI work remain demanding, and the value of a privacy professional […]
FinTech Compliance & RegTech in 2026: Why Privacy and Compliance Must Be Built From Day One GDPR Register hosted its […]
