GDPR, Swiss nFADP, retention periods, employee rights, sub-processing: an HR compliance audit spots gaps before a regulator (CNIL, PFPDT) or an employee complaint does it for you.
## Standard scope
| Section | Content |
|---|---|
| Data mapping | What data, where, for how long |
| Legal bases | Contract, legal obligation, legitimate interest, consent |
| Sub-processing | DPA contracts, EU/CH transfers, compliance |
| Employee rights | Access, rectification, erasure, portability procedures |
| Security | Encryption, access control, traceability, incident response plan |
| Documentation | Records of processing, DPIAs, IT charter |
## Step-by-step

1. **Scoping workshop**: scope, team, calendar. Half-day with HRD, CIO, DPO.
2. **Document collection**: privacy policy, processing register, vendor contracts, evidence of technical measures. 1 week.
3. **Interviews and tests**: verify that practice matches documentation. Access tests, exfiltration tests, user rights checks.
4. **Gap report**: list of gaps by severity (blocking, major, minor), priced and prioritised recommendations.
5. **Remediation plan**: quick wins (30 days), structural projects (3-6 months), governance (DPO, CISO, committees).
## FAQ

**How much does a compliance audit cost?**
Flat fee by organisation size (50, 200, 500, 1,000+ employees). Quote on the Premium Consulting page.

**Must we involve the in-house DPO?**
Yes, essential. The DPO is our main contact and co-builds the report.

**What about a DPIA?**
If you process sensitive data at scale (health, surveillance), a DPIA is mandatory. We support its drafting.

**What if a regulator audits us?**
The audit is significant proof of good faith if regulators come knocking. They value preventive efforts.
## See also: Process & tooling diagnosis

Learn how to measure HR digital maturity.
