
Tech Due Diligence SEC-5: Data Privacy and GDPR Compliance

What This Control Requires

The assessor evaluates data privacy practices, including GDPR compliance readiness, data processing agreements, consent management, data subject rights implementation, data retention policies, and cross-border data transfer mechanisms.

In Plain Language

GDPR non-compliance carries fines of up to 4% of global annual turnover, but the real cost is often the damage to customer trust and brand reputation. If you operate in or serve customers in the EU, privacy compliance is not optional, and DD reviewers treat it accordingly.

We look at whether your company has a clear legal basis for each category of personal data processing, how data subject rights are implemented in practice (access, deletion, portability, rectification), whether consent management meets GDPR requirements, the state of your data processing agreements with sub-processors, cross-border data transfer mechanisms, data retention policies and whether they are technically enforced, and whether privacy-by-design principles are part of how you build product.

For SaaS products, we pay particular attention to multi-tenancy privacy concerns. Can customer data be exported on request? Is data deletion complete and verifiable? Is the product's data processing documented clearly enough for your customers to fulfil their own GDPR obligations?

How to Implement

Maintain a Record of Processing Activities (ROPA) that documents every personal data processing activity: categories of data processed, purposes, legal basis for each purpose, data recipients and sub-processors, retention periods, and technical and organisational measures in place.

Build data subject rights directly into the product. Users should be able to export their personal data in a machine-readable format (right of access), request deletion with both soft and hard delete capabilities (right to erasure), correct their personal data (right to rectification), and export data in common formats like JSON or CSV (right to data portability).

Where consent is your legal basis for processing, implement it properly. Consent must be freely given, specific, informed, and unambiguous. Record when and how consent was obtained, make withdrawal easy, and never pre-check consent boxes.

Review and maintain Data Processing Agreements (DPAs) with all sub-processors. Keep a current sub-processor list and notify customers when it changes. Make sure DPA obligations flow through the entire processing chain.

Enforce data retention policies technically, not just on paper. Configure automated deletion or anonymisation when retention periods expire. Remember that backups are also subject to GDPR - stale personal data sitting in old backups is still your responsibility.
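One way to make a retention policy technically enforced rather than a paper statement is a scheduled job that walks stored records, compares each one's age against the retention rule for its category, and either deletes or anonymises it. The following is an added example written for this page, not AuditFront's code; the retention schedule, record layout and sample records are all constructed for illustration. It also flags records whose category has no retention rule, so a gap in the ROPA surfaces in the audit log instead of being silently retained forever.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention schedule (constructed for this example): category -> (max age, action).
# "anonymise" is used where a legal basis (e.g. bookkeeping) requires keeping the
# transaction record but not the identity attached to it.
RETENTION_SCHEDULE: Dict[str, Tuple[timedelta, str]] = {
    "support_ticket": (timedelta(days=365), "delete"),
    "order": (timedelta(days=365 * 7), "anonymise"),
    "marketing_lead": (timedelta(days=90), "delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_email: Optional[str]   # the personal-data field this example governs
    created_at: datetime


def anonymise(record: Record) -> Record:
    """Strip the identifying field but keep the rest of the record."""
    return replace(record, subject_email=None)


def apply_retention(records: List[Record],
                    schedule: Dict[str, Tuple[timedelta, str]],
                    now: datetime) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Apply the schedule once. Returns (records to keep, audit log of decisions).

    Records past their retention period are deleted or anonymised according to
    the schedule; records in a category with no rule are kept but logged as a
    policy gap so the omission is visible to whoever reviews the job output.
    """
    kept: List[Record] = []
    log: List[Tuple[str, str]] = []
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            kept.append(rec)
            log.append((rec.record_id, "kept:no-retention-rule"))
            continue
        max_age, action = rule
        if now - rec.created_at <= max_age:
            kept.append(rec)
            log.append((rec.record_id, "kept"))
        elif action == "delete":
            log.append((rec.record_id, "deleted"))
        elif rec.subject_email is None:
            kept.append(rec)                     # already anonymised on an earlier run
            log.append((rec.record_id, "kept:already-anonymised"))
        else:
            kept.append(anonymise(rec))
            log.append((rec.record_id, "anonymised"))
    return kept, log


# Constructed sample data: a fixed "now" keeps the run reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("t1", "support_ticket", "a@example.test", NOW - timedelta(days=400)),
    Record("t2", "support_ticket", "b@example.test", NOW - timedelta(days=10)),
    Record("o1", "order", "c@example.test", NOW - timedelta(days=365 * 8)),
    Record("l1", "marketing_lead", "d@example.test", NOW - timedelta(days=91)),
    Record("x1", "unknown_category", "e@example.test", NOW - timedelta(days=3000)),
]


def run_retention_job() -> Tuple[List[str], Dict[str, str]]:
    """Run the schedule over the sample data; returns kept ids and the decision log."""
    kept, log = apply_retention(SAMPLE_RECORDS, RETENTION_SCHEDULE, NOW)
    return [r.record_id for r in kept], dict(log)


if __name__ == "__main__":
    kept_ids, decisions = run_retention_job()
    print("kept:", kept_ids)
    for record_id, decision in decisions.items():
        print(f"{record_id}: {decision}")
```

The job is idempotent: an order anonymised on one run is recognised as such on the next rather than logged as a fresh action. The same decision log is the kind of artefact a reviewer can accept as "evidence of technical implementation" for the retention policy; the backup copies of these records are a separate problem, addressed in the FAQ below.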

If data is transferred outside the EU, ensure appropriate mechanisms are in place: Standard Contractual Clauses (SCCs) with transfer impact assessments, processing within EU/EEA data centres where possible, and clear documentation of any derogations you rely on.

Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities such as large-scale processing of sensitive data, automated decision-making, or systematic monitoring.

Evidence Your Auditor Will Request

  • Record of Processing Activities (ROPA)
  • Data subject rights implementation documentation and evidence of functionality
  • Consent management implementation evidence
  • Sub-processor list and Data Processing Agreements
  • Data retention policy and evidence of technical implementation

Common Mistakes

  • No Record of Processing Activities maintained
  • Data subject deletion requests result in soft delete only; data persists in databases and backups
  • Consent mechanisms do not meet GDPR requirements (pre-checked boxes, bundled consent)
  • Sub-processor list not maintained; no DPAs with key vendors
  • Cross-border data transfers occurring without appropriate safeguards

Related Controls Across Frameworks

Framework    Control ID   Relationship
GDPR         Art.5        Related
GDPR         Art.17       Related
ISO 27001    A.5.34       Related

Frequently Asked Questions

Do we need a Data Protection Officer (DPO)?

A DPO is legally required if your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. Even if it is not mandatory for you, having a DPO or equivalent privacy function signals maturity and is viewed positively in due diligence.

How should we handle data deletion requests for data in backups?

This is a genuinely tricky problem. There are a few acceptable approaches: exclude deleted data when restoring from backups by maintaining a deletion registry, implement crypto-shredding (destroy the encryption key for the deleted data), or accept that backup data will be overwritten within the backup retention period and document this clearly in your deletion procedures. Pick the approach that fits your architecture and be transparent about it.
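The first two approaches above combine well, and the added example below (written for this page, not AuditFront's code) shows them together: every data subject's personal data is encrypted under a per-subject key held outside the data store, erasure destroys that key (crypto-shredding) and records the subject in a deletion registry, and a backup restore consults the registry so erased subjects are not resurrected. Even if a raw backup row were copied back without going through the restore path, it cannot be decrypted once the key is gone. The key vault, store, cipher and sample subjects are all constructed; the cipher is a SHA-256 counter-mode keystream used only so the example runs on the standard library, and in a real system it would be AES-GCM or another authenticated cipher from a vetted library.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Set, Tuple

Row = Tuple[bytes, bytes]   # (nonce, ciphertext) as stored and as captured in backups


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream. Symmetric, so the same call
    encrypts and decrypts. Illustrative stand-in for a real AEAD cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyVault:
    """One data-encryption key per data subject, stored apart from the data and
    never included in data-store backups. Deleting the key is the erasure."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def has_key(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def shred(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)


class PersonalDataStore:
    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.rows: Dict[str, Row] = {}
        self.deletion_registry: Set[str] = set()   # consulted on every restore

    def write(self, subject_id: str, plaintext: str) -> None:
        nonce = secrets.token_bytes(16)
        key = self.vault.key_for(subject_id)
        self.rows[subject_id] = (nonce, _keystream_xor(key, nonce, plaintext.encode()))

    def read(self, subject_id: str) -> Optional[str]:
        """None if there is no row, or the row exists but its key was shredded."""
        row = self.rows.get(subject_id)
        if row is None or not self.vault.has_key(subject_id):
            return None
        nonce, ciphertext = row
        return _keystream_xor(self.vault.key_for(subject_id), nonce, ciphertext).decode()

    def snapshot(self) -> Dict[str, Row]:
        """A backup: ciphertext only, keys are not part of it."""
        return dict(self.rows)

    def erase(self, subject_id: str) -> None:
        """Right to erasure: drop the live row, shred the key, register the subject."""
        self.rows.pop(subject_id, None)
        self.vault.shred(subject_id)
        self.deletion_registry.add(subject_id)

    def restore_from_backup(self, backup: Dict[str, Row]) -> List[str]:
        """Restore rows from a backup, skipping subjects erased since it was taken."""
        restored: List[str] = []
        for subject_id, row in backup.items():
            if subject_id in self.deletion_registry:
                continue
            self.rows[subject_id] = row
            restored.append(subject_id)
        return restored


def demo() -> Dict[str, object]:
    """Walk through write, backup, erasure and restore with constructed subjects."""
    store = PersonalDataStore(KeyVault())
    store.write("alice", "alice@example.test")
    store.write("bob", "bob@example.test")
    backup = store.snapshot()                 # taken before the erasure request
    store.erase("alice")
    restored = store.restore_from_backup(backup)
    store.rows["alice"] = backup["alice"]     # simulate a raw copy that bypassed restore
    return {"restored": restored,
            "alice_after_raw_copy": store.read("alice"),
            "bob": store.read("bob")}


if __name__ == "__main__":
    print(demo())
```

The registry protects the restore path; the shredded key protects against everything else, including the stale ciphertext that remains in old backups until they age out. Documenting both mechanisms, together with the backup retention period, is what a reviewer expects to see in the deletion procedure.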

AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready.