What Auditors Find And Why

Hosted by Caine Glancy and Catarina Santos

In this episode of the Data Protection Made Easy podcast, Catarina Pereira dos Santos and Catherine Santos discuss what GDPR auditors consistently find when assessing organisations. From retention failures and undocumented data processing to personal device usage and staff awareness, the session provides practical insight into the realities of data protection compliance and why audits should be viewed as opportunities for improvement rather than something to fear.


What Auditors Always Find, And Why: Lessons from Real GDPR Audits

Many organisations view GDPR audits as a compliance exercise, a checklist that confirms whether policies, procedures and documentation exist. In reality, effective audits go much further than simply reviewing paperwork.

In a recent episode of the Data Protection Made Easy podcast, Catarina Pereira dos Santos and Catherine Santos explored what GDPR auditors consistently uncover when assessing organisations and why the same issues continue to appear across different sectors.

The discussion covered retention failures, staff awareness, third-party management, personal device usage, governance gaps and the common misconception that having documentation automatically means an organisation is compliant.

Drawing on real audit experiences, the session highlighted how organisations can use audits to identify weaknesses, improve accountability and strengthen their overall approach to data protection.

For organisations looking to assess their compliance position, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services can help identify risks and support ongoing compliance.

A GDPR audit is more than a checklist

One of the first points raised during the discussion was that a genuine GDPR audit involves much more than reviewing documentation.

Catherine explained: “It’s not a checklist for sure.”

Whilst policies, procedures and records remain important, an audit should also assess how data protection operates in practice. This includes speaking with employees, understanding data flows and evaluating whether documented processes are actually being followed.

As Catherine highlighted, audits often provide an opportunity to understand how mature data protection is within an organisation and whether staff genuinely understand their responsibilities.

Simply having documentation in place does not automatically demonstrate compliance if employees are unaware of the processes they are expected to follow.

Documentation alone does not equal compliance

A recurring theme throughout the episode was the difference between having documentation and implementing it effectively.

The hosts discussed how organisations frequently present policies, procedures and registers during audits, only for employees to reveal that they have never seen them.

As Catherine explained, one of the most common responses during interviews is: “Do we have such a policy? I didn’t know.”

This creates a significant compliance risk. Policies are only effective if they are understood, communicated and embedded within everyday working practices.

An organisation may have an excellent Information Security Policy, Data Breach Procedure or Retention Schedule, but if staff are unaware of them, compliance becomes difficult to demonstrate in practice.

Why employee engagement matters

The discussion highlighted the importance of speaking with employees during an audit.

Unlike a gap analysis or documentation review, a GDPR audit should assess how data protection is understood and applied throughout the organisation.

Employees often provide valuable insight into how personal information is actually handled, revealing differences between documented processes and day-to-day reality.

These conversations can also act as informal awareness sessions, helping staff better understand their responsibilities and providing an opportunity to ask questions.

The hosts emphasised that compliance is not achieved through policies alone. It depends on people understanding what they need to do and why.

Retention remains one of the biggest audit findings

When discussing the issues they encounter most frequently, both hosts quickly identified retention as a recurring challenge.

Many organisations have retention policies in place, but implementation often tells a different story.

Employees may understand that records should be deleted after a certain period, yet the actual deletion process never takes place.

The discussion included examples of organisations retaining emails for decades, storing outdated information indefinitely and relying on manual deletion processes that are rarely followed consistently.

Without effective retention practices, organisations keep personal information for longer than necessary, contrary to the storage limitation principle, and every record held beyond its purpose is one more record in scope for a breach, a subject access request or a regulator's enquiry.

Third-party management is frequently overlooked

Another area highlighted during the discussion was third-party management.

Many organisations maintain supplier registers and records of processing activities, but auditors often discover inconsistencies when testing the information.

The hosts shared examples where organisations claimed to have Data Processing Agreements in place for all suppliers, only for further investigation to reveal unsigned templates or agreements that had never actually been implemented.

This demonstrates why auditors must test evidence rather than accept documentation at face value: for a sampled supplier, that means asking to see the signed and dated agreement, not the template.

Third-party relationships often represent significant compliance risks, particularly where personal data is being processed externally or transferred internationally.

The risks of personal device usage

The discussion also explored one of the most common findings in modern workplaces: employees using personal devices for business purposes.

As Catherine explained: “The organisation doesn’t know that some employees use their phones for work.”

This creates a range of challenges. Personal devices may contain customer information, contracts, emails or communications that are completely outside the organisation’s governance framework.

It can also create difficulties when responding to Subject Access Requests, managing retention periods and investigating incidents.

Without appropriate Bring Your Own Device policies and controls, organisations may struggle to understand where personal data is being stored and processed.

WhatsApp, shadow IT and hidden data flows

The hosts also highlighted the increasing use of WhatsApp and other informal communication tools.

Whilst these platforms may improve efficiency, they can also introduce governance challenges when organisations fail to formally recognise or manage their use.

Examples discussed included contractors using WhatsApp to share photographs, employees communicating with customers through personal devices and business information being exchanged through channels that are not covered by existing policies.

These hidden data flows can create significant compliance risks if organisations are unaware of how information is being processed.

Effective governance requires organisations to understand where personal information is being stored, shared and accessed, regardless of whether that activity takes place through official systems or informal channels.

Why people shouldn’t fear audits

One of the most interesting parts of the discussion focused on the perception of audits themselves.

Many employees view auditors as investigators looking for mistakes or individuals responsible for assigning blame.

The hosts acknowledged that the word “audit” often creates anxiety, particularly where organisations have recently experienced a breach or compliance issue.

However, they stressed that audits should be viewed as opportunities for improvement rather than exercises in criticism.

As Catarina explained when speaking to employees during audits: “I am not here to judge you.”

The purpose of an audit is to identify risks, highlight opportunities for improvement and help organisations strengthen their compliance position.

When approached positively, audits can provide valuable insight into how organisations handle personal information and where additional support may be needed.

Turning findings into action

Finding issues during an audit is only the beginning of the process.

The real value comes from understanding those findings, prioritising actions and implementing meaningful improvements.

The discussion highlighted the importance of clear reporting, practical recommendations and helping organisations understand where risks are most significant.

Not every finding represents a high-risk compliance issue. Some can be addressed quickly, whilst others may require longer-term planning and investment.

Effective audit reports should help organisations understand not only what needs to improve, but also where they should focus their efforts first.

Why audits are essential for accountability

Whilst UK GDPR does not explicitly require organisations to conduct annual audits, the discussion highlighted how audits support one of the most important principles within the legislation: accountability, the requirement not only to comply but to be able to demonstrate compliance.

Organisations must be able to demonstrate compliance. To do this effectively, they need mechanisms that test controls, assess risks and evaluate whether policies are operating as intended.

Audits provide an opportunity to challenge assumptions, verify compliance claims and identify gaps before they become larger issues.

Ultimately, the discussion reinforced that audits should not be seen as a negative exercise. They are an opportunity to learn, improve and build a stronger data protection culture.

Frequently Asked Questions About GDPR Audits

What is a GDPR audit?

A GDPR audit is a structured assessment of an organisation’s data protection practices, policies, procedures and operational controls to determine how effectively personal information is being managed.

Are GDPR audits legally required?

UK GDPR does not explicitly require annual audits, but audits are often used to support accountability obligations and demonstrate compliance.

What do GDPR auditors look for?

Auditors typically assess governance arrangements, policies, training, records management, retention practices, security measures, third-party management and employee awareness.

Why is retention often a common audit finding?

Many organisations have retention policies in place, but fail to consistently apply them in practice, leading to unnecessary retention of personal information.

Can an organisation be compliant if it has policies but employees do not follow them?

No. Compliance depends on policies being implemented effectively and understood by employees, not simply existing as documents.

What is the benefit of a GDPR audit?

A GDPR audit helps organisations identify weaknesses, strengthen controls, improve accountability and reduce the likelihood of compliance failures or data breaches.