GDPR Audit Checklist: What Does a Data Privacy Audit Include?

Myles Dacres

Read our GDPR audit checklist for completing a successful data compliance review.

Data Protection GDPR Audit

If your company wants to achieve and maintain GDPR compliance, a GDPR audit will ensure you are on the right track. This audit identifies vulnerabilities and pinpoints how your company and its employees can meet data protection standards.

In our last blog, we discussed what a GDPR audit is and how you can achieve compliance. Below, you will discover the most important areas to assess during an audit. 

GDPR Audit Checklist

Data Mapping

Identify and document the types of personal data you collect. Define the purpose for handling each data category and assess the lawful basis for processing. This systematic approach ensures transparency and compliance with Article 5(1) of the UK GDPR, listed below. 

Data Governance

When processing personal data, you must align with the six data protection principles which lie at the heart of the UK GDPR. In Article 5(1), personal data must be:

  • Processed lawfully, fairly and transparently.
  • Obtained for a specific, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes. (‘purpose limitation’).
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  • Accurate and, where necessary, keep up to date; promptly rectify or erase inaccurate information without delay (‘accuracy’).
  • Stored in a confidential format which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. (‘storage limitation’); and, 
  • Processed to ensure appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and accidental loss, destruction, and damage using appropriate technical or organisational measures (integrity and confidentiality).

Data Protection Officer (DPO) 

There are three instances where the UK GDPR requires companies to appoint a DPO.

They are as follows:  

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/ or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

There are also some occasions where an organisation may voluntarily appoint a DPO. A GDPR audit will determine whether you require a DPO and how a DPO can fulfil their responsibilities in line with Article 39 of the UK GDPR.

Roles and Responsibilities

It is considered best practice to outline the roles and responsibilities of those within your organisation. This includes examining what data protection training you’ve implemented and whether there are internal policies your employees should align to. 

Risk Management & Data Security 

The UK GDPR sets out a requirement for data controllers and processors to implement ‘appropriate technical and organisational measures’ for safely processing personal data. An audit will identify whether an organisation has any measures in place, these include but are not limited to encryption, role based access controls, policies and procedures and CCTV.

Data Subject Rights

Data subjects have seven qualified rights that they can exercise under the UK GDPR.

  • The right to be informed
  • The right of access, also known as a “subject access request” (SAR);
  • The right to rectification; 
  • The right to erasure; 
  • The right to restrict processing; 
  • The right to data portability; 
  • The right to object; and, 
  • Rights about automated decision-making and profiling

These rights must be responded to within one calendar month of receipt. It is your responsibility to have efficient processes for facilitating these requests to ensure the deadline is not missed.

There are also additional absolute rights that must be adhered to; these are:

  • The right to withdraw consent
  • The right to opt out of direct marketing

A GDPR audit will analyse whether an organisation has sufficient instruments in place to facilitate these requests.


A Privacy Information Management System (PIMS) is a framework that helps organisations systematically order documentation such as DPIAs, SARs and data protection policies. A PIMS also centralises your employee’s awareness training, helping organise your privacy practices. 

A PIMS must meet the standards set in ISO 27701, a British Standard for privacy information management. 


An Information Security Management System (ISMS) ensures you have appropriate security measures for protecting personal data in hard copy or on the cloud. ISO27001 outlines the requirements you need to meet to ensure compliance. 

As a leading ISO27001 auditor, Data Protection People will thoroughly examine your ISMS to see if you have safeguarding controls for personal information assets.

Need Help With Your GDPR Audit? 

Ensure your organisation is UK GDPR compliant with Data Protection People. Our independent auditors will conduct a detailed data protection audit so you can focus on what you do best. 

Contact the team to learn more about our GDPR audit service. 

Check our Data Protection Audit Guide here: