Protect your organisation from data protection risks and fines by completing a GDPR audit. Compliance is an ongoing data protection requirement and as organisations evolve, how they collect and use personal data changes. Audits can help you identify non-compliance or areas requiring improvement so you comply with data protection legislation.
We recommend organisations conduct GDPR audits annually to ensure they are up to date with compliance and changes relating to the use of personal data within the organisation.
Preparation at the start of any GDPR audit will save time. Reading this step-by-step guide to completing a GDPR audit will give you confidence that your GDPR audit will be thorough and support your ongoing data protection programme.
Take the uncertainty out of your next GDPR audit by following these steps
1. Understand the GDPR requirements
Familiarise yourself with the key aspects of the GDPR, including the relevant data protection principles, rights of data subjects, data processing requirements, and security measures. If this is a focused audit on a specific area, familiarise yourself with all the relevant GDPR requirements and any specific nuances for that type of processing or use of the personal data.
2. Form an audit team
Assemble a team with cross-functional expertise on the privacy areas you are assessing; for example, this may include someone from legal, data governance, AI, IT, HR, marketing, etc. A key member of this team should be your data protection officer or other person responsible for data protection compliance.
3. Conduct data mapping
Identify and document all data processing activities, including data collection, storage, and sharing across departments and systems. Understand which entities are responsible for data processing, both within your organisation and with third-party processors or other controllers.
4. Assess legal basis for data processing
Evaluate and ensure that the correct legal basis has been chosen for the processing of the personal data and make sure you comply with the specific requirements for using that legal basis. For example, if you rely on consent, make sure that consent is obtained in accordance with the GDPR and other laws if applicable, for example, the Privacy and Electronic Communications Regulations 2003 (PECR). Ensure details of the data processing being reviewed are added to the record of processing activities (also known as the ROPA).
5. Evaluate data subject rights compliance
Check that procedures are in place to handle data subject rights requests, and that individuals can easily exercise their rights. Ensure that your GDPR audit checks how data subject rights are applied in practice and how your organisation handles requests. Also review the policies, procedures and processes in place for handling data subject rights.
6. Review data processing agreements and GDPR clauses
Ensure that all contracts with third-party vendors who process personal data on your organisation’s behalf as a “processor” include GDPR-compliant clauses and full details of the personal data being processed. For any cross-border data transfers, ensure that appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, are in place.
7. Examine data breach management processes and procedures
Ensure that processes are in place for detecting and handling personal data breaches within the mandatory 72-hour time period. Review your organisation’s policies, procedures and templates and ensure these are tested regularly.
8. Review data retention policies
Ensure that personal data is retained for no longer than necessary and that there are clear data retention and deletion policies in place. Review whether these are followed and whether personal data is being deleted or anonymised when no longer needed.
9. Data protection by design and default
Ensure privacy is embedded into business processes. Review templates for data protection impact assessments (DPIAs). Check whether DPIAs are being carried out, reviewed and maintained so that they stay up to date. Review business processes to see when the need for a DPIA is highlighted and a DPIA undertaken. Check that by default only the minimum amount of personal data is being processed and that individuals have control over the use of their data where possible.
10. Train employees and raise awareness
Review any training requirements in place in relation to data protection and the GDPR. Check that the training is offered on induction and regularly thereafter, and that completion is tracked. Also check that employees who handle personal data in large volumes, or where the personal data is sensitive, receive enhanced GDPR training.
11. Document findings
Keep detailed records of your audit findings, actions taken, and areas for improvement. Document these in a report template with clear actions for the business areas that own any privacy risks which have been identified.
12. Prepare a remediation plan
Based on the audit findings, implement corrective actions to address any gaps or non-compliance issues. Assign owners for any privacy actions and make sure these are followed up to ensure that the privacy risks are mitigated.
By following these steps, you’ll ensure that your GDPR audit is thorough, compliant, and helps reduce the risk of non-compliance within your organisation.
Why not download our GDPR audit checklist?
With our free GDPR Toolkit you’ll find templates for you to customise during your GDPR audit. These will aid preparation of your own data protection programme. The documents do not constitute legal advice; if you’re unsure, we’re here to help.
If you’d like an impartial view and timely management of your GDPR audit, our expert team can provide tailored audits for your organisation, from short GDPR audits into an area of concern to full compliance audits of your organisation’s processing activities.
Contact us to discuss your requirements.
FAQs
How does my GDPR audit prove I’m compliant?
Completing a GDPR audit demonstrates that your organisation is aware of its data protection obligations and is actively documenting and managing them, alongside considering how it meets, or needs to meet, those requirements.
Which stakeholders should I share my GDPR audit with internally?
Typically, this will depend on your organisation. You may want to share the outcomes of the GDPR audit with the senior leadership team, IT and security colleagues and heads of departments, and of course your data protection officer or person responsible for data protection compliance should have access to the full audit details. We do, however, recommend sharing the GDPR audit first with the team the audit was carried out on, to give them a chance to confirm that the details in it are correct!
Can a GDPR audit be outsourced?
Yes, and sometimes this is better than an audit carried out internally: when HelloDPO carries out an audit, it is independent. Our team has the expertise and impartial point of view to conduct a thorough GDPR audit. If this is something you’d like support with, contact us so we can discuss your requirements.