The Complete Guide to Conducting a GDPR and Data Protection Audit

25 March 2026

Most GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 compliance failures result from controls, records and day-to-day practices drifting out of line over time.

A well-run audit helps correct that drift.

It gives you a way to test what personal data you hold, why you hold it, who can access it, how long you keep it and whether your controls are still appropriate to the risks to it.

This matters because the GDPR is built around accountability. In other words, it’s not enough just to say that your organisation takes privacy seriously – you need to prove it through policies, records, measures and evidence that show how you manage data privacy compliance in practice.

What is a GDPR audit?

A GDPR audit is a structured review of how your organisation handles personal data and whether its controls, records and processes align with data protection law.

It examines governance, data flows, privacy notices, lawful bases, contracts, retention rules, individual rights handling, breach response and security measures.

It also sits within a wider accountability framework, and should feed into ongoing governance, risk management and improvement.

Who can conduct a GDPR audit?

Different parties can conduct a GDPR audit, depending on the size, maturity and risk profile of the organisation being audited. For example:

Internal teams

Many organisations conduct internal audits, led by the privacy team, compliance function, internal audit, information security team or a designated DPO (data protection officer).

This approach is often fast and cost-effective – internal staff tend to know the organisation and its systems, and can usually access key stakeholders more easily.

However, there is an objectivity trade-off: internal auditors can overlook inherited practices, accept weak controls as normal or lack the specialist experience needed to spot more subtle compliance failures.

External consultants

An external adviser brings independence, specialist knowledge and a broader view of privacy audit best practices.

This is often useful where the organisation has complex processing, operates in more than one jurisdiction, handles special category data, has recently changed systems or has already identified areas of concern.

An external auditor can also be useful where the board wants a more credible assessment than an entirely internal review can provide.

A hybrid approach

For many organisations, the best answer is a hybrid model: internal teams gather information, provide system access and manage remediation, and external specialists review high-risk areas, test assumptions and challenge gaps in documentation, governance or control design.

That model is often especially suitable for smaller organisations, which might not need a large formal project, but would still benefit from independent scrutiny in the areas that matter most.

Step by step: how to audit GDPR compliance

The most effective approach is to break the exercise into clear stages:

1. Define the scope

Start by deciding what the audit should cover. You might review the whole organisation, or focus on a business unit, processing activity, location, product line or high-risk data set.

Define the audit objectives clearly. For example:

  • Test whether processing records are complete and accurate.
  • Review whether lawful bases for processing are documented and appropriate.
  • Assess whether technical and organisational measures are appropriate.
  • Check whether data retention rules are being applied in practice.

2. Map personal data and processing activities

You can’t assess your GDPR compliance unless you know what personal data you hold and how it flows through the organisation.

Information audits or data flow mapping exercises help you review:

  • Categories of personal data.
  • Data subjects affected.
  • Data sources.
  • Systems, applications and storage locations.
  • Internal users and third-party recipients.
  • International transfers.
  • Retention periods.
  • Security controls around each processing activity.

3. Review lawful bases and transparency

Next, test whether each processing activity has a clear and defensible lawful basis. Review:

  • Whether the lawful basis selected is appropriate.
  • Whether special category conditions are identified where needed.
  • Whether privacy notices are accurate, current and intelligible.
  • Whether employee, customer and supplier notices match operational reality.

4. Test rights handling procedures

Processes must work in practice as well as on paper. Review how your organisation actually handles:

  • Data subject access requests.
  • Rectification requests.
  • Erasure requests.
  • Restriction, objection and portability requests where relevant.
  • Identity verification.
  • Internal escalation.
  • Response times.
  • Redaction and exemption decisions.

5. Assess security controls and risk measures

The GDPR requires controllers and processors to implement appropriate technical and organisational measures.

Review access control, user provisioning, password and multifactor settings, encryption, backups, vulnerability management, endpoint protection, logging, monitoring, incident response and supplier security assurance.

Also test whether these measures are documented, reviewed and applied consistently.

6. Review processors, suppliers and contracts

Personal data rarely stays within one organisation, especially where the business relies on software-as-a-service providers, outsourced HR platforms or marketing tools. Third-party processors often introduce security vulnerabilities that sit outside your direct control, so check:

  • Which processors handle personal data on your behalf.
  • Whether contracts contain the required data protection terms.
  • Whether due diligence was carried out before appointment.
  • Whether security and sub-processing arrangements are reviewed.
  • Whether international transfer risks have been considered where relevant.

7. Check policies, training and ROPAs

A mature audit should also review your supporting governance framework.

That includes your:

8. Validate findings and prioritise remediation

Once the fieldwork is complete, group findings by risk and impact. Some issues will require immediate action, whereas others can be scheduled as medium-term improvements. A useful audit output should distinguish between the following:

  • Missing controls.
  • Weakly designed controls.
  • Controls that exist but are not followed.
  • Documentation gaps.
  • Governance gaps.
  • Monitoring gaps.

Do I need a GDPR audit?

Almost certainly. If your organisation processes personal data at any meaningful scale, conducting regular audits is one of the most practical ways to test whether your privacy arrangements still reflect reality.

This is especially important where there have been changes to your processing activities, for example if you’ve introduced a new CRM or HR system, moved services to the cloud, expanded into new markets, changed software providers, started processing more sensitive categories of data, had complaints, incidents or near misses, or if your documentation hasn’t been reviewed for some time.

How much does a GDPR audit cost?

How much a GDPR audit costs depends on scope, complexity, sector, number of systems, number of locations, data sensitivity, international transfers, third-party reliance and the depth of testing required.

As a rough guide:

  • A basic internal review may mainly cost staff time.
  • A focused external review for an SME may sit in the lower thousands.
  • A broader multi-department assessment with remediation planning may cost materially more.
  • Specialist legal or technical input will usually increase the price.

However, the real question is not simply cost, but value.

A well-run audit can identify weak retention practices, poor vendor oversight, incomplete records, ineffective rights handling and under-documented security controls before they lead to complaints, incidents or regulatory scrutiny and enforcement action.

Data security and data privacy audit checklists

Below are two short data security and data privacy audit checklists. They shouldn’t replace a full review but are a useful starting point.

Data security audit checklist

A practical data security audit checklist should include the following points:

  • Access rights are role-based and reviewed regularly.
  • Privileged access is limited and monitored.
  • Multifactor authentication is enabled where appropriate.
  • Personal data is encrypted at rest and in transit where justified by risk.
  • Endpoints and servers are patched and protected.
  • Logs are generated, retained and reviewed.
  • Backups are tested and protected from unauthorised access.
  • Incident response procedures exist and are tested.
  • Breach reporting routes are clear.
  • Processor security controls are assessed before onboarding and during the relationship.

Data privacy audit checklist

A practical data privacy audit checklist should include the following points:

  • Records of processing are complete and current.
  • Personal data categories, purposes and recipients are mapped.
  • Lawful bases are identified and can be justified.
  • Privacy notices match actual processing activities.
  • Consent mechanisms are valid where consent is relied upon.
  • Rights request procedures are documented and evidenced.
  • Retention periods are defined and applied.
  • Deletion or anonymisation controls exist where data is no longer needed.
  • International transfers are identified and assessed.
  • DPIA triggers are understood and acted on.

Ready for a GDPR audit?

Our privacy audit services help you identify compliance gaps, reduce regulatory risk and strengthen accountability across your organisation and supply chain.

If you need independent support, speak to our team about a professional data protection review tailored to your organisation.

GDPR audit FAQs (frequently asked questions)

What is a GDPR audit?

A GDPR audit is a structured review of how an organisation processes, protects and governs personal data, and whether those arrangements align with data protection law and accountability requirements.

Who can conduct a GDPR audit?

A GDPR audit can be conducted by internal compliance, privacy or audit teams, by external consultants, or through a hybrid model that combines internal knowledge with independent expertise.

Do I need a GDPR audit?

Most organisations that process personal data benefit from a periodic audit, especially after major operational, technical or organisational change.

How much does a GDPR audit cost?

Costs vary widely depending on scope, size and complexity. A small review may cost a few thousand pounds, while broader multi-site or high-risk engagements may cost substantially more.