Data privacy audit checklist – how to compile one

8 things to remember when conducting a data privacy audit

Data privacy is at the top of the agenda as companies strive to comply with regulations such as the EU General Data Protection Regulation (GDPR). At a time when firms are collecting vast amounts of information, data privacy audits assess whether organisations are in a good position to win customers’ trust and meet their regulatory obligations.

Data privacy audits offer valuable insight into how to improve data handling practices, says Robert Grosvenor, managing director in the Disputes and Investigations practice at professional services firm Alvarez & Marsal. “Ultimately, this helps support better data governance and trust at a time when good data management is critical to business strategy.”

The benefits of conducting a data privacy audit are clear, so what do you need to remember?

#1 – Define a clear purpose and scope

There are a number of options available, so it’s important to determine the audit’s purpose and scope, says Camilla Winlo, head of data privacy at professional services consultancy Gemserv.

Grosvenor agrees. In some cases, it might make sense to undertake a “collaborative less formal health-check or assessment” of the privacy function, he advises. “A practical roadmap for improvement can then be laid out with the goal of proactively engaging stakeholders and making them aware of the importance of data privacy.”

#2 – Outline criteria and a methodology

A data privacy audit requires criteria and a methodology. “It may be possible to audit against a third party standard such as ISO 27701 – or it might be necessary to create a bespoke audit plan drawn from requirements set out in documents such as policies, procedures and contracts,” says Winlo.

Once the audit criteria are determined, firms should consider the evidence they need to review and think about how they will collect it. This might include sample checks, interviews, documentation reviews and tests, Winlo says. “The auditor will need to review enough evidence to know whether the processing activities always, sometimes or never conform to the requirements. Where they don’t conform, organisations need to assess how significant the gap is.”

#3 – Know what data you have and what you use it for

When conducting a privacy audit, it’s important to identify the data you have, where it is stored and what you use it for. “Once you know what data you have, you need to establish where you got it from,” says Nigel Jones, co-founder, Privacy Compliance Hub. “Then you can work out what rights you have in relation to it; what you do with it; where you keep it; how long you keep it; and what happens when you no longer need it.”

This basic inventory will form the basis of the rest of your audit as well as your Record of Processing Activities (ROPA), he says.

But there is no point keeping data safe within your own organisation if you then share it with others who do not respect it, Jones points out. “Make sure you have a list of all organisations you share information with; have agreements in place with all of them; and be ready to demonstrate why you think they are safe to process data.”

GDPR compliance requires that data is only used for the purpose it was collected for, so you’ll need to prove your business has committed to this principle, says Jamie Akhtar, CEO and co-founder of CyberSmart.

On top of this, you’ll also need to establish how your business protects data and ensures its accuracy, he adds.

#4 – Don’t overlook shadow data

When conducting the audit, don’t forget “shadow data” – the information typically extracted from enterprise systems into a spreadsheet or database and used by teams within the business.

“This type of information, which can be personal and sensitive, will often fall outside of other data privacy and security controls,” says Darren Wray, head of data protection solutions by Guardum at DFIN and author of The Little Book of GDPR: Getting on the Path to Compliance.

#5 – Think about business processes and staff awareness

When auditing, it’s not just about the data itself: firms should consider the business processes and take into account staff awareness of compliance and privacy issues, says Wray.

Training is a key factor, he says. “Make sure there is a process to raise staff awareness and that all staff – including the executive team – undergo the training.”

#6 – Focus on consent

Obtaining consent is absolutely crucial when handling data and ensuring compliance. Active and ongoing consent is the key to GDPR compliance, but simply using cookies to manage pop-up acknowledgements “won’t cut the mustard”, says Russell Howe, VP EMEA, Ketch. “Instead, you need clear, contextualised consent mechanisms that allow users to understand and control exactly what data is collected and how it’s controlled.”

Organisations need to establish whether the business has lawful grounds for processing the data, says Akhtar. “You’ll also need to show how you obtain consent from customers for the use of their data.”

Firms need to be able to provide evidence of how consumers can access their data if they submit a subject access request. At the same time, businesses should be able to demonstrate compliance with subjects’ right to erase their data, says Akhtar.

#7 – Document everything

Organisations need to ensure they are documenting everything. This will provide the ability to prove your data protection credentials if the need arises.

The GDPR requires “verifiable compliance”, says Howe. “Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators. It will also make it far easier to get penalties reduced or waived if you or your partners slip up.”

#8 – Data security and data breaches

Under GDPR, firms need to be able to demonstrate the business’ technical security credentials, including how they protect data physically and digitally, how they back it up, and how they anonymise it.

At the same time, firms should be able to prove the business has a robust incident response plan in place in case of a data breach. “This includes notifying the authorities, documentation and insurance,” says Akhtar.
