GDPR Data Protection Audit
Part 1: General
1.1 What are the business’s objectives?
1.3 List any policies currently in place that relate to data protection and information security.
1.3.1 For each policy, state when it was last reviewed and/or updated and how often this is done.
1.3.2 For each policy, state how that policy is made available to staff.
1.4 Does the business provide fair processing notices to data subjects?
1.4.2 What format are the notices in?
1.4.3 When were the notices last reviewed and/or updated and how often is this done?
1.5.1 Have any changes recently been made to the business that relate to data protection?
1.5.2 Are any changes to the business currently taking place that relate to data protection?
1.5.3 Are any changes to the business planned that relate to data protection?
1.7 Does the business specifically comply with any data protection standards, e.g. BS 10012:2017 and ISO/IEC 27000 series?
1.11 Identify the senior staff within the business and answer the following:
1.11.1 Are senior staff fully aware of the business’s obligations under the GDPR?
1.11.2 Are senior staff fully aware of the rights and protections given to data subjects by the GDPR?
1.11.3 Are senior staff fully aware of the consequences and penalties for non-compliance?
1.12 Are meetings between senior staff held to discuss and assess data protection within the business?
1.12.1 If yes, are those meetings recorded? (If so, attach agendas, minutes etc. if available)
1.13.1 If not, does the business’s use of personal data require such registration?
1.13.2 If yes, when was the business’s registration entry last reviewed?
1.14 Does the business need a data protection officer under the GDPR?
1.14.1 Has a data protection officer been appointed? (Provide details of the data protection officer)
1.14.2 Is the data protection officer only responsible for data protection or do they have additional roles?
1.14.3 Does the data protection officer carry out regular audits? (If so, how frequently)
1.14.4 Are all (relevant) staff aware of the data protection officer and their role?
2.1 Do new projects that involve the use of personal data adopt a “privacy by design” approach?
3.1 Are all staff whose roles involve the use of personal data aware of their data protection responsibilities?
3.2 If any staff have questions about data protection, do they know who to ask? (See 1.14.4)
3.3.1 Are all staff trained or only those whose roles involve personal data?
3.3.3 Has the training provided to date covered the GDPR?
3.3.4 What form(s) does the training take? (Attach copies of training materials where possible)
3.4 If new staff are given induction training, does that training include data protection?
3.5 Are staff leaving the business made aware that personal data (including customer and employee data) remains confidential? At what point are they reminded of this?
4.1 Why does the business collect the personal data it collects? List each purpose separately.
4.2 Referring to the purposes listed under 4.1, is any personal data collected in order to comply with any specific legal obligations, standards, or similar?
Answer the following only if the business collects sensitive personal data.
4.3 Why does the business collect the sensitive personal data it collects? List each purpose separately.
4.4 Referring to the purposes listed under 4.3, is any sensitive personal data collected in order to comply with any specific legal obligations, standards, or similar?
4.5 For each purpose identified, which lawful basis for collecting and processing data applies?
4.6 Where data subjects’ consent is relied upon as the lawful basis for collecting and processing data, answer the following:
4.6.3 How are data subjects informed of their right to withdraw consent?
5.1 Refer back to 4.1. For each purpose identified, list the types of personal data collected for that purpose.
5.3.1 List the methods of data collection used.
5.3.3 If personal data is obtained from any third parties (e.g. mailing lists), identify those third parties on the list.
5.4 Is the business’s collection of personal data fair and in compliance with data subjects’ rights? Answer the questions below:
5.4.1 Are clear, accessible privacy notices (“fair processing notices”) available to data subjects at or before the point of data collection?
5.4.2 Are privacy policies, cookie policies, terms and conditions, and similar clear and easily accessible?
5.4.4 Are data subjects able to find out and access the personal data that you hold about them? Describe the method(s) by which this is done.
5.4.5 Are data subjects able to correct, or request the correction of, the personal data that you hold about them? Describe the method(s) by which this is done.
5.4.6 Are data subjects able to delete, or request the deletion of, the personal data that you hold about them? Describe the method(s) by which this is done (also see Part 10):
5.4.7 Are data subjects able to control (restrict) your use of their personal data? Describe the method(s) by which this is done.
5.4.8 Are data subjects able to transfer, or request that the business transfers, their personal data to another organization? Describe the method(s) by which this is done.
5.4.10 Does any processing of personal data carried out by the business involve automated decision-making? If yes, describe it.
5.5 Does the business transfer any personal data to third parties? If yes, answer the questions below:
5.5.1 List each third party to whom personal data is transferred (including their location). [If any third parties are located outside the EU or EEA, Part 8 must also be completed.]
5.5.2 For each third party in the list, list the type(s) of personal data transferred to them.
5.5.3 For each type of personal data in the list, state the purpose(s) for which that personal data is transferred.
5.5.4 For each third party in the list, either list the provisions of the business’s contract with that third party or attach a copy of the contract to verify compliance with the GDPR.
5.5.5 Are data subjects made aware that their personal data may be transferred to third parties and why?
6.1 Refer back to the list of purposes and personal data created for 4.1 and 5.1 [and 4.3 and 5.2 if sensitive personal data is collected]. For each item, answer the following:
6.1.2 Does the business have enough personal data to properly fulfil the purpose?
6.1.3 Is any of the personal data listed no longer relevant to a particular, legitimate purpose?
6.2 How often does the business review the following for ongoing adequacy and relevance?
6.2.2 Personal data currently held by the business.
7.1 Refer back to the collection methods identified under 5.3. For each, answer the following:
7.1.2 Is any of the personal data likely to need updating over time? If yes, what measures are in place to ensure that it is kept up-to-date?
7.2 Refer back to 5.5. If any personal data is transferred to third parties, answer the following:
7.2.2 How is the data kept up to date after transfer?
Refer back to the list of third party recipients under 5.5.1. If any of those recipients are located outside of the EU or EEA, answer the questions in this Part for each third party identified.
8.1 Which country or territory is the third party located in?
8.3 If the answer to 8.2 is “no”, what conditions are being relied upon and/or what arrangements are in place to ensure adequate levels of data protection?
8.4 What measures are in place to check that the arrangements referred to above are being complied with?
9.1 How many employees does the business have?
9.2 Does the business keep records of its data collection and processing activities? If yes, do the records include:
9.2.1 Details of your business (and other data controllers, where applicable)?
9.2.3 The purpose(s) for which personal data is collected and processed?
9.2.4 The type(s) of data collected and processed? (And do the records clearly distinguish between personal data, sensitive personal data, and non-personal data?)
9.2.7 Details of any third country transfers?
9.2.8 Details of how long personal data is retained?
10.1 Refer back to the list of personal data collected and purpose(s) created for 4.1 and 5.1 [and 4.3 and 5.2 if sensitive personal data is collected]. For each item, answer the following:
10.1.1 How is the retention period for the personal data determined?
10.1.2 Aside from the GDPR itself, is the business subject to any specific legal, regulatory, or other requirements that impose specific time limits on the retention of personal data?
10.1.3 Where is the retention period for the personal data documented?
10.1.4 How long is the personal data retained?
10.2 What procedures are in place within the business to review the retention of personal data and its ongoing relevance?
10.3 When personal data is deleted (or destroyed in the case of hard copies) – whether in response to a request from a data subject or because it is no longer required – what method(s) are used?
10.4 If personal data is retained for longer periods, what justifications apply and how is that data treated in order to prevent data subjects from being identified?
11.1 Refer back to the list of personal data collected and purpose(s) created for 4.1 and 5.1 [and 4.3 and 5.2 if sensitive personal data is collected]. For each item, note the physical form of storage and where the data is stored.
11.3 What physical measures are in place to control access to physical data records?
11.4 How is access to physical data records monitored and logged?
11.5 Are physical data stores checked regularly for missing items? If so, describe the procedure when a missing item is identified.
11.7 Refer back to the list of personal data collected and purpose(s) created for 4.1 and 5.1 [and 4.3 and 5.2 if
11.10 What physical measures are in place to control access to personal data stored electronically?
11.15 Does each individual in the business
11.16 Describe the rules and policies that apply to usernames and passwords.
11.17 Do all user accounts grant the same access privileges, or are different levels available? If so, describe the different levels.
11.18.1 Are access levels regularly reviewed?
11.18.1.1 If yes, how often and/or in what circumstances?
11.19 Are users able to access data remotely?
11.19.1 If so, what personal data is accessible remotely and by whom?
11.20 When a member of staff leaves the business, when and how is their access revoked?
The following questions relate to computers and devices provided by the business.
11.21 Are staff provided with laptops and/or other mobile devices by the business?
11.23.1 If yes, list the type(s) of personal data accessible.
11.24.1 If yes, list the type(s) of personal data stored.
11.25 Are laptops and/or mobile devices encrypted? If so, what type(s) of encryption is/are used?
The following questions relate to Bring Your Own Device (“BYOD”) devices.
11.26 Does the business allow staff to use their own devices for work purposes?
11.27 Does the business have a BYOD Policy in place?
11.28.1 If yes, list the type(s) of personal data accessible.
11.29.1 If yes, list the type(s) of personal data stored.
11.32 Are records kept of BYOD devices? If so, list the information included.
12.1 Are staff trained to identify data breaches? If so, is training given to all staff or to certain key personnel?
12.2 Are staff aware of the time limits for reporting notifiable breaches?
12.3 What procedures are in place for reporting data breaches internally?
Signature: