UK General Data Protection Regulation (UK GDPR)

UK GDPR data protection audit: checklist


Conducting a data audit is fundamental in ensuring your compliance with the UK General Data Protection Regulation (UK GDPR).

What is a data mapping audit?

A data audit or data mapping exercise simply involves taking the time to think about and document what personal data your business holds and how you use it. All businesses should be able to perform a data mapping audit. It is unlikely that you will need a solicitor or a specialist consultant to help you with this.

The checklist below may help break down the key steps in the process. It serves as a starting point rather than an exhaustive list of actions.

How to perform a data mapping audit?

To conduct an audit, you should ask yourself several key questions about the data you hold and document your findings. Things you should consider include:

What types of personal data do you hold?

List the categories of data subjects and any personal data you collect. For example, current employee data, past employee data, customer data, marketing database, CCTV footage, etc. Segment this data by type, eg people's names, addresses, purchasing history, online browsing history, images etc. Determine if you hold just personal data, or does some of it fall under the category of sensitive personal information? Do you collect and process children's data?

Why do you hold this data?

List the purposes for which you collect and retain this data. For example, marketing, service improvements, product development, human resources, systems maintenance, etc. Consider what you do with the data? Do you use it at all? Do you need it? Can you show what you use it for? Establish the exact purpose and the lawful basis for processing of personal data (eg consent, contract, legal obligation, etc).

How did you collect this data?

List the sources of personal data. For example, did you collect it directly from individuals or third parties? Can you show the different methods you used to collect data? Do you have a documented consent / opt-in? Have you communicated your privacy policy to data subjects?

How do you store it?

Can you show how and when you collected the data? Can you document where you store it? How do you protect and access it? How secure is the data, both in terms of encryption and accessibility?

What do you do with this data?

How do you process it? Do you share it with anyone? Why do you share it? Do you transfer personal data outside of the UK?

Who owns and controls the data?

Are you a controller or processor of the data? Who has access to it (internally and externally)? What safeguards do you have in place with your processors?

How long do you keep the data for?

Check your retention and deletion periods. What justification do you have for the length of time you retain it? What is your process for deleting data?

What do you need to do to make your data processing GDPR compliant?

List actions that you should do to ensure your processing is compliant with the legislation. For example, you may need to delete data that has exceeded your retention period or data you have collected unlawfully.

It may help to put all this information in a spreadsheet or a word document. You can include specific headings for each of these considerations.

Data audit templates

The Information Commissioner's Office (ICO) has developed basic templates to help you document your processing activities. You can also use this to help you carry out information audits or data-mapping exercises:

Documenting the audit will help you compile evidence and records on your compliance efforts, and may be useful in meeting the UK GDPR's accountability principle. Remember to keep your records up to date to ensure they reflect your current processing activities.

This guide does not constitute legal advice and is provided for general information purposes only.