GDPR Information Audit. Where do you start?

GDPR: Start with an Information Audit

When you read through the GDPR requirements you’ll find that businesses have the obligation to document their processing activities. This is a new requirement under the GDPR. This can include documenting the purpose of your data processing, who you share you data with and your retention policy. Doing a GDPR Information Audit and/or data mapping exercise is a recommended way to find out what your (personal) data is and where it is.

What exactly is a GDPR Information Audit?

That sounds very interesting, but how to complete a GDPR information audit? Or a data mapping exercise?

When it comes to getting compliant with the GDPR, you want to carry out an information audit at the very  beginning.

Dependent on the size of your business, it is not that hard to perform a GDPR Information Audit. It may be tedious however! But just think, your business is made up of assets which includes the information that you hold. What if that data is stored in multiple places, is disorganised and unstructured, or is not fully accessible – how difficult is it to make these data assets work for your business? When you have to spend a lot of time looking for certain information in different places, that is a huge waste of time (and essentially money lost).

A GDPR Information Audit will help you identify how and where you need to store your information. Preferably in a central location, so everyone knows where the information can be found. Easily.

I’d like to point out that this obligation should not the only reason why you (however reluctant) carry out such an audit. Audits help your business to find out about problems that maybe you are not aware of. It can help to find ways of working with more efficiency. And as an extra bonus, it will also help provide a sense of confidence that your business is functioning well and that things run as smoothly as is possible!

Where do I start?

A good place to start is with asking yourself/ business the following questions.

What data are you collecting:

Before you can answer that you may need a little more information about what is personal data under the GDPR.

There are two categories: personal data and special category data.

Personal data is any data that can be used, directly or indirectly, to identify a person (data subject). This includes the standard things like name, address, phone number, email address but also IP address, CCTV images, etc.

Special category data is data that is more sensitive and therefore in need of more protection. It also requires making sure you have the appropriate extra legal basis to process such data. This data can include: racial/ ethnic origins, health information, political opinions, religious beliefs, union activity and sexual/ gender identify.

When you process data on someone under the age of 16, you will need parental consent and this needs to be reviewed/ managed appropriately.

Why do you use personal data:

Is there a purpose to the information you hold? Many businesses have accumulated and ‘hoarded’ information over the years with the thought that it may be useful at some point. Under the GDPR this is not allowed and all information you have needs to have a clear purpose for processing.

There is a Purpose Limitation principle which details that you must be clear from the outset why you are collecting data and what you intend to do with it. This also means that if you obtain data for a specific purpose, you can’t then use that data for other processing. For example, if you get an email address for receiving newsletters, you then cannot use that email address for direct marketing purposes.

Other questions you can ask are; do you use the data at all? Do you need it? Can you show what you use it for? Do you have a lawful basis for processing the information?

What types of information do you hold?

There will be several different categories of data subjects in your business. For example, your staff (current and past), clients, CCTV footage, suppliers, third parties.

How did you collect the data?

This is where you list how you obtained the information. Did you get it from the person directly? Or from a third party? Do you have consent for the data? What is the lawful basis for obtaining the data? Document this in your GDPR Information Audit.

Where are we storing and protecting personal data:

This means both geographically as well as through which method, for example email, documents, databases, backups, systems, etc

Data held on a server which is outside of the EEA has specific considerations. And is data held on paper archives? If so, how is that protected?

And when it is digital, where is it stored? Who has access to it and how is digital data protected? Is it password protected / encrypted / backed up?

How long do you keep data:

The GDPR states that data should not be kept longer than necessary. This means once it served its purpose and there is no longer a legal requirement to keep the data, you must securely dispose of the information. Do you have a justification for how long you retain personal data? What is your process for deleting data?

Who do we share data with:

There may be situations where you share your data with a third party. If that is the case, ask yourself whether that is necessary. Why do you share data? Is personal data transferred to outside the EEA? And do you have a contract for sharing data with the third party in place?

What approach can I take?

The best way to get this information and to make sure you find out about information that you, as business owner/ manager, may not be aware off, is to engage staff. Create a questionnaire you can distribute throughout the business and also talk to staff across the business. This way you get a full picture of all processing activities in your organisation, including data storage locations and process work arounds that are news to you. A GDPR Information Audit does not have to be complicated!

What are the next steps?

The GDPR information audit is the first step for GDPR compliance. It is the starting point of documenting your processing activities. In my next blog I will write more about the Accountability obligation under the GDPR and documenting your processing activities.

Next steps to consider:

  • Make sure you are registered with the ICO
  • Do a GDPR GAP Analysis (assess where your business sits with regards GDPR requirements)
  • Review your lawful basis for all your processing activities
  • If you rely on consent, review how you seek/record/manage consent
  • Document your processing activities
  • Put in place a Privacy Notice
  • Put processes in place to ensure Data Subject Rights
  • Ensure this includes Data Breach Processes and Data Subject Access Requests processes
  • Ensure someone is responsible for data protection in your organisation
  • Train your staff!

If you would like help getting started, please contact us for more information.


The information provided in this article and on this website is not legal advice. We would recommend to consult a solicitor if you need legal advice for definitive legal guidance or visit the ICO website for the Guide on GDPR.