
GDPR Audit: How to Run One Yourself and When to Bring in Help

By the Assured Cyber Protection team · Updated 2026 · Reviewed

A GDPR audit is the structured check that tells you whether your business is actually doing what data protection law requires, rather than assuming it is. For most small and medium UK organisations this is something you can start yourself with free tools from the regulator, and you only need to bring in specialist help for the parts that carry real legal or contractual risk. This guide walks through how to run a data protection audit, what to look at, and where the line sits between a sensible self-assessment and a job for an expert.

The pressure to get this right has gone up. The Data (Use and Access) Act has brought in a duty for organisations to handle data protection complaints properly, and the Information Commissioner’s Office (ICO) continues to expect businesses of every size to be able to show how they comply. An audit is how you build that evidence before anyone asks for it.

What a GDPR audit actually covers

A GDPR audit is not a single tick-box form. It is a review of how personal data moves through your business and whether each stage is lawful, secure and documented. In practice it covers six things:

  • What personal data you hold, where it lives, and why you have it.
  • Your lawful basis for processing each type of data.
  • How long you keep it and how you dispose of it.
  • Who you share it with, including suppliers and processors.
  • How you keep it secure, technically and organisationally.
  • How you handle people’s rights, such as access requests and complaints.

The point is to find the gaps between what your policies say and what your business actually does. That gap is where breaches and enforcement action come from.

Step one: know whether you are a controller or a processor

Before you assess anything, work out your role. You are a controller when you decide why and how personal data is processed, and a processor when you handle data on someone else’s instructions. Many businesses are both, depending on the activity, in which case you assess each role separately. This matters because the obligations differ, and the ICO’s self-assessment checklists are split along these lines.

Step two: build a data inventory and map the flows

You cannot protect or audit data you have not catalogued. The first real task is a data inventory: identify every place personal data sits, including local servers, cloud apps, email archives, paper files and staff laptops. Then map the flows, tracing each type of data from the point you collect it, through where it is stored and processed, to where it leaves your business.

This is the most time-consuming part and the most valuable. Most compliance failures trace back to forgotten data: an old spreadsheet of customer details, a marketing list nobody owns, a former supplier still holding records. The inventory surfaces these so you can decide what to keep, secure or delete.

Step three: use the ICO’s own tools

You do not need to invent the framework yourself. The ICO publishes a data protection audit framework covering the areas it looks at when assessing an organisation, along with downloadable trackers you can use to record findings and plan fixes. For smaller organisations, the ICO’s self-assessment for small business owners and sole traders is a faster starting point.

Work through the relevant checklist honestly, marking each area as in place, partly in place or missing. The output is a prioritised list of actions, which is exactly what you want to be able to show the regulator if a complaint or breach ever lands.

Step four: check your security controls

Data protection law requires “appropriate technical and organisational measures”, and an audit should test that yours exist and work. This overlaps heavily with cyber security: access controls, multi-factor authentication, patching, backups, encryption and staff training all count. Many of these are the same controls that underpin Cyber Essentials certification, so if you already hold that, you have evidence for part of the audit.

When to bring in help

Run the self-assessment yourself for the everyday picture. Bring in a specialist or a data protection officer when the stakes rise:

  • You process special category data such as health, biometric or criminal records.
  • You carry out large-scale or high-risk processing, which may require a formal Data Protection Impact Assessment.
  • A contract or tender demands documented compliance you are not confident you can demonstrate.
  • You have suffered a breach or received a complaint and need to respond correctly and on time.

In those situations the cost of getting it wrong, in fines, lost contracts or compensation claims, dwarfs the cost of expert advice. Our guide to who enforces GDPR in the UK explains the ICO’s powers and what enforcement actually looks like.

Make it a habit, not a one-off

A GDPR audit dates quickly because your data, suppliers and systems keep changing. Treat the first audit as the baseline, fix the priority gaps, then schedule a lighter review at least once a year and whenever you launch a new system or product. The businesses that cope best with a complaint or breach are the ones that can produce a current audit on request, not the ones scrambling to build one after the fact.

Frequently asked questions

Is a GDPR audit a legal requirement? There is no law that says “you must run an audit” by that name, but UK GDPR requires you to be able to demonstrate compliance and to have appropriate measures in place. An audit is the practical way to meet that accountability duty and to show the ICO you take it seriously.

Can a small business run a GDPR audit without a consultant? Yes. For most low-risk small businesses, the ICO’s free self-assessment checklists and audit trackers are enough to run a credible audit in-house. Bring in help only for high-risk processing, special category data, contractual demands or after a breach.

How long does a GDPR audit take? For a small business it can take from a day to a few weeks, depending mostly on how much data you hold and how scattered it is. The data inventory and flow mapping take the longest; once that exists, future audits are much quicker.

How often should you carry out a data protection audit? At least once a year, and additionally whenever you adopt a new system, supplier or product that changes how you handle personal data. Data, staff and tools change constantly, so a one-off audit goes stale fast.

What is the difference between a GDPR audit and a DPIA? An audit reviews your overall compliance across the business. A Data Protection Impact Assessment (DPIA) is a focused risk assessment for a specific high-risk activity, such as introducing new monitoring or large-scale profiling. You may run both, and an audit can flag where a DPIA is needed.
