How to do a GDPR business data audit

Updated 4th May 2018


There are only three weeks to go before the General Data Protection Regulation (GDPR) comes into effect, and there are businesses out there that are starting to feel stressed and perhaps a bit confused and overwhelmed by it. It becomes law on Friday 25th May 2018, and the biggest question I am hearing from small businesses is ‘What exactly am I supposed to do?’.

If GDPR is still new to you, I recommend you read this blog post first: ‘GDPR - What a small business can do’. It will help you understand what GDPR is, how it will work, what Personal Data is and why you must be compliant. The blog post has recently been updated with the latest information.

This blog post is going to concentrate on doing a business-wide data audit.

What exactly am I supposed to do?

The first thing your business needs to do to be GDPR compliant is a company-wide data audit, so that you better understand what data you hold, how you acquired it and what you do with it. You can start your data audit by answering these questions about the Personal Data you have already collected:

1. What data does your business hold?

Write a list of all the types of Personal Data you have, such as a person's name, email address, home address, social media posts, location, IP address, cookies, etc. Include existing customer details, mailing lists, blog comments, etc.

2. Why does your business hold that data?

You’ll need to know the reason why your business collected the data in the first place and be able to demonstrate how you use the data, so next to each type of data, write down why you have it.

3. How did your business collect that data?

Determine the methods (both online and offline) you used to collect the data, e.g. customer details from an online sale or an online signup form. Did your business make its Privacy Policy available when it collected the data?

4. When did your business collect that data?

Can the date the data was collected be identified, e.g. from a record of an online sale or the date someone subscribed to your newsletter?

5. Who is responsible for that data?

Have you assigned a Data Protection Officer in your business to look after GDPR or are you that person? Do they manage the Privacy Policy and any data processing agreements that your business enters into?

6. What does your business do with that data?

Consider the reason your business processed the data and why you need it. Can your business identify reasons why it still needs the data?

7. Where did the data your business collected come from?

Do you have evidence of where your collected data came from? Was it freely given by a customer or acquired by a third party?

8. How does your business store the data and is it secure?

Consider where the data is stored. Is your website secure and password protected? Is the data backed up and kept off-site or processed using a cloud-based application? Do the solutions you use have suitable data protection policies in place? Who has access to the data both inside and outside of your business? Is the storage solution encrypted? Is the backup of the storage encrypted?

9. Is the data your business collected correct?

Do you know if the data you have is correct, or is it out of date and needs updating?

10. Is the data you collected shared with a third party?

Does your business send the data to a third party for any reason? If so, why and how? Are the third-party companies GDPR compliant?

11. How long will your business hold the data?

How long do you need to keep the data you have and when do you plan to delete it? After six months? Five years? When a user unsubscribes?

12. How will the data your business collects be destroyed?

When you or a user decides to delete the data, how will it be erased? Will it also be erased from all backup solutions?

I understand that there are lots of questions to answer and for some of you this will be a big job. However, after you have answered these questions, you’ll be well on your way to understanding how to be GDPR compliant and why it’s important.

The next step will be how to make your website GDPR compliant. That will come in my next blog post very soon. Watch this space.


This guide is not legal advice and by using it you agree to this disclaimer. The materials provided are for informational purposes only and do not constitute advertising, a solicitation or legal advice. You should not rely upon this information for any purpose without seeking legal advice. The information contained is provided only as general information and may or may not be useful to you in your current situation or reflect the most current legal developments; accordingly, information is not promised or guaranteed to be correct or complete.

If you have a comment or want to ask any questions about GDPR or doing a data audit, please leave a message below.

Until next time…

