How to Run a GDPR Audit on Your Business in One Day
A GDPR audit does not require a consultant or a week of meetings. This step-by-step guide takes you through a one-day self-assessment that identifies your biggest compliance gaps and tells you exactly where to focus first.
A formal GDPR audit conducted by an external specialist is a worthwhile investment for many businesses — but it is not the only way to understand your compliance position. A structured self-assessment, conducted honestly and systematically, will surface the majority of significant gaps and give you a clear action list to work from.
This guide takes you through a one-day GDPR self-audit. Set aside a full working day, work through the sections in order, and document your answers as you go. By the end, you will have a clear picture of where your compliance programme is strong and where the urgent gaps are.
Before you start: gather what you need
Block the day in your calendar. You will not complete this properly if you are context-switching between this and normal work. Collect the following:
- Your current privacy notice (from your website)
- Any Data Processing Agreements you have with software providers or service companies
- Your current data retention policy (if it exists)
- The last 12 months of data subject requests and how they were handled
- Your breach register (if it exists)
- Your staff training records for data protection
If any of these do not exist, note that. Their absence is itself a finding.
Morning (9am–12pm): The data landscape
9:00 – Record of Processing Activities (ROPA)
Work through every category of personal data your business handles. For each, answer:
- What data do we collect?
- Why do we collect it? (the purpose)
- What is our legal basis for processing it?
- Where is it stored?
- Who has access to it?
- How long do we keep it?
- Who do we share it with?
Common categories to consider: customers, prospects, employees, contractors, website visitors, suppliers, enquiries and leads, former customers, children (if applicable to your services).
Score yourself: Red if you cannot answer these questions for a category. Amber if you have approximate answers but nothing documented. Green if you have documented answers that are current.
10:30 – Lawful Basis Assessment
For each processing activity you identified above, is the lawful basis correct and documented?
Watch for these common errors:
- Using consent where a more appropriate basis applies
- Citing legitimate interests without a documented balancing test
- Processing special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data about sex life or sexual orientation) without an Article 9 condition on top of the Article 6 lawful basis. Note that financial data is not special category data under Article 9, and criminal offence data is governed separately by Article 10.
Score each processing activity Red/Amber/Green.
11:00 – Privacy Notice Review
Read your privacy notice as if you have never seen it before. Check:
- Does it accurately describe all the processing activities in your ROPA?
- Does it name all processors and third parties with whom you share data?
- Does it explain the lawful basis for each category?
- Does it explain retention periods?
- Does it explain how individuals can exercise their rights?
- Is it written in language a non-lawyer can understand?
- Is it up to date? (When was it last reviewed?)
Score: Red if it is missing major categories of actual processing. Amber if it is mostly accurate but outdated or incomplete in places. Green if it accurately reflects current practice.
11:30 – Processor Register
List every company that processes personal data on your behalf. For each:
- Is there a signed Data Processing Agreement in place?
- Is the DPA current (reflecting actual processing activities)?
- Does the DPA include the mandatory GDPR Article 28 clauses?
Pay particular attention to: cloud storage providers, email marketing tools, CRM systems, HR and payroll software, IT support providers, accounting and finance software, customer communication tools.
Score each processor relationship Red (no DPA), Amber (DPA exists but may be outdated or incomplete), Green (current, compliant DPA in place).
Lunchtime: Score and prioritise
Before the afternoon, review your Red findings from the morning. These are your highest-priority gaps. Not all Red findings are equal — rank them by:
- Regulatory risk: breaches of the core principles sit in the higher fine tier of Article 83(5) (up to EUR 20 million or 4% of worldwide annual turnover), which covers lawful basis, the conditions for consent, special category data, data subject rights and international transfers. Processor contracts, security and breach notification sit in the lower tier of Article 83(4) (up to EUR 10 million or 2%), which is still serious but ranks below the first group
- Operational risk: gaps that would prevent you from responding to a breach or data subject request create immediate practical exposure
- Volume: gaps affecting large numbers of individuals are weighted more heavily in regulatory enforcement
Write your top five urgent actions.
Afternoon (1pm–5pm): The operational controls
1:00 – Data Subject Rights Process
Test your rights process. Ask yourself: if a customer emailed us today requesting a copy of all data we hold about them, what would happen? Bear in mind that Article 12(3) gives you one month to respond (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month), and that a request made verbally or to a front-line employee is still a valid request: it does not have to arrive through your designated channel to count.
- Is there a designated channel for receiving these requests?
- Is there a documented process for handling them?
- Who is responsible for responding?
- Have we responded to any requests in the last 12 months? What happened?
- Can we locate all data relating to a specific individual across all our systems?
- Can we delete data from all systems in response to an erasure request, including copies held by our processors and data sitting in backups and exports?
- Do we have a log of rights requests?
Score: Red if you have no process. Amber if the process exists but has not been tested or documented. Green if you have a working, documented, tested process with a request log.
2:00 – Breach Response
Ask: if we discovered tomorrow that personal data had been accessed without authorisation, what would we do? Keep the deadlines in mind: Article 33 requires you to notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and Article 34 requires you to tell the affected individuals themselves where the risk is high. The 72 hours run over weekends and holidays, so the procedure has to work when the responsible person is unavailable.
- Do we have a written breach response procedure?
- Does every employee know how to report a suspected breach?
- Is there a named person responsible for breach assessment decisions?
- Do we have contact details for our supervisory authority and the notification form?
- Do we have a breach register?
- Have we had any breach events in the last 12 months? Are they documented?
Score Red/Amber/Green.
2:30 – Data Retention
Pull a sample of your data — customer records from two years ago, former employee records, prospect lists that have gone cold.
- Should this data still be held?
- Is there a defined retention period for each data category?
- Is retention enforced automatically, or does it rely on someone remembering to delete?
- Has any data actually been deleted in the last 12 months as a result of the retention policy? If nothing has ever been deleted, the policy is not operating.
Most organisations find significant volumes of data they should no longer be holding; it is one of the most common audit findings.
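The retention question is easiest to answer with a script run over an export of the systems you sampled, so that "should this still be held?" becomes a list rather than a judgement call. The following is an added example written for this guide, not code from the original article: the retention periods, the record categories and the sample export are all constructed placeholders, and real periods must come from your own legal and contractual obligations. Records whose category has no defined period are reported separately, because a period you have not set is a finding in its own right.

```python
"""Retention check: flag records held past their defined retention period.

Added example for this guide; not part of the original article. The policy
periods, categories and sample records are constructed for illustration and
are not taken from any real retention schedule.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed policy: days to keep a record after its last activity.
# These numbers are placeholders, not recommendations; real periods depend on
# your legal obligations (e.g. tax law for invoices, employment law for HR files).
RETENTION_POLICY_DAYS = {
    "customer": 6 * 365,         # contract and accounting records
    "prospect": 2 * 365,         # leads that never converted
    "former_employee": 6 * 365,  # post-employment retention
    "web_enquiry": 365,          # closed or unanswered enquiries
}

# Constructed export of the systems sampled during the audit (not real data).
SAMPLE_EXPORT = """\
record_id,category,last_activity,system
c-1001,customer,2017-03-12,crm
c-1002,customer,2023-11-02,crm
p-2001,prospect,2020-05-30,marketing
p-2002,prospect,2024-01-15,marketing
e-3001,former_employee,2016-09-01,hr
w-4001,web_enquiry,2022-02-20,website
w-4002,web_enquiry,2024-06-01,website
x-5001,unknown_category,2019-01-01,shared_drive
"""


def parse_export(text):
    """Parse a CSV export into dicts, converting last_activity to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_activity"] = date.fromisoformat(row["last_activity"])
        rows.append(row)
    return rows


def overdue_records(rows, policy, as_of):
    """Return (overdue, uncategorised).

    overdue: records whose deletion date (last_activity + period) is before
             as_of, annotated with the deletion date and days overdue.
    uncategorised: records whose category has no retention period at all,
             which you cannot enforce and should treat as a finding.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    overdue, uncategorised = [], []
    for row in rows:
        days = policy.get(row["category"])
        if days is None:
            uncategorised.append(row)
            continue
        delete_by = row["last_activity"] + timedelta(days=days)
        if delete_by < as_of:
            overdue.append({**row, "delete_by": delete_by,
                            "days_overdue": (as_of - delete_by).days})
    return overdue, uncategorised


def summarise(overdue):
    """Count overdue records per system to show where deletion is not happening."""
    return Counter(r["system"] for r in overdue)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    over, uncat = overdue_records(rows, RETENTION_POLICY_DAYS, "2024-09-01")
    for r in over:
        print(f"{r['record_id']:8} {r['category']:16} {r['system']:12} "
              f"should have been deleted by {r['delete_by']} "
              f"({r['days_overdue']} days overdue)")
    for r in uncat:
        print(f"{r['record_id']:8} {r['category']:16} {r['system']:12} "
              f"no retention period defined")
    print("overdue per system:", dict(summarise(over)))
```

The per-system summary is the useful output: if every overdue record sits in one system, that system has no automatic purge and the fix is a job there; if overdue records are spread across systems, the policy itself is not being applied.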
3:00 – Access Controls
Check who has access to personal data in your systems.
- Is access to personal data limited to those who need it?
- Have former employee accounts been deprovisioned?
- Are there shared accounts or shared passwords for systems containing personal data?
- Is multi-factor authentication enforced for systems containing personal data?
- Can you produce an access log for your most sensitive systems?
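Three of the questions above (leavers, shared accounts, MFA) can be answered mechanically by cross-checking an account export from each system against the HR leaver list. The script below is an added example for this guide, not code from the original article: the export columns, the leaver list, the generic-name hints, the 90-day dormancy threshold and the mapping of findings onto Red/Amber/Green are all assumptions you should adjust to your own systems and risk appetite.

```python
"""Access review: cross-check a system's account export against the HR leaver list.

Added example for this guide, not code from the original article. The export
format, the leaver list, every name in the SAMPLE_* strings and the scoring
thresholds are constructed assumptions; substitute an export from your own
identity provider or application.
"""
import csv
import io
from datetime import date

# Constructed account export from a system holding personal data (not real).
SAMPLE_ACCOUNTS = """\
username,owner_email,status,mfa_enabled,last_login
a.khan,a.khan@example.com,active,true,2024-08-28
j.roberts,j.roberts@example.com,active,false,2024-08-30
m.chen,m.chen@example.com,active,true,2023-12-04
p.okafor,p.okafor@example.com,disabled,true,2024-02-11
finance-shared,,active,false,2024-08-29
support,helpdesk@example.com,active,true,2024-08-31
"""

# Constructed HR leaver list: people who have left and their last working day.
SAMPLE_LEAVERS = """\
email,last_day
m.chen@example.com,2024-03-15
p.okafor@example.com,2024-02-09
"""

# Username fragments that usually indicate a shared login rather than a person
# (assumed list; extend it with whatever naming your organisation uses).
SHARED_NAME_HINTS = ("shared", "admin", "support", "service", "test", "generic")

DORMANT_AFTER_DAYS = 90  # assumed threshold for "nobody is using this account"


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(accounts_csv, leavers_csv, as_of):
    """Return a dict of finding type -> list of usernames.

    leaver_still_active : enabled account belonging to someone on the leaver list
    no_mfa              : enabled account without multi-factor authentication
    shared_account      : no individual owner, or a generic username
    dormant             : enabled account with no login in DORMANT_AFTER_DAYS
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    leavers = {row["email"].lower(): date.fromisoformat(row["last_day"])
               for row in load_csv(leavers_csv)}
    findings = {"leaver_still_active": [], "no_mfa": [],
                "shared_account": [], "dormant": []}

    for acct in load_csv(accounts_csv):
        user = acct["username"]
        owner = acct["owner_email"].strip().lower()
        active = acct["status"].lower() == "active"
        mfa = acct["mfa_enabled"].lower() == "true"
        last_login = date.fromisoformat(acct["last_login"])

        # A disabled account for a leaver is correct; only an enabled one is a finding.
        if active and owner in leavers and leavers[owner] <= as_of:
            findings["leaver_still_active"].append(user)
        if active and not mfa:
            findings["no_mfa"].append(user)
        if not owner or any(h in user.lower() for h in SHARED_NAME_HINTS):
            findings["shared_account"].append(user)
        if active and (as_of - last_login).days > DORMANT_AFTER_DAYS:
            findings["dormant"].append(user)
    return findings


def score(findings):
    """Map findings onto the guide's Red/Amber/Green scale (assumed thresholds)."""
    if findings["leaver_still_active"] or findings["shared_account"]:
        return "Red"
    if findings["no_mfa"] or findings["dormant"]:
        return "Amber"
    return "Green"


if __name__ == "__main__":
    result = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, "2024-09-01")
    for kind, users in result.items():
        print(f"{kind:20} {', '.join(users) or '-'}")
    print("score:", score(result))
```

Run it once per system that holds personal data and keep the output with your audit notes; the same export is also the evidence that you can produce an access list, which is the last question in this section.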
3:30 – Training
Check your training records.
- Have all staff who handle personal data received GDPR training in the last 12 months?
- Are individual completion records maintained?
- Does the training cover: what is personal data, what is a breach, how to report a breach, how to handle a data subject request?
4:00 – International transfers
If you use any software or services that transfer personal data outside the EU/EEA (or outside your applicable jurisdiction, for example the UK):
- Is there a legal mechanism in place for each transfer: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or for UK transfers the International Data Transfer Agreement or UK Addendum?
- For transfers to the US: is the recipient certified under the EU-US Data Privacy Framework, which has been covered by an adequacy decision since July 2023? If not, are Standard Contractual Clauses in place together with a Transfer Impact Assessment?
- Have you reviewed these arrangements since the Schrems II ruling (July 2020), which invalidated Privacy Shield and made a Transfer Impact Assessment necessary for transfers relying on Standard Contractual Clauses?
End of day: The audit output
By 5pm, you should have:
- A completed Red/Amber/Green assessment across all sections
- A ranked list of the most urgent gaps
- A sense of which gaps are systemic (indicating the programme does not exist) versus operational (indicating the programme exists but has gaps)
Systemic gaps — no ROPA, no breach procedure, no processor DPAs — should be addressed first, as they represent missing foundations. Operational gaps are typically faster to address once the foundations are in place.
What to do with the results
The audit output is an action list, not a report for filing. Assign an owner and a deadline to each Red finding. Amber findings should be scheduled for the following quarter. Green findings should be reviewed annually.
If the audit surfaces more Red findings than you can address internally, this is the moment to engage a DPO or compliance specialist for targeted help — not for a full programme rebuild, but for assistance with the highest-risk gaps.
The business that does this audit and acts on the results is substantially better positioned than one that never conducts the self-assessment. The barriers to getting started are lower than most businesses believe.