
UK GDPR Audit Guidance
for Organisations



What is a UK GDPR audit?

A UK GDPR audit is a structured review of how an organisation handles personal data. In simple terms, it looks at what personal data you collect, why you collect it, where it is stored, who can access it, how it is used and shared, and how long it is kept. The purpose is to understand whether the way personal data is handled in practice aligns with data protection requirements, and whether your documentation reflects what actually happens day to day.


An audit is not the same thing as producing or updating a set of policies. It is also not a one-off checklist exercise. Many organisations have policies and notices in place, but still find that systems, working practices and supplier arrangements have changed over time. A useful audit brings those elements together so you can see your current position clearly.


Why organisations carry out data protection audits

Organisations usually look at audits when they want clarity. Sometimes that is because responsibilities have grown organically and no one is confident that processes are consistent across teams. Sometimes it is because there has been a change, such as a new system, a new supplier, a restructure, or a move to different ways of working. In other cases, an audit is prompted by a specific issue, such as an increase in subject access requests, a security incident, or a concern raised internally.


A data protection audit helps you understand what you are doing now, rather than what you intended to do when policies were first written. It can also help you identify where effort is best spent, because most organisations do not need to change everything at once. The value is in being able to prioritise realistically.


What an audit looks at in practice

Although every audit is different, a meaningful audit looks beyond whether a document exists and considers how personal data is actually handled. It will usually involve understanding the main areas where personal data is processed and how that processing is managed. That might include how personal data is collected, how it is stored, how it is accessed, how it is shared, and how it is retained and deleted.


It may also include reviewing whether privacy information is accurate, whether records of processing are maintained in a workable way, and whether responsibilities and decision-making are clear. The emphasis is on identifying gaps between documented processes and real practice, because this is where avoidable issues tend to arise.


Why audits can be more complicated than expected

Audits are often more involved than organisations anticipate because personal data is rarely held in one place. It may sit across HR systems, email, shared drives, customer or client databases, finance systems, case management tools and supplier platforms. Different teams may also use the same data for different purposes. Over time, organisations may develop workarounds and informal processes that are not reflected in written documentation.


An audit needs to take account of these realities. If an audit only focuses on policies and templates, it may miss the practical points that matter. A proportionate audit focuses on the areas that carry the most risk or uncertainty, rather than trying to treat every part of the organisation in exactly the same way.


What a data protection audit is not

It is helpful to be clear about what an audit does not do. An audit is not a regulatory inspection and it is not, in itself, a determination of whether an organisation is legally compliant in every respect. It does not remove the need for ongoing governance or day-to-day decision-making. It is a way of bringing together the information you need to understand your current position and decide what to do next.


Organisations sometimes worry that an audit will create problems. In practice, most issues arise when organisations do not know what is happening across their systems and processes. An audit can provide clarity, and clarity tends to reduce risk over time.


Preparing for an audit

An audit is easier and more effective when the organisation is clear about what it is trying to achieve. Preparation may involve identifying the key people who understand data use in different areas, locating the main policies and notices, and having a view of the systems and suppliers involved in processing personal data. It is also helpful to be realistic about timescales and internal capacity, because audits can be disruptive if they are not planned carefully.


A proportionate approach is often the most sensible. Many organisations start by focusing on high-impact areas and then decide whether a wider review is needed later.


What happens after an audit

An audit is only useful if it leads to sensible follow-up. The outcome should be a clear picture of what was reviewed, what the main findings were, and what options the organisation has. In many cases, the next steps are practical rather than dramatic: updating documentation so it matches practice, tightening responsibilities, improving consistency, addressing obvious gaps, and making sure staff know what is expected.


It is also common for organisations to use an audit as a baseline, then revisit certain areas later to check whether changes have been implemented and whether the organisation’s approach remains appropriate as systems and working practices evolve.


Summary

A data protection audit helps organisations understand how personal data is handled in practice and whether current processes and documentation align with data protection requirements. It is most valuable when it provides clarity and supports proportionate, prioritised improvement, rather than attempting to treat compliance as a one-off tick-box exercise.


Looking for practical support?

Unsure if your DSAR process meets regulatory expectations? View our [Data Protection Audit Services] or [Book a Scoping Discussion].


Ready to start your audit? Book a scoping discussion.

If you are planning a data protection audit and need expert guidance, get in touch for confidential advice. You can also call us on +44 (0)7976 939 016.

Westbrook Data Protection Services Limited.
2nd Floor, Midas House, 62 Goldsworth Road
Woking, Surrey
GU21 6LQ

Content reviewed by Clara Westbrook

Clara Westbrook is a qualified solicitor and non-practising barrister with over 25 years’ experience in data protection and commercial law.


She is the founder of Westbrook Data Protection Services Ltd, a consultancy providing GDPR compliance advice, DSAR support, audits and contract reviews for organisations across the UK. Clara has previously held senior legal and compliance roles at Burberry, WarnerMedia, Richemont and IMS Health.

What is a data protection audit?

A data protection audit is a structured review of how an organisation handles personal data, examining what data is collected, why, where it is stored, who has access, how it is used and shared, and the retention period. Its purpose is to ensure practices align with data protection requirements and reflect actual daily operations.

Why do organisations carry out data protection audits?

Organisations conduct audits to gain clarity on their data handling processes, especially when responsibilities grow or changes occur, such as new systems or restructures, or in response to specific issues like increased subject access requests or security incidents. It helps to understand current practices and prioritise improvements.

What does a typical data protection audit involve?

A meaningful audit looks beyond policies and examines practical data handling, including how personal data is collected, stored, accessed, shared, and deleted. It also reviews the accuracy of privacy information, record-keeping, and accountability to identify gaps between documented procedures and actual practice.

Why can audits be more complicated than expected?

Audits can be complex because personal data is often stored across multiple systems and used by different teams for various purposes, sometimes with informal workflows that aren’t documented. This complexity means audits need to consider real-world data handling, not just policies.

What is a data protection audit not?

An audit is not a regulatory inspection or a legal compliance guarantee. It does not replace ongoing governance or decision-making but provides a clear understanding of current data practices to inform next steps and reduce risks.