Fast effective GDPR audits

Get clear concise understanding of the risks in days

GDPR and performing a Data Audit

For many business owners, GDPR can seem like a complicated piece of legislation. It is vitally important that you are compliant, otherwise you could face enforcement action, including a financial penalty.

You probably have many questions, and you may wonder whether a data audit is necessary for your organisation.

You may be asking yourself

  • How much will it cost?
  • How long will it take?
  • Will an audit interrupt the flow of my business?

You might be feeling overwhelmed and not sure where, or how, to begin.

Rest assured that we are committed to making your audit as efficient and cost-effective as possible while causing minimum disruption to you and your staff.

we are committed to making your audit as efficient and cost-effective as possible…

Why conduct a data audit?

The primary reason to conduct a data protection audit is to discover if your business is currently abiding by GDPR laws. An important first step towards GDPR compliance is for a business to determine what data they hold and where.

A data audit will establish:

  • What personal data you are collecting
  • The reason you are collecting that personal data
  • How that data is being stored and processed
  • Whether (or not) you are processing that data lawfully

Conducting a thorough data audit will provide your business with the information it needs to identify weaknesses (the gaps!) in your GDPR processes – areas that need to be changed or practices which may not be necessary.

Does my business need a GDPR audit?

If your business intends to comply with the GDPR, then carrying out a comprehensive privacy audit is the first step. A data audit is the best way for a business to establish its compliance with GDPR laws.

Seven Data Protection Principles are outlined:

  • Lawfulness, Transparency, and Fairness
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability

You must obtain and use personal data in a fair and lawful manner.

Personal data must be stored no longer than is necessary.

Data must be collected for a specified purpose and held only long enough to achieve that purpose.

The data you hold must be accurate and you have an obligation to update or remove data that is inaccurate.

The data you hold must be protected against unlawful usage or accidental loss.

Appropriate methods must be used to securely maintain the data that you hold.

A professional data audit will determine if you are doing everything correctly and lawfully.

What penalties do I risk by not being GDPR-compliant?

Not complying with GDPR data protection laws can have serious regulatory consequences including notices of enforcement, fines and an order to stop processing – devastating if your business relies on the activity to operate.

Must small businesses comply with GDPR?

If your business processes personal data then you will need to be fully compliant with GDPR, regardless of your size.

Post Brexit GDPR – must I still comply?

UK businesses must still comply with GDPR laws even after leaving the EU.

Existing data protection legislation has been merged with new regulations to create a new ‘UK GDPR’ framework. The best thing for any business to do is to follow good practices to protect its individual data subjects, as well as itself.

Is a data audit a legal requirement?

No, the GDPR does not legally require a business to complete a data audit. An audit, however, is the only way of knowing if your business is compliant and if not, where the gaps are so they can be promptly and efficiently corrected.

You must have lawful reasons for obtaining and storing personal data, and you must do so in an appropriate legal manner. An audit will help you assess and strengthen your GDPR processes (and thus avoid potential penalties or other regulatory action for non-compliance).

Is a data audit difficult?

Be assured, that our Privacy Team has many years of experience in conducting GDPR audits – it is a well-rehearsed process for us and we know what we are looking for.

Our auditor will ask several questions to obtain information necessary for the work, including, but not limited to:

  • What personal data does your company collect and store?
  • How is the data collected?
  • Why do you need to possess this data?
  • How is the data stored?
  • How is it secured?
  • How long is it kept?
  • How is the data used?
  • Who is the data shared with?

What data is protected by GDPR?

The GDPR applies to personal data and special category data. Personal data is information that relates to a person (a data subject) – not a company or organisation.

Some examples include:

Personal data:

  • Name
  • Address
  • Email address
  • Phone number
  • Date of birth
  • Employment details
  • Bank details

Special category data:

  • Sexual orientation
  • Religious beliefs
  • Political views
  • Biometric data
  • Health / medical data

Why should I use a professional GDPR data auditor?

Putting your GDPR audit into the hands of a qualified expert will ensure that a thorough and professional job will be done. An expert will perform an independent assessment of your business regarding your data protection needs.

  • We guarantee minimum disruption to your business.
  • We will work with you and your staff to suit your schedule.
  • We can offer a FIXED price for the audit.
  • We will take your risk appetite into consideration when drafting your report.
  • Our GDPR consultants will tailor your GDPR strategy to create a personalised plan of action.
  • Staff training is critical to ensure costly errors are avoided – we have a dedicated online portal that can instantly address this.

We offer a service that is cost-effective and time-efficient.

We will ensure your business achieves the necessary level of GDPR compliance and is able to easily maintain that legal status going forward.

Our independent assessment means that your business will be assessed in the same way that a regulatory body would conduct a review. Our experts know exactly what is needed to establish and maintain your GDPR compliance – and what is deemed “proportionate” for a business of your size.

An external GDPR audit demonstrates that you have taken steps to ensure that your business is compliant. It shows that you take your GDPR obligations seriously.

Why an Audit?

The objective of a data audit is to assess your business to check if it is GDPR compliant. This will include looking at how data flows through your business and identifying potential flaws in your system that could lead to a data breach.

Ensuring you are protecting data sufficiently is important, as is documenting your data flow so you can demonstrate your compliance.

What happens if my organisation has a data breach?

A data breach is broadly defined under the GDPR and a breach could include loss or destruction of personal data, data that has been unlawfully altered, personal data that has been disclosed deliberately or accidentally. This could include leaving a laptop unsecured in a public area with inadequate IT security protocols which allow unauthorised access to personal data.

If you become aware of a data breach, then you must take immediate action to contain the breach as well as take appropriate steps to remedy the situation.

Will I need to contact the ICO?

The Information Commissioners Office (ICO) should be notified if a breach has occurred that is likely to result in a potential risk to the rights of the individual/s whose data has been breached. Businesses should assess what types of breaches they may face as well as the potential risks to individuals (financial loss, discrimination, etc) those breaches could entail.

You would be required to provide the ICO with information including:

The type of breach, how it occurred and how many people are likely to be affected

  • What the potential consequences are due to the breach
  • What actions you are taking to remedy the problem
  • The contact details of your Data Protection Officer

How can I arrange a professional GDPR audit?

Get in touch and let us know your GDPR needs.

We will need to discuss your current procedures and ask questions about how you handle data and why. We will need to speak to members of your organisation who are involved in data collection. We will be able to discuss costs, work schedules and length of time necessary to complete the audit.

What happens after the audit is complete?

Once your GDPR audit has been completed, depending on your package, we will help you to create a Remediation Plan to ensure compliance is achieved over a manageable period of time.

You may need to change your procedures, ensure your data is more secure, and appoint a Data Protection Officer. You will then be secure in the knowledge that your business is GDPR compliant and you are able to demonstrate that with appropriate documentation.

What to do next:

  • Please contact us now and let us remove the stress of managing data compliance in your business.
  • We handle the complete scope of any data privacy requirement.
  • You can find out in a matter of hours where your gaps are…


As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”


When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER

Security Icon

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.


Is your marketing activity legal? We can make sure it is.