GDPR: How to Perform a Data Audit
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

GDPR: How to Perform a Data Audit

A GDPR Data Audit is easier to complete than it sounds

With the EU’s General Data Protection Regulation (GDPR) coming into effect on May 25th, companies around the world are scrambling to become compliant. That means performing a GDPR Data audit.

Before we go any further, this is not a GDPR compliance audit. We will provide guidance on how to handle GDPR compliance audits a bit later this month. Today, we’re going to discuss how to perform a data audit – an informal audit that should help clarify your next few steps towards compliance.

When to perform a Data Audit?

GDPR Data Audit
Can you spot the hidden image?

When it comes to getting compliant with the GDPR, you’re going to want to perform your data audit at the very outset. Keep in mind, the first data audit is likely going to be the most difficult one you perform. That’s largely due to the fact that you need to map everything out and truly use it to gain visibility over your information flows.

Of course, there will be additional data audits, compliance audits and other data management exercises along the way as you maintain compliance. But first you need to know where everything is. That first data audit is the one we’re discussing today.

Is it hard to perform a Data Audit?

Honestly, that all depends on the size of your operation. In theory, no, a data audit shouldn’t be hard to perform. It may be tedious, but not hard. To help get you into the right mindset, we’re going to cover some of the key questions your data audit needs to answer. Let these questions guide you as you proceed.

  • What data are we collecting?
  • Where are we storing the data?
  • How do we protect and document the data?
  • How long do we keep the data?
  • Do we have a function for every piece of data?
  • What is the process for honoring a request to delete data?

Obviously, there are other questions you’ll need to focus on, too. But these six should set a solid foundation.

Now that we have that settled, lets go about collecting the information you need to complete your audit.

What data are we collecting?

The first question we need to answer may seem like the most obvious: what are we collecting? Now, to answer this you need to have a little more information about what data qualifies as “personal data” under the GDPR. There are two categories of personal data. The first is just your standard stuff, anything that can be used to identify an individual:

  • Name
  • Address
  • Email Address
  • IP Address
  • Cookies
  • Phone Number
  • Social Security Number
  • ID numbers

Then there is something called special categories of personal information, that pertains to:

  • Racial or ethnic origins
  • Health information
  • Political Opinions
  • Religious Beliefs
  • Union Activity
  • Sexual or Gender Identity

This second category requires special legal bases to process. Additionally, if you possess any personal data on children under the age of 16 you will need parental consent.

Regardless, you need to go over your entire website (or websites) looking for any point at which you collect personal data. Make sure to map these out, too. Because later you’ll need to come back and add GDPR privacy notices to them.

But for now, just make a complete accounting.

Where are we storing the data?

The GDPR requires you to document where you’re storing the personal data of EU citizens. For the sake of this audit, “where” refers to both a geographic location as well as what kind of mechanism you’re using to store it—whether that’s in emails, documents, databases, backups, email lists, etc.

So after you’ve mapped out where you’re collecting information and what it is you’re collecting, you need to figure out where you’re storing it all. Get granular. ‘This subscription text field records email addresses in a database stored on a server in our New Jersey office.’ That may seem excessive, but as we have said repeatedly: err on the side of caution.

It’s better to be excessively cautious than to become a cautionary tale.

How do we protect and document the data?

Again, this is a fairly straightforward question to answer. What safeguards are in place protecting the data you have stored. Do you use passwords to help protect the data? How do you store the passwords? Are they hashed? Salted? Do you limit access to parts of your site? What about to your databases? Are you collecting this data over a secured HTTPS connection? Do you encrypt your data at rest?

These are the kinds of questions that need to be answered.

This is also an excellent opportunity to assess whether your organization is doing enough to secure the information that it collects. If the list of safeguards you have in place seems kind of short, it may be smart to discuss what safeguards you haven’t added yet and how you can incorporate them. Take the GDPR as an opportunity to get your house in order. It will pay off in the long run.

How long do we keep the data?

Like so many other things in the GDPR, the maximum amount of time an organization should store data for is ill-defined. The EU simply says to retain data “no longer than necessary.” Great.

Ideally, the GDPR wants you to dispose of personal data once its served its purpose, but without providing any timelines it can be difficult to figure out what an appropriate length of time to keep personal data is. Part of the reason for this is that different organizations have different needs, and a blanket approach wouldn’t fit very well.

Your organization should decide what is appropriate for itself. Here are some things to consider:

  • The value of the information, both now and in the future
  • The costs and risks of continuing to store the data
  • The ease of keeping it maintained and accurate

Additionally you’ll also need to consider how you’re using the data, any additional legal or regulatory requirements and what is generally considered a best practice in your industry.

If you’re storing data indefinitely you need to put an end to that immediately.

Do we have a use for every piece of data?

Every piece of personal data you collect should have a purpose. Ideally you should be able to explain that purpose at the point of collection, too. So what are you using this data for? Is it for completing a transaction? Are you adding it to an email subscriber list? Are you using it to tailor a better website experience or deliver better customer service?

If you mapped out all of your data collection points earlier, this should be easy. And any data that isn’t being collected for a specific purpose needs to be deleted. The days of grabbing as much information about a user just for the sake of having it are long gone. The data you collect needs to be collected for an express purpose—one that is clearly articulated to your customers.

What is the process for honoring a request to delete data?

Finally, you need to figure out how you’re going to honor the right to be forgotten. This EU right gives citizens the ability to take control over their personal information, including to modify or delete it.

That means you need a mechanism in place for quickly gathering any stored data and then delivering it to the data subject. The two main questions you need to answer here are:

  1. Whose responsibility is it to respond to data requests from users?
  2. What records need to be checked to provide said data?

Once you know this, you should have all the information you need to complete your GDRP data audit.

Data Delete Request


GDPR Data Audit Checklist

Here’s a quick checklist to help you work through your Data Audit.


Additional Considerations


What data do you possess?Does the data fit these categories?


  • Personal Data
  • Special Categories of Personal Data
  • Data belonging to a person younger than 16
Why do you possess that data?Considerations:


  • What your business does with the data
  • Can you demonstrate this use?
How did you obtain the data?Things to determine:


  • Methods used for collection (online and offline)
  • Did you provide your privacy policy upon collection?
When did you obtain the data?Can you identify the date it was collected? 
Who in your organization is responsible for the data?Things to consider:


  • Do you have a Data Protection Officer? If not, who is responsible for the data?
  • Does your DPO/Data Manager handle your privacy policy and processing agreements?
What does your organization do with the data?Considerations:


  • How are you processing the data?
  • Do you share the data with any third parties?
  • Can you easily demonstrate why you need the data?
How do you store and secure the data?Considerations:


  • Where is the data stored?
  • Do you back it up?
  • Are you using cloud-based applications?
  • Do you have an agreement in place with your storage provider?
  • Does your storage provider provide “adequate” safefuards?
  • Who has access to the data?
Who controls the data?Are you the “controller” or just a “processor?”


  • Controllers – Do you instruct any processors on processing the data?
  • Both – Do you have a data processing agreement in place?
How long is the data stored, how do you delete it?Considerations:


  • How did you determine the length of time you store data for?
  • How do you handle requests to delete the data?

Check out the rest of the Hashed Out GDPR Compliance Series


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.