GDPR Data Audit Checklist

Self-assess your GDPR compliance with 10 key data protection requirements. Free basic checklist or unlock AI-generated comprehensive audit with risk ratings, remediation steps and DPIA templates — £19.99/month.

Frequently asked questions

What is a GDPR audit and why do I need one?
A GDPR audit is a systematic review of how your organisation collects, stores, processes and shares personal data. It helps identify compliance gaps, reduce the risk of data breaches, and avoid ICO fines of up to 4% of annual turnover or GBP 17.5 million.

How often should I conduct a GDPR audit?
The ICO recommends reviewing your data protection practices at least annually. You should also conduct an audit whenever you introduce new processing activities, change suppliers, adopt new technology, or experience a data breach.

Do I need a Data Protection Officer (DPO)?
You must appoint a DPO if you are a public authority, if your core activities involve large-scale systematic monitoring of individuals, or if you process special category data on a large scale. Even if not mandatory, appointing a DPO is considered best practice.

What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process to identify and minimise the data protection risks of a project. It is mandatory when processing is likely to result in high risk to individuals, such as large-scale profiling, automated decision-making, or processing children's data.

What are the six lawful bases for processing under GDPR?
The six lawful bases are: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. You must identify and document which basis applies before you start processing personal data.

What counts as special category data under GDPR?
Special category data includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. Processing requires an additional condition under Article 9.

How do I handle a data breach under GDPR?
You must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. If it poses a high risk, you must also notify the affected individuals without undue delay.

Can I transfer personal data outside the UK after Brexit?
Yes, but you need appropriate safeguards. The UK has its own adequacy decisions for certain countries. For others, you can use the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) with the UK addendum.

What records do I need to keep for GDPR compliance?
Under Article 30, you must maintain Records of Processing Activities (ROPA) if you have 250 or more employees, or if the processing involves high-risk data, is not occasional, or includes special categories. In practice, all organisations should maintain a ROPA.

What are the penalties for GDPR non-compliance in the UK?
The ICO can issue fines of up to GBP 17.5 million or 4% of annual global turnover (whichever is greater) for serious infringements. Lower-tier fines of up to GBP 8.7 million or 2% of turnover apply for lesser breaches such as record-keeping failures.

© 2026 CalcStack — a Flavoureak UK Ltd product. GDPR audit results are for guidance only and do not constitute legal advice. Consult a qualified data protection practitioner.