GDPR Data Audit Checklist

Self-assess your GDPR compliance with 10 key data protection requirements. Free basic checklist or unlock AI-generated comprehensive audit with risk ratings, remediation steps and DPIA templates — £19.99/month.

GDPR compliance is not optional for UK businesses. The Information Commissioner’s Office issued £15.2 million in fines during 2024/25, and small businesses are not exempt. Every organisation that processes personal data must meet the UK GDPR requirements, from lawful basis for processing to data subject access requests and breach notification procedures.

This audit checklist covers the 10 most critical compliance areas. It helps you identify gaps in your current data protection practices and prioritise the fixes that matter most. Think of it as a health check for your data handling, not a replacement for legal advice.

The free version gives you a basic self-assessment with pass/fail indicators. Upgrading unlocks AI-generated risk ratings for each area, detailed remediation steps, and downloadable Data Protection Impact Assessment templates structured around the ICO's DPIA guidance.

How it works

  1. Work through 10 data protection questions covering lawful basis, consent, retention, and security.
  2. View your compliance score and identify areas that need attention.
  3. Upgrade for AI-generated remediation plans and DPIA templates.

Written by the CalcStack team · Last updated April 2026

Frequently asked questions

What is a GDPR audit and why do I need one?
A GDPR audit is a systematic review of how your organisation collects, stores, processes and shares personal data. It helps identify compliance gaps, reduce the risk of data breaches, and avoid ICO fines of up to £17.5 million or 4% of annual global turnover, whichever is higher.
How often should I conduct a GDPR audit?
The ICO recommends reviewing your data protection practices at least annually. You should also conduct an audit whenever you introduce new processing activities, change suppliers, adopt new technology, or experience a data breach.
Do I need a Data Protection Officer (DPO)?
You must appoint a DPO if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data or criminal offence data. Even if not mandatory, appointing a DPO is considered best practice.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process to identify and minimise data protection risks of a project. It is mandatory when processing is likely to result in high risk to individuals, such as large-scale profiling, automated decision-making, or processing children's data.
What are the six lawful bases for processing under GDPR?
The six lawful bases are: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. You must identify and document which basis applies before you start processing personal data.
What counts as special category data under GDPR?
Special category data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify someone, health data, and sex life or sexual orientation. Processing requires a lawful basis under Article 6 plus a separate condition under Article 9.
How do I handle a data breach under GDPR?
You must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. If it poses a high risk, you must also notify the affected individuals without undue delay. Whether or not you report it, you must keep an internal record of every breach, including its effects and the action you took.
Can I transfer personal data outside the UK after Brexit?
Yes, but you need appropriate safeguards. The UK has its own adequacy regulations covering certain countries. For others, you can use the ICO's International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the UK Addendum.
What records do I need to keep for GDPR compliance?
Under Article 30, you must maintain Records of Processing Activities (ROPA) if you have 250 or more employees. Smaller organisations must still keep them if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or includes special category or criminal offence data. In practice, almost every organisation falls into one of those categories, so all organisations should maintain a ROPA.
What are the penalties for GDPR non-compliance in the UK?
The ICO can issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements, such as breaching the data protection principles or individuals' rights. Lower-tier fines of up to £8.7 million or 2% of annual global turnover (whichever is higher) apply to lesser breaches, such as failures in record-keeping, security measures, or breach notification.

© 2026 CalcStack — a Flavoureak UK Ltd product. GDPR audit results are for guidance only and do not constitute legal advice. Consult a qualified data protection practitioner.