A practical 10-point checklist for IT administrators preparing for a GDPR audit or ICO investigation. Covers documentation, access controls, breach readiness, and data discovery.
GDPR audits — whether internal, from a customer, or from a supervisory authority like the ICO — test the same things: whether your controls match your policies, whether your policies match reality, and whether you can produce evidence on demand. Most organisations that struggle with audits don't fail because they have bad practices — they fail because they can't demonstrate good ones.
ICO investigations increasingly begin with a written questionnaire requesting documentation, not an on-site visit. If you can't produce your ROPA, retention schedule, and data processing agreements within 48 hours, the investigation starts badly.
The 10-point checklist
1. Maintain a current Record of Processing Activities (ROPA)
Your ROPA must be in writing (electronic counts), complete, and up to date. An auditor will check whether it reflects your actual processing activities — if you've launched a new product or tool since the last update, it should appear in the record. Review quarterly; update immediately when anything changes.
2. Document the lawful basis for every processing activity
For each processing activity in your ROPA, you need a documented lawful basis. 'Legitimate interests' requires a Legitimate Interests Assessment (LIA). 'Consent' requires records of when and how consent was obtained. These should be linked directly from your ROPA, not stored separately in a folder no one can find.
3. Have signed Data Processing Agreements with every processor
Every third-party service that processes personal data on your behalf — cloud platforms, HR systems, marketing tools, IT support providers — must have a signed DPA in place. Compile these now. Many SaaS vendors provide standard DPAs under their terms of service; locate and download them. If a DPA doesn't exist, contact the vendor before the audit, not during.
4. Implement and document technical security measures
Article 32 requires 'appropriate technical and organisational measures'. Document what you've implemented: encryption at rest and in transit, access controls and least-privilege, multi-factor authentication, patch management cadence, and endpoint security. The standard is 'appropriate to the risk' — you need to show you've thought about the risk level and matched your controls accordingly.
5. Maintain a documented retention schedule
Data protection by design requires you to delete data when it's no longer needed. An auditor will ask: how long do you keep each category of data, and how do you enforce deletion? Document specific retention periods, the trigger event (employment end, contract completion, last purchase), and your deletion method. If deletion is manual, document who is responsible and how often they run the process.
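As an added illustration of how a retention schedule can be enforced rather than merely documented (this is example code written for this page, not a tool from the original article), the script below encodes the schedule as category, trigger event and period, computes each record's deletion due date from its trigger date, lists what is overdue, and produces the log entry that serves as deletion evidence. The schedule values, record identifiers and the `sample_records` data are constructed for the example and are not taken from any real policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention schedule: data category -> (trigger event, retention period in years).
# Constructed illustrative values; a real schedule comes from your documented policy.
RETENTION_SCHEDULE = {
    "hr_file": ("employment_end", 6),
    "crm_contact": ("last_purchase", 3),
    "contract": ("contract_completion", 7),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_event: str
    trigger_date: Optional[date]  # None means the trigger event has not happened yet


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due_date(rec: Record, schedule=RETENTION_SCHEDULE) -> Optional[date]:
    """Date by which the record must be deleted, or None if its trigger has not fired."""
    if rec.category not in schedule:
        raise ValueError(f"no retention rule for category {rec.category!r}")
    trigger, years = schedule[rec.category]
    if rec.trigger_event != trigger:
        # A record tagged with the wrong trigger is a data-quality problem, not a retention decision.
        raise ValueError(f"{rec.record_id}: expected trigger {trigger!r}, got {rec.trigger_event!r}")
    if rec.trigger_date is None:
        return None
    return add_years(rec.trigger_date, years)


def overdue_records(records: List[Record], today: date, schedule=RETENTION_SCHEDULE) -> List[Tuple[str, date]]:
    """Records whose deletion date has passed, oldest first; this is the deletion work list."""
    due = []
    for rec in records:
        d = deletion_due_date(rec, schedule)
        if d is not None and d < today:
            due.append((rec.record_id, d))
    return sorted(due, key=lambda item: item[1])


def deletion_log_entry(rec: Record, deleted_on: date, operator: str, method: str,
                       schedule=RETENTION_SCHEDULE) -> dict:
    """The evidence line an auditor expects: what was deleted, under which rule, when, how, by whom."""
    trigger, years = schedule[rec.category]
    return {
        "record_id": rec.record_id,
        "category": rec.category,
        "retention_rule": f"{years} years after {trigger}",
        "trigger_date": rec.trigger_date.isoformat(),
        "due_date": deletion_due_date(rec, schedule).isoformat(),
        "deleted_on": deleted_on.isoformat(),
        "deleted_by": operator,
        "method": method,
    }


def sample_records() -> List[Record]:
    """Constructed sample data for the example; identifiers and dates are made up."""
    return [
        Record("HR-0001", "hr_file", "employment_end", date(2017, 1, 15)),
        Record("CRM-0042", "crm_contact", "last_purchase", date(2022, 9, 30)),
        Record("CON-0007", "contract", "contract_completion", None),
        Record("HR-0002", "hr_file", "employment_end", date(2018, 5, 31)),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for record_id, due in overdue_records(sample_records(), today):
        print(f"{record_id} was due for deletion on {due}")
    print(deletion_log_entry(sample_records()[0], today, "it-admin", "secure delete in HR system"))
```

Keeping the schedule as data rather than prose means the same file can be shown to the auditor as the retention schedule and run on a cadence to produce the work list, and the log entries accumulate into the deletion records item on the evidence list.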
6. Have a tested breach notification procedure
Your procedure must specify: how a breach is detected, who is notified internally, how you assess whether the breach meets the threshold for reporting to the ICO (and how you meet the 72-hour deadline when it does), who reports to the ICO, and who contacts affected individuals if required. 'We would figure it out' is not a procedure. The ICO expects to see a documented, tested process — at minimum a tabletop exercise in the last 12 months.
7. Have a DSAR response procedure
Document how DSARs are received (any channel, not just a web form), verified, investigated across all data systems, reviewed, and responded to within the one-month deadline. Show that you've tested this against your actual data estate — including endpoint devices and file shares. If the process relies on manual searching, demonstrate how you ensure completeness.
8. Conduct and document Data Protection Impact Assessments (DPIAs) for high-risk processing
If you use systematic profiling, process special category data at scale, or use technologies like biometric authentication, CCTV, or location tracking, a DPIA is mandatory. But DPIAs are good practice for any significant new processing activity. An auditor will ask whether you've conducted DPIAs for your high-risk activities — and whether the DPO (if you have one) was consulted.
9. Know where your personal data actually lives
This is the hardest item on the list. Your ROPA documents where data should live. An auditor may ask you to demonstrate where it actually lives. For structured databases, this is usually straightforward. For unstructured data on endpoints and file shares — the kind that ends up in personal data incidents — it requires active discovery. If you can't demonstrate that your out-of-scope systems are actually clean of personal data, your scope statement is an assertion rather than evidence.
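To show what "active discovery" of unstructured data looks like in practice, here is an added example (written for this page, not a product or script from the original article) of a minimal scanner that walks a file share or endpoint path, looks for a few personal-data patterns in text-type files, and returns a per-root summary that can stand as evidence for a scope statement: a root is only reported clean when no file produced a hit. The detectors are deliberately simple and are labelled as such in the code: e-mail addresses, UK National Insurance numbers by basic format only (HMRC's prefix exclusion rules are not applied), and payment card numbers confirmed with the Luhn checksum to cut false positives. The sample directory tree, file names and contents are constructed for the example.

```python
import os
import re
import tempfile

# Illustrative detectors, constructed for this example; not an exhaustive classifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK National Insurance number: basic shape only (two letters, six digits, suffix A-D).
NINO_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")
# Candidate card numbers: 13-19 digits, optionally spaced or hyphenated; confirmed by Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Only these file types are opened; binaries and office formats are skipped by this simple scanner.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def card_hits(text: str) -> int:
    count = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
    return count


def find_personal_data(text: str) -> dict:
    """Count hits per category in one file's text; categories with no hits are omitted."""
    counts = {
        "email": len(EMAIL_RE.findall(text)),
        "ni_number": len(NINO_RE.findall(text)),
        "card_number": card_hits(text),
    }
    return {k: v for k, v in counts.items() if v}


def scan_tree(root: str) -> dict:
    """Walk a share or endpoint path and record which files contain personal data.
    'clean' is True only when no scanned file produced a hit, which is the evidence an
    out-of-scope system needs."""
    flagged, scanned = {}, 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            scanned += 1
            hits = find_personal_data(text)
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return {"root": root, "files_scanned": scanned, "flagged": flagged, "clean": not flagged}


def build_sample_tree(root: str) -> None:
    """Create a constructed share layout: one HR folder, one finance folder, one 'clean' folder."""
    files = {
        "hr/leavers.csv": "name,ni_number,email\nAlice Example,AB123456C,alice@example.org\n",
        "finance/notes.txt": "Card on file: 4111 1111 1111 1111 (test number)\n",
        "public/readme.txt": "Nothing personal here. Build 4111111111111112 is not a card number.\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "public", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # binary file, skipped by extension


def demo_scan() -> dict:
    """Build the sample tree in a temporary directory and scan each folder as its own 'system'."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {name: scan_tree(os.path.join(root, name)) for name in ("hr", "finance", "public")}


if __name__ == "__main__":
    for system, result in demo_scan().items():
        status = "clean" if result["clean"] else f"flagged {sorted(result['flagged'])}"
        print(f"{system}: {result['files_scanned']} files scanned, {status}")
```

Run against the real paths named in the ROPA, the per-root output is the discovery evidence for the last item on the evidence list; note that a root the scanner could not read, or file types it does not open, are not covered, and the scope statement should say so rather than claim them clean.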
10. Train staff and keep records of training
Data protection awareness training should cover: recognising personal data, how to handle DSARs, how to report a suspected breach, and the basics of lawful basis and consent. Completion records should be kept for every employee. An auditor will ask not just whether you have training, but whether staff who handle personal data have completed it recently (typically within 12 months).
Before the audit: a quick evidence audit
In the week before any external audit, run through this list and locate the evidence for each item. If a document doesn't exist, note it as a gap — attempting to create it days before the audit and presenting it as long-standing practice is worse than acknowledging the gap. Auditors appreciate honesty about gaps accompanied by a remediation plan. They don't appreciate fabricated documentation.
- ROPA — current, signed, accessible
- Lawful basis documentation and LIAs
- DPA register with signed agreements
- Security measures documentation (including encryption and access control evidence)
- Retention schedule with deletion records
- Breach notification procedure + test exercise record
- DSAR procedure + response log (last 3 years)
- DPIAs for high-risk processing
- Training completion records (all staff, within 12 months)
- Data discovery evidence for your stated scope