Checklist for SMEs for GDPR compliance

If you are in the UK and need to check that you will comply with the General Data Protection Regulation (GDPR) when it comes into force in May 2018, this checklist might help. Developed for use in my own business, it is shared without liability. Please use it wisely to start the process of complying.

For more information on making your processes and your legal documents simple, especially if you are in the UK construction industry, go to http://500words.co.uk/

GDPR AUDIT CHECKLIST FOR SMALLER BUSINESSES
© 500 Words Ltd, 2018. You may share only provided you keep this notice. You have no licence to adapt. Please tell us if it needs changes.

The original is a table with the columns Topic | Action | Y/N/DK | Evidence/action | GDPR Requirements. For each question below, record Y (yes), N (no) or DK (don't know) and note the evidence you hold or the action still needed; the "GDPR requirements" note under each topic summarises what the regulation expects.

1. Awareness
   - Is everyone aware of GDPR?
   - Have you identified possible compliance issues?
   - Do you have records of the audit?
   - Have you completed due diligence on your supply chain?
   GDPR requirements: Read the ICO's "12 Steps" guidance and train staff on GDPR. Ensure suppliers are GDPR-compliant by asking them to confirm their security measures, and check that contracts with processors include the terms required by Article 28(3).

2. Information audit
   - What personal data do you hold?
   - Is any of it sensitive (special category) data?
   - Where did it come from?
   - Where is it stored (device and location)?
   - Is it encrypted?
   - Who do you share it with?
   GDPR requirements: GDPR requires you to maintain records of your processing activities and to be able to show how you comply (accountability). Article 9 defines the special categories of personal data ("sensitive data").

3. Communicating privacy information
   - What does your privacy notice say?
   - Do you need to update your privacy notice for GDPR?
   - Is your privacy policy on your website?
   - Do you need to update your T&Cs for the new data regulations?
   GDPR requirements: GDPR requires you to explain, in plain language, your lawful basis for processing (see 6), your data retention periods and the individual's rights. See the ICO Privacy Notice Guide.

4. Individuals' rights
   - Does your data policy cover all the rights individuals have?
   - Does your data policy need updating?
   - Do you delete personal data?
   - Do you provide data electronically or in a commonly used format?
   GDPR requirements: GDPR gives individuals these rights:
     - the right to be informed
     - the right of access
     - the right to rectification
     - the right to erasure
     - the right to restrict processing
     - the right to data portability
     - the right to object
     - the right not to be subject to automated decision-making, including profiling

5. Access requests
   - Do your procedures allow you to (1) handle requests for information within the new timescales and (2) provide the correct information?
   GDPR requirements: GDPR gives one month to comply (previously 40 days). In most cases you must comply without charge.

6. Lawful basis
   - What is the lawful basis for your processing of data?
   - Do you have fair processing notices?
   - Where is the lawful basis stated?
   - Have you updated your privacy notice to explain it?
   GDPR requirements: The lawful bases for processing are:
     - clear consent
     - contract
     - legal obligation (e.g. as an employer)
     - vital interests (protecting life)
     - public task
     - legitimate interests
   See the ICO Guide on lawful processing.

7. Consent
   - Have you reviewed how you seek, record and manage consent?
   - If someone joins your email list, do they know what content you will send?
   - Can you prove their consent?
   - Do your existing consents meet the GDPR standard (free choice plus a positive opt-in)?
   - Can they unsubscribe easily?
   GDPR requirements: Consent must be freely given, specific, informed and unambiguous. It cannot be inferred from silence, inactivity or pre-ticked boxes, so do not rely on implied consent. Separate consent requests from other T&Cs and make unsubscribing simple. See the ICO Consent Guidance.

8. Children
   - Does your data verify the ages of individuals?
   - Do you need a procedure to get parental consent?
   GDPR requirements: GDPR requires specific protection for children's personal data and parental consent where online services are offered directly to a child. Article 8 sets the age of consent at 16 but allows member states to lower it to no less than 13; the UK's Data Protection Act 2018 sets it at 13. Your privacy notice should be understandable to children.

9. Data breaches
   - Do you have procedures to (1) detect, (2) report and (3) investigate a personal data breach?
   GDPR requirements: GDPR requires you to notify the ICO within 72 hours of becoming aware of a breach if it is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, you must also tell them without undue delay.

10. Privacy Impact Assessment
   - Has everyone read the ICO Code of Practice on Privacy Impact Assessments?
   - Do you know how and when you will carry out a DPIA?
   GDPR requirements: GDPR requires privacy by design. You may need a Data Protection Impact Assessment (DPIA) for high-risk processing. See the ICO PIA Guidance.

11. Data Protection Officers
   - Do you need a DPO to check compliance?
   - Who is your DPO (or equivalent)?
   GDPR requirements: GDPR requires a DPO if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data.

12. International
   - If you work across EU member states, who is your lead data protection supervisory authority?
   GDPR requirements: Your lead authority is the one in the member state where your main establishment is.
