To comply with the General Data Protection Regulation (GDPR) all companies need to know what personal data is being recorded and held on their systems, whether it be employees, clients, suppliers or other stakeholders. Typically this will require an information or data audit – but be careful how you go about it!

The Information Commissioner’s Office recommends in its ’12 Steps’ checklist for GDPR:

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

How the GDPR Data Audit works in practice…

The Data Protection Officer (DPO) – or whoever is in charge of data privacy and protection – will likely produce a nice big spreadsheet with details of where all the personal data in the organisation can be found.

This will have lots of detail – the reason for collecting and holding each bit of data, where it is stored, how long it is held for, whether it is archived or backed up and where those archives and backups are held, which third parties have access to each piece of data, where and how it is processed, etc., etc.

In the days before GDPR, for many organisations, personal data would have been all over the place – in lots of different locations, databases and applications – and likely no single person would have known where to look for it all.

Now we’ll have all the details in a single document – what is being stored and where to find it.

GDPR Data Audit Spreadsheet

This spreadsheet will likely be saved in the ‘GDPR Compliance’ folder and it will probably be called something like ‘ACME Inc GDPR Data Audit – draft.xlsx’

A copy (or a share link, but probably not) will be sent to heads of departments along with an email requesting that they ‘check the details’ before it goes in front of the audit committee or the GDPR compliance committee or whatever team has been set up to deal with data privacy and protection.

Heads of department don’t have the time or the inclination to deal with ‘admin’ like this, so they will delegate it to someone below them – probably along with another copy of the document.

This task will find its way down to the lowest level possible – which could be several rungs down the ladder for larger organisations.

Let’s face it, this is the kind of job no-one really wants and if you could delegate things like finding personal data and recording the details and location, who wouldn’t?

On the way down the hierarchy the orginal spreadsheet might have been copied as an attachment, downloaded to local drives or personal or business OneDrives, DropBoxes, Google Drive or other cloud storage. It might even have been printed off and handed over.

So some junior member of staff (maybe the intern) who has no-one below them to delegate this to ends up with the job and will have to deal with it.

If they really want to check what personal data their department is holding, they might have to request a higher level of security access (assuming the most junior member of staff wouldn’t typically have access to all personal data held in their department).

Maybe their security access level will be enhanced to allow them to find personal data – or maybe they will be told to temporarily use someone else’s login so they have the access level they need to find the personal data they need to check.

Once the checks have been done – and maybe some amendments made to the document – it will go back up the food chain – with the amended file being sent as an attachment and again saved locally or printed off while someone at each level ‘checks’ the document.

There might be several minor amendments so that it looks like people of increasing seniority have actually made a contribution. Each time there will probably be another ‘save as’ to create an other copy in case they make a mess of it and can revert back to the original.

Eventually it arrives back at the DPO. All the various departmental copies are consolidated into a master document – but the various ‘draft’ versions will be saved somewhere for a little while ‘just in case’.

Now the Data Audit document will be distributed by email to the members of the Audit Committee or the GDPR Compliance Committee or whatever for review and approval at the next meeting.

On the morning of the meeting, the organiser might print off copies of the document and place them in the meeting room in case any of the attendees need to refer to it (or read it for the first time!).

The spreadsheet data might also appear embedded in a PowerPoint presentation that the DPO will be giving at the meeting.

The DPO always puts the PowerPoint presentation on a memory stick because you have to use the computer connected to the projector in the meeting room and you can’t always guarantee to get on the network to find your .ppt files, so best to run it from a stick.

To make sure the slide with the Excel embed works, a copy of the spreadsheet is also put on the stick and everything is tested running from the memory stick. Perfect.

The presentation goes well and the Committee approves the document. A couple of the members asked for a copy of the slides from the presentation and it was minuted to send out a copy of the .ppt to all the attendees.

The DPO’s PA includes a copy of the spreadsheet as well because the DPO had said something about needing the spreadsheet for the PowerPoint to work, so best just to include both on the email.

The approved document is then renamed and copied into the master GDPR documents folder and an entry in the GDPR document log is made detailing the filename, location and next review date.

The GDPR document log is where everything related to GDPR documents is recorded so everyone can find the documents they need and can see what has been amended or updated or is up for review.

As data privacy is everyone’s responsibility at ACME Inc, all staff are expected to be aware of the GDPR document log and keep it up to date. Where to find the GDPR document log and how to update it is included in the Data Privacy Awareness training that is now a compulsory part of the onboarding process for all new employees.

The End Result

As a result of this one exercise – which will be the starting point for the GDPR compliance journey for many organisations – there are lots of points where a security breach could occur.

And you now have a single document (and lots of copies of versions of it) that tells anyone who comes across it what personal data you are storing and where to find it!

Another example of GDPR making EU citizens personal data more secure…


Need help or advice on security, data privacy and GDPR compliance? Use the form on the right to arrange a no-obligation call to see if we can help.

Need to speak to an expert about data privacy and protection?


Need help with your compliance strategy for GDPR and other data protection legislation?


Complete the enquiry form to arrange a no-obligation call to see if we can help.