GDPR Data Audit Template
A structured data audit to map all personal data flows, legal bases, processors, and retention periods — the foundation of any GDPR compliance programme.
Quick Answer
A GDPR data audit maps every personal data flow against a documented legal basis, processor list, retention schedule, and Record of Processing Activities — it is the mandatory starting point for any GDPR compliance programme.
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; ICO/DPA enforcement notices; reputational damage from public findings.
Frequently Asked Questions
Who must maintain a Record of Processing Activities (ROPA)?
All organisations with 250+ employees must maintain a ROPA. Smaller organisations must also maintain one if they process data regularly, process special category data, or process data that could result in risk to individuals.
How often should a GDPR data audit be conducted?
A full audit should be conducted at least annually and whenever there is a significant change to systems, processes, or the products/services you offer that involve personal data.
What is the difference between a data audit and a DPIA?
A data audit maps all personal data across the organisation. A DPIA (Data Protection Impact Assessment) is a deeper analysis of a specific high-risk processing activity, required when that activity is likely to result in high risk to individuals.