data protection audit


Our Data Protection Audit can assist in ensuring that all functions within your organisation are compliant with the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018. The law requires you to demonstrate compliance, and performing a yearly audit is the perfect way to show that your organisation puts data protection at the forefront of its practices.

The audit will determine whether your controls, policies and procedures meet the requirements of the law, and if there are gaps, how you can remediate them.


why DPAS



All of our auditors have a wide variety of industry experience, including: Healthcare, Housing, Local Government, Councils, Ambulance Services, Retail, Recruitment, Utilities, Finance, Legal, Real Estate and more.



At DPAS we won’t just complete the audit and provide you with a report. We will work with you to design a project plan so you can address any gaps confidently and mitigate risks.



Our audit and assurance tools are designed in line with the scope of the regulator's own audit, so you can be sure we have every area covered.



You can call on us at any time after the audit has been completed to ask questions or for advice; we will help you every step of the way.

The scope of the audit will be structured into various sections. These are:  

  • Governance and accountability
  • Training and awareness
  • Records management
  • Security of personal data
  • Subject Access Requests and Individuals’ Rights
  • Data Sharing
  • Information Risk Assessment (DPIA) and Management
  • Direct Marketing
  • Freedom of Information (FOI)(where applicable)

Within each of these sections, we will pose a variety of questions to your organisation, including questions about the processes, capabilities, policies and systems that you have in place. The aim of the audit is to cover all areas within an organisation and identify gaps. A full scope is necessary in order to provide an incremental approach towards complete data protection compliance.


1. Phone Interviews

Interview key personnel to complete our Audit Compliance Tracker. This determines the first stage: the current level of compliance within the organisation, and highlights immediate gaps.

2. Offsite Checks

Carry out an offsite, high-level review of current documented procedures and policies, and of the list of systems in place. This is so that these can be discussed in full during the onsite assessment and initial risks can be identified beforehand.

3. Onsite Assessment

During the audit, our tool will be completed by assessing the risk within each structured section together with the relevant stakeholders. These sections mirror those the Information Commissioner's Office (ICO) would review during its own audit. As good data protection requires a culture to be adopted by an entire organisation, it is important that we assist in encouraging an 'amnesty culture' whilst onsite. Employees must be truthful in relaying current ways of working so that any risks can be identified and remediation plans put in place.

4. Reporting

Once the onsite assessment is complete, we will produce an in-depth report highlighting all areas identified as a risk. This will additionally be translated into graphs and charts to highlight areas of higher risk and aid prioritisation moving forward. Each section will be scored according to the weightings of the questions within the auditing tool. Depending on the risks found, DPAS can provide further support and services in moving towards 100% compliance against the report produced. The graphs and charts within the audit tool give a visual representation of your compliance status as steps are put in place. For example, areas which were previously red and required 'major work' may turn to blue ('compliant') if the suggestions DPAS make are actioned.

  • Help to raise awareness of data protection within your organisation
  • As we are an independent organisation, we have conducted audits in many different environments. We can share best practice, and easily provide risk analysis and remediation for continual improvement.
  • Using DPAS ensures a fresh pair of eyes on your organisation's processes and an independent assessment.
  • Use the report within your board meetings to demonstrate your commitment to data protection and individuals' rights.
  • Don't put a strain on your existing resources. We can provide audits with minimal disruption to your team.
  • Use the tool that we provide to your organisation on a monthly basis to reassess your compliance score and demonstrate compliance.

1. How much does an audit cost? 

Prices start from £1000 for a small organisation.

2. Will there be a lot of disruption to my teams?

We try to cause as little disruption to your teams as possible. We will need to interview key staff members prior to the onsite assessment and whilst onsite; typically we only need a couple of hours with each team member.

3. Are your team qualified?

Our team undertake our Internal Audit training and some team members are working towards the Information Security Lead Auditor qualification. They are qualified Data Protection Officers and Data Protection Practitioners and have years of experience working in the industry.