How can we help?

Privacy and Data Protection



Audits help organisations to understand and meet their data protection obligations. The audit will check the effectiveness of controls in place and look at the suitability of your policies and procedures.

Our lawyers can conduct a full compliance privacy health check of your business including a review of any technical and organisational measures employed, providing clear and practical recommendations.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Audits

A data protection audit assists a business in understanding what personal data the organisation collects and processes. It is carried out to ascertain if the organisation is compliant with the data protection laws and it will usually assess the organisation’s procedures, systems, records and activities.

In order to:

  • Make sure the appropriate policies and procedures are in place.
  • Confirm if those policies and procedures are being followed and enforced.
  • Evaluate the effectiveness of existing controls.
  • Identity actual or suspected breaches of compliance.
  • Suggest any necessary improvement to control, policies and procedures.

The UK GDPR includes an accountability principle which requires a controller to demonstrate compliance with the data protection principles of the UK GDPR. An audit is one of the ways in which a controller can demonstrate accountability. Although the UK GDPR does not directly apply to processors, both controllers and processors have compliance obligations and an audit is one of the ways which can demonstrate compliance.

This depends on the size and complexity of the organisation. At minimum, a data protection audit should be performed once each year. If there are several areas that need to be improved, you should consider working on those areas more regularly until the organisation is confident that it is compliant with the data protection regulation.

In summary, the data protection audit is likely to cover governance and accountability; security measures in place; whether data is transferred outside the UK and arrangements for such transfers; and whether there are procedures for data subjects’ rights, amongst other areas. The nature of the audit will depend on the specific organisation and method of audit.

If the organisation has a data protection officer (DPO), they will likely oversee the audit. If the organisation has no DPO or Compliance Manager, then the business must select an auditor. The auditor will then decide whether to use a customised questionnaire audit or conduct a personal interview or a blend of both methods.

Key contacts

Read, listen and watch our latest insights

  • 19 February 2024
  • Privacy and Data Protection

The role of Data Protection Officers in ensuring compliance

How many of us receive marketing calls for products and services we did not sign up for?

  • 09 February 2024
  • Privacy and Data Protection

Are we suffering from cookie fatigue?

An over-indulgence in Easter treats might not be the only cookie fatigue that individuals will suffer this year according to the Information Commissioners Office (ICO).

  • 26 January 2024
  • Privacy and Data Protection

AI Podcast: AI, Discrimination and Automated Decision-making

In this podcast, Lucy Densham Brown and Jordan Masters, members of the data protection team at Clarkslegal, discuss how using AI and automated decision-making could conflict with GDPR protections and lead to discrimination.

  • 28 December 2023
  • Privacy and Data Protection

Data Protection: What’s in store for 2024?

As 2023 nears to a close, we take a look at some of the key trends and developments to watch out for in 2024.

  • 12 December 2023
  • Privacy and Data Protection

Is Santa’s List Naughty or Nice?

All year we all work hard to make sure we end up on the Nice List, and avoid that dreaded lump of coal at the end of our bed. But what about Santa himself?

  • 04 December 2023
  • Privacy and Data Protection

The UK-US data bridge for transfers of personal data – Melanie Pimenta writes for Business Voice magazine

In Business Voice magazine, Melanie Pimenta, Senior Solicitor at Clarkslegal writes that transferring data can be a tricky business and the risks of getting it wrong can be costly both reputationally and financially.