Privacy and Data Protection



Audits help organisations to understand and meet their data protection obligations. The audit will check the effectiveness of controls in place and look at the suitability of your policies and procedures.

Our lawyers can conduct a full compliance privacy health check of your business including a review of any technical and organisational measures employed, providing clear and practical recommendations.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Audits

A data protection audit assists a business in understanding what personal data the organisation collects and processes. It is carried out to ascertain if the organisation is compliant with the data protection laws and it will usually assess the organisation’s procedures, systems, records and activities.

In order to:

  • Make sure the appropriate policies and procedures are in place.
  • Confirm if those policies and procedures are being followed and enforced.
  • Evaluate the effectiveness of existing controls.
  • Identify actual or suspected breaches of compliance.
  • Suggest any necessary improvements to controls, policies and procedures.

The UK GDPR includes an accountability principle which requires a controller to demonstrate compliance with the data protection principles of the UK GDPR. An audit is one of the ways in which a controller can demonstrate accountability. Although the UK GDPR does not directly apply to processors, both controllers and processors have compliance obligations and an audit is one of the ways in which they can demonstrate compliance.

This depends on the size and complexity of the organisation. At a minimum, a data protection audit should be performed once each year. If there are several areas that need to be improved, you should consider working on those areas more regularly until the organisation is confident that it is compliant with the data protection regulation.

In summary, the data protection audit is likely to cover governance and accountability; security measures in place; whether data is transferred outside the UK and arrangements for such transfers; and whether there are procedures for data subjects’ rights, amongst other areas. The nature of the audit will depend on the specific organisation and method of audit.

If the organisation has a data protection officer (DPO), they will likely oversee the audit. If the organisation has no DPO or Compliance Manager, then the business must select an auditor. The auditor will then decide whether to use a customised questionnaire audit, conduct a personal interview, or use a blend of both methods.
