How to Run a GDPR Audit as an SMB (Practical Steps)

GDPR, Compliance, SMB

A client sends you a questionnaire about your privacy practices. Your accountant asks if your GDPR paperwork is up to date. Or you read about a fine hitting a company that looks a lot like yours.

That's the moment you realise: you don't actually know where you stand.

That's exactly when a GDPR audit matters. Not as a box-ticking exercise, but as a practical check: what's already in place, what's missing, and what needs attention first?

In this article, you'll learn what a GDPR audit involves, when to do one, and how to work through it step by step, including a concrete GDPR audit checklist you can use straight away.

What is a GDPR audit?

A GDPR audit is a structured review of how your organisation handles personal data and whether that handling meets the requirements of the General Data Protection Regulation.

Nobody from a supervisory authority calls you up to schedule one. You do it yourself, or you bring in a privacy consultant. Either way, you're working through a set of questions: do you have the right legal bases, is your documentation in order, do your employees know what to do?

Two main approaches exist. An internal audit uses a checklist and the knowledge already in your organisation. An external audit brings in a privacy professional, who can look at your processes more objectively and spot blind spots you've stopped seeing.

For most SMBs, starting with a self-audit makes sense. It surfaces the obvious gaps, and you'll quickly know whether you need external help.

When do you need a GDPR audit?

Not just when something goes wrong. A privacy audit is most useful before problems appear. Run one when:

  • You've adopted new software that processes personal data
  • A new vendor now has access to customer or employee data
  • A client sends you a GDPR questionnaire — this is becoming routine in procurement and partnerships
  • You've had a near-miss or an actual data breach
  • You're working toward ISO 27001 or NIS2
  • It's been over a year since you last looked at your privacy processes

No external trigger required. An annual check is good practice, especially if your business is growing and new tools keep getting added.

What do you check in a GDPR audit? (The checklist)

Work through the nine points below and note the status for each: in order, partially in order, or still to do.

  1. Processing register (Article 30 GDPR). Do you have an overview of all personal data processing activities? Is it current, complete, and clear on who owns each entry? Without this, the rest of the audit doesn't hold together.

  2. Data processing agreements (DPAs). Have you signed a DPA with every vendor that processes personal data on your behalf — accounting software, HR system, email provider, CRM?

  3. Legal bases. Each processing activity needs a documented legal basis. Consent, legitimate interest, contractual necessity — pick one and record it. No legal basis means no valid processing, full stop.

  4. Retention periods. How long do you keep personal data? More importantly: does that policy work in practice, or does it only exist in a document nobody reads? See also: data retention under the GDPR.

  5. Data subject rights. When someone asks to see, correct, or delete their data, who handles it and how fast? You need a named person and a working procedure, not just a vague plan.

  6. Data breach procedure. Does your team know what a data breach actually is? Do they know when to escalate internally and when you're required to notify the supervisory authority?

  7. Privacy policy and cookie statement. Up to date, complete, easy to find — and does the text match how you actually operate today, not how you operated when you first wrote it?

  8. Access management and security. Who can see which personal data, and is that limited to people who genuinely need it? Two-factor authentication and encryption where relevant are worth checking here too.

  9. Employee awareness. Do people on your team understand what personal data is and what they're allowed to do with it? No formal training programme needed, but zero awareness is a real gap.

Nine points. None of them are out of reach for an SMB. But each one you can't tick off is a place where a regulator, a client, or an incident can catch you out.

How to run a GDPR audit (step-by-step)

Step 1: Start with your processing register. Map out which personal data you process, from whom, for what purpose, and through which systems. If you don't have this yet, it's your first action item. You can't complete the rest of the checklist without it.

Step 2: Work through the nine points per processing activity. Go entry by entry through your register. For each one: do you have a legal basis? A retention period? A DPA with the relevant vendor? Working per activity keeps things concrete rather than abstract.

Step 3: Write down what you find. Record what's in order, what's partly there, and what's missing. Be honest. Marking everything green when it isn't doesn't help you or anyone else.

Step 4: Build a priority list. Not everything missing needs to be fixed this week. Prioritise by risk — what's most likely to cause an incident or a complaint? Start there.

Step 5: Put the next check on the calendar. An audit done once and forgotten is almost as bad as no audit. Before you close this one out, schedule the next.

A tool like ComplianceHive keeps processing activities, vendors, and audit evidence in one place, so you're not rebuilding the picture from scratch every time.

Common gaps found in SMB GDPR audits

Some problems show up again and again. Knowing them in advance saves time.

No processing register at all. By far the most common gap. Many SMBs assume the register is only required for large companies. It's not. If you regularly process personal data — and almost every business does — you need one.

Missing or outdated DPAs. You switched email providers two years ago but never signed a new DPA. You started using a project management tool that touches client data, but nobody checked the agreement. It adds up fast and is easy to miss.

Retention periods on paper, ignored in practice. The policy exists, but nobody actually deletes anything. Old customer records, former employee files, abandoned email lists — still sitting there, still a liability.

No breach procedure. Ask five employees what to do if they accidentally send a file to the wrong person. Five different answers, or five blank stares, means you have a gap.

Access that's too broad. Everyone has admin rights to everything because it seemed simpler. It stays that way until someone accidentally deletes a database or a file ends up somewhere it shouldn't. Tightening access is one of the cheapest security improvements available.

None of this is unusual. It's what most SMBs look like before their first audit. And each gap is fixable once you've named it.

How often should you run a GDPR audit?

Once a year at minimum. The GDPR expects you, as a data controller, to demonstrably maintain control over your privacy processes — not just set things up once and hope they hold.

For SMBs that are growing quickly, regularly adding new tools, or working in sectors with sensitive data like healthcare, HR, or finance, twice a year is more realistic. Your organisation changes, and your compliance has to keep pace.

Beyond that, run a check whenever something significant shifts: a new vendor, a new system, a merger, a client asking for proof of compliance. That check doesn't have to cover everything. Walking through the relevant parts of the checklist is often enough.
