Step 2: Audit

Key considerations

Reasons for using personal data

Every use of personal data must rest on a lawful basis. This step requires you to record, for each use of each type of data, which basis you rely on. Consent is only one of the available bases, but where you do rely on it you need to examine how that consent is obtained and recorded at the point the data comes in, and whether it meets the GDPR standard (freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give). This record does more than help ensure your processing is lawful: it demonstrates compliance under the accountability principle, feeds the record of processing activities that most organisations must keep, and will be necessary to complete your external and internal privacy notices (which give individuals the required information about how you use their data).

Internal policies and procedures

To ensure that the movement and use of data around your business is compliant, you need to consider what internal policies and procedures are in place. Retention policies (setting out how long each type of data is held and what happens to it at the end of that period) should cover all data, and certain categories may need permission-based access controls and encryption, both in storage and in transit, for greater security. If you transfer data between group companies, you also need to consider which rules or policies apply, including any Binding Corporate Rules where group companies are located outside the European Economic Area.

Controller or processor

You need to understand your status as a data controller (an organisation which determines the purposes and means of the processing) or a data processor (an organisation which processes data only on the documented instructions of a controller), as this determines the extent of your GDPR obligations. The controller carries primary responsibility, but processors have direct obligations of their own, including security measures, keeping records of their processing and notifying the controller of any personal data breach. An organisation can be a controller for some processing and a processor for other processing, so the assessment should be made per activity rather than for the business as a whole.

External data sharing

You will need to assess whether data is shared externally and, if so, ensure appropriate agreements are in place whenever data leaves the business: a written contract containing the mandatory processor terms where a service provider processes data on your behalf, and a data sharing agreement where you share data with other controllers. You will also need to consider which privacy notices apply to that data and how they are made available to individuals (or, if they are not, how you would make them available).

Industry-specific requirements

Depending on your industry, there may be additional regulatory requirements around your use and storage of data (for example, sector-specific rules on record keeping or confidentiality). These need to be considered alongside, not instead of, your data protection obligations.

Where data is held

The location of data matters at every level. You will need to assess where data is stored (for instance, on cloud servers, local machines and mobile devices) as well as whether individuals, service providers or parts of your business are located outside the European Economic Area, since any transfer outside the EEA needs a recognised safeguard such as an adequacy decision, standard contractual clauses or Binding Corporate Rules.


How Cripps Pemberton Greenish can help

The documented policies, procedures and protocols you have in place around your data are key to understanding the level of risk in your business. We can help you cut through the jargon, understand and interpret the guidance issued by the ICO, ask the right questions internally and carry out a full and accurate assessment.


Next: Step 3: Gap analysis