Preparation for data audit
Data has become an invaluable resource for companies. Collecting, processing and using data (including personal data) is central to running and developing a company. At the same time, handling personal data is an enormous responsibility. Data protection legislation requires companies to protect personal data and comply with certain rules when they handle it. And local data protection agencies have the authority to enforce the rules and ensure that companies follow international and national data security laws. For example, in Denmark, the data protection agency is Datatilsynet. A data inspection by a data protection agency can occur at any time. It can have serious consequences for your company if you have not set up proper data protection. Let’s discuss how you can ensure your company is ready for a data audit.
What does a data protection agency ask for during a data audit?
A data protection agency will ask a variety of questions during a data inspection. The exact questions will depend on the company’s activities and purposes for processing personal data. Questions they may ask during a data inspection include:
- Why do you process personal data and for what purpose?
- What type of personal data do you process?
- How is personal data stored and protected?
- When is personal data deleted?
- What security measures have you implemented to protect personal data from loss, theft or misuse?
- Have you appointed a data protection officer and what role do they play in relation to handling personal data?
- Have you documented and assessed the risks of processing personal data, and has a data protection impact analysis (DPIA) been carried out?
- How do you respond to requests for access to personal data, correction of errors, deletion or restriction of processing?
- Have you informed the registered persons about their rights and about how their personal data is processed?
- Have you informed your employees about the internal data protection guidelines and educated them about their responsibilities and obligations?
These questions are not exhaustive and may vary depending on the company’s specific activities and data processing practices. The data protection agency will typically also examine the company’s documentation and policies to ensure that there is consistency between what the company does and what it says it does.
How can you prepare for a data audit?
The first step is to understand relevant laws and regulations. Do some research on the laws that apply to you and how they affect your business.
The next step is to review and improve your company’s current data protection practices. This includes assessing how well your company protects personal data and identifying any weaknesses in your data protection processes. This assessment will help you improve your data practices and minimize the risk of data leaks and security breaches. Prepare clear policies on how you will collect, store, use and share personal data, and on how you will respond to data access requests.
Finally, it is important to have a clear plan in place in case of a data breach. Your plan should outline the steps that will be taken to prevent, detect, and respond to breaches. Establish a team of individuals who will be responsible for responding to a breach. Decide how you will notify affected individuals, regulatory agencies, and other stakeholders. Detail the steps that will be taken to investigate and contain the breach. Then make sure you regularly test and update your data breach plan and keep records of testing and training.
Do this before the data protection agency comes
In order to prepare for a data audit, make sure you have a clear and coherent plan for how your company handles personal data. Here are some steps to help prepare for a data audit:
- Review and document all processing of personal data in the company: Identify what type of personal data is processed, where the data comes from, how it is processed and who has access to it.
- Update and prepare policies and procedures: Review and update the company’s data protection policies and procedures so that they reflect the applicable legal requirements and best practices in the field.
- Assess risks and carry out an impact analysis: Identify and assess the risks of processing personal data and carry out a data protection impact analysis to ensure that any risks and consequences of a data breach are under control.
- Educate employees: Ensure that all employees in the company are trained in data protection and that they understand their responsibilities and obligations in relation to the processing of personal data.
- Ensure documentation and traceability: Document all decisions, procedures and activities related to the processing of personal data in the company and ensure that it is easy to track and document what happened and who was involved.
- Consider working with an external consulting firm that can help identify any issues and gaps in the company’s data protection and provide advice and guidance in connection with a data audit.
Following these steps will prepare you for a data audit and minimize the risk of GDPR fines (or similar fines and liability).
The smart way to prepare for a data audit
Preparing for a data audit is a comprehensive task, especially for a small or medium-sized company. GDPR tools can help you meet GDPR requirements and prepare for a data audit much faster and more accurately than if you had to do the whole job manually. These tools can also automate some of the processes involved in processing personal data and complying with GDPR requirements. Read more about what a GDPR tool can do for you here. At Safe Online, we develop GDPR tools that cover the most central places where a company processes personal data. Our tools are:
- DataMapper - find your sensitive data
- ShareSimple - send and receive data securely in Outlook
- RequestManager - process data subject requests easily
Sebastian Allerelli
Governance, Risk & Compliance Specialist