GDPR Audit Readiness: How UK Organisations Can Prepare for an ICO Review
Henry Dawson
Jun 16, 2026
10 min read
[Image: GDPR audit readiness for UK organisations with compliance records, DPIAs and ICO review preparation documents]

GDPR audit readiness in the UK is not something organisations should think about only when the Information Commissioner’s Office (ICO) makes contact. A strong data protection programme should be ready to show evidence of compliance at any time, whether the trigger is an internal review, a customer question, a board request, a healthcare assurance process, a complaint, a personal data breach, or an ICO review.

For DPOs, compliance managers and healthcare managers, audit readiness is about more than having policies saved in a folder. It means being able to show that data protection is understood, documented, implemented and reviewed. The ICO’s accountability approach expects organisations to demonstrate how they comply with UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and relevant guidance.

In 2026, organisations are under increasing pressure to prove compliance, not simply claim it. This guide explains what a GDPR audit involves, when the ICO might review an organisation, what documents auditors may expect to see, and how to prepare using a practical readiness checklist.

For foundational reading on the person who often leads this work, see our DPO role explained guide.

What Is a GDPR Audit?

A GDPR audit is a structured review of how an organisation complies with data protection law. It examines whether policies, records, processes, training and controls are in place and working in practice.

A GDPR compliance audit may be carried out internally, by an external consultant, by a customer or commissioner, or by the ICO. The scope can vary. Some audits review the whole privacy management programme, while others focus on a specific area such as healthcare records, data sharing, staff training, breach reporting, Subject Access Requests (SARs), information security or retention.

A useful audit asks three questions:

  • What does the organisation say it does?
    This is usually shown through policies, procedures, privacy notices and governance documents.
  • What does the organisation actually do?
    This is shown through records, system evidence, completed training, DPIAs, breach logs and operational practice.
  • Can the organisation prove it?
    This is the accountability test. Evidence matters.

A UK GDPR audit should not be treated as a one-off paperwork exercise. It should help the organisation identify gaps, prioritise risk and improve over time. The strongest organisations use audit as part of continuous compliance, not as a last-minute scramble before an ICO investigation.

When Might the ICO Review Your Organisation?

The ICO may review an organisation in different ways. Some engagement is proactive and cooperative. Other engagement may follow a complaint, breach report or concern about non-compliance.

Common types of ICO engagement include:

  • Consensual audit: the organisation agrees to an ICO audit or review process.
  • Compulsory or statutory audit: the ICO uses formal powers to assess compliance.
  • Investigation: the ICO investigates a complaint, breach, concern or suspected infringement.
  • Information request: the ICO asks for documents, explanations or evidence.
  • Advisory or assurance activity: the ICO may engage with organisations to improve standards, particularly in higher-risk areas.

The ICO has powers of investigation under UK GDPR and the Data Protection Act 2018. Depending on the circumstances, it may request information, assess compliance, issue recommendations, use enforcement notices or take regulatory action.

The ICO does not audit every organisation. Reviews are usually risk-based, complaint-led, sector-focused, incident-driven or part of wider assurance work. However, any organisation that processes personal data should be able to explain and evidence its compliance.

Triggers for ICO attention may include:

  • a serious personal data breach;
  • repeated complaints from individuals;
  • poor handling of SARs;
  • high-risk processing without adequate DPIAs;
  • insecure systems or data sharing;
  • weak transparency or privacy notices;
  • failures involving special category data;
  • healthcare or social care risks affecting vulnerable people;
  • lack of evidence after a reported incident.

Preparing for ICO investigation does not mean assuming the worst. It means keeping your governance, documentation and training records in a condition where they can withstand review.

Key Documents the ICO Expects to See

ICO auditors and reviewers usually want evidence, not vague assurances. The exact documents depend on the scope of the review, but most organisations should expect to provide core accountability records.

A UK data protection audit checklist should include:

  • Record of Processing Activities (RoPA);
  • privacy notices;
  • data retention schedule;
  • DPIA register;
  • data breach register;
  • data protection policies;
  • SAR procedure and logs;
  • training records;
  • processor contracts;
  • data sharing agreements;
  • information security policies;
  • governance meeting records;
  • risk registers and action plans.

These documents should be accurate, up to date and consistent with each other. A privacy notice that says data is kept for six years is a problem if the retention schedule says two years and the system actually keeps data indefinitely.

Record of Processing Activities (RoPA)

A Record of Processing Activities (RoPA) is a core accountability document under Article 30 UK GDPR for most organisations. It records what personal data the organisation processes, why it processes it, who it shares it with, how long it keeps it and what security measures apply.

A useful UK RoPA template should include:

  • processing activity name;
  • purpose of processing;
  • categories of individuals;
  • categories of personal data;
  • special category or criminal offence data;
  • lawful basis;
  • Article 9 condition where relevant;
  • recipients or categories of recipients;
  • processors and systems used;
  • retention periods;
  • security measures;
  • international transfers;
  • business owner or responsible team.

RoPA completeness is often a key audit issue. If the RoPA is missing major processing activities, the organisation may struggle to demonstrate that it understands its data flows.

Healthcare organisations should pay particular attention to patient data, staff records, safeguarding information, third-party systems, referrals, care records and supplier processing.

After reviewing your RoPA, teams may benefit from GDPR audit readiness training, especially where healthcare or care data is involved.

Privacy Notices

Privacy notices explain how an organisation uses personal data. They should be clear, accurate and accessible.

A privacy notice should usually explain:

  • who the organisation is;
  • what personal data is collected;
  • why the data is used;
  • lawful bases for processing;
  • special category conditions where relevant;
  • who data is shared with;
  • how long data is kept;
  • individual rights;
  • how to complain;
  • DPO or contact details where applicable;
  • international transfers where relevant.

Privacy notice accuracy is important. If the organisation starts using data in new ways, adds new systems, changes suppliers or introduces profiling, notices may need updating.

In an audit, reviewers may compare the privacy notice against actual practice. If staff are using data in ways not described, transparency may be weak.

Data Retention Schedule

A data retention schedule sets out how long personal data is kept and when it should be deleted, archived or reviewed.

Retention is a common audit weakness because many organisations keep data “just in case”. UK GDPR requires personal data to be kept no longer than necessary. This means organisations should define retention periods and apply them in practice.

A retention schedule should cover:

  • record type;
  • business purpose;
  • legal or regulatory requirement;
  • retention period;
  • trigger date;
  • disposal method;
  • owner;
  • review frequency.

Retention schedule adherence matters as much as the document itself. An audit may ask whether deletion actually happens, whether systems support deletion, and whether staff understand retention rules.
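The adherence test described above (does deletion actually happen, and does the privacy notice agree with the schedule?) can be run mechanically against a system export. The script below is an added example and is not from the original article or any named product; the retention schedule, privacy notice claims and system records it uses are constructed for illustration, and the field names (`retention_days`, `trigger_date`, `owner`) are assumptions rather than any system's real schema. It flags records held past their disposal date, record types missing from the schedule (a RoPA gap), and record types where the notice promises a different period from the schedule.

```python
"""Added example (not from the original article): a retention-adherence and
notice-consistency check of the kind an internal GDPR audit would run.
All data below is constructed for illustration."""
from datetime import date, timedelta

# Constructed retention schedule keyed by record type. Each entry carries the
# fields the article lists: period (in days), trigger event, disposal method, owner.
RETENTION_SCHEDULE = {
    "staff_record": {
        "retention_days": 6 * 365,
        "trigger": "employment_end",
        "disposal": "secure_delete",
        "owner": "HR",
    },
    "recruitment_file": {
        "retention_days": 180,
        "trigger": "decision_date",
        "disposal": "secure_delete",
        "owner": "HR",
    },
    "patient_referral": {
        "retention_days": 8 * 365,
        "trigger": "last_contact",
        "disposal": "archive_then_delete",
        "owner": "Clinical governance",
    },
}

# Constructed statements transcribed from a privacy notice:
# record type -> retention the notice promises, in days.
PRIVACY_NOTICE_CLAIMS = {
    "staff_record": 6 * 365,
    "recruitment_file": 2 * 365,  # notice says two years; schedule says six months
}

# Constructed system export: one row per record actually held, with the
# trigger date the system recorded. A real run would read the system's own export.
SYSTEM_RECORDS = [
    {"id": "S-001", "type": "staff_record", "trigger_date": date(2017, 3, 1)},
    {"id": "S-002", "type": "staff_record", "trigger_date": date(2022, 9, 15)},
    {"id": "R-010", "type": "recruitment_file", "trigger_date": date(2023, 1, 20)},
    {"id": "R-011", "type": "recruitment_file", "trigger_date": date(2026, 3, 1)},
    {"id": "P-500", "type": "patient_referral", "trigger_date": date(2015, 6, 30)},
    {"id": "X-999", "type": "mystery_export", "trigger_date": date(2020, 1, 1)},
]

# Constructed audit date, so the result is reproducible.
AUDIT_DATE = date(2026, 6, 16)


def overdue_records(records, schedule, today):
    """Return (overdue, unscheduled): records held past their retention period as
    (id, type, days_overdue, owner), and ids of records whose type has no
    schedule entry at all."""
    overdue, unscheduled = [], []
    for rec in records:
        rule = schedule.get(rec["type"])
        if rule is None:
            unscheduled.append(rec["id"])
            continue
        dispose_by = rec["trigger_date"] + timedelta(days=rule["retention_days"])
        if today > dispose_by:
            overdue.append((rec["id"], rec["type"], (today - dispose_by).days, rule["owner"]))
    return overdue, unscheduled


def notice_mismatches(notice_claims, schedule):
    """Return (type, promised_days, scheduled_days) for every record type where the
    privacy notice promises a retention period the schedule does not match."""
    mismatches = []
    for rtype, promised_days in notice_claims.items():
        rule = schedule.get(rtype)
        scheduled = rule["retention_days"] if rule else None
        if scheduled != promised_days:
            mismatches.append((rtype, promised_days, scheduled))
    return mismatches


if __name__ == "__main__":
    overdue, unscheduled = overdue_records(SYSTEM_RECORDS, RETENTION_SCHEDULE, AUDIT_DATE)
    for rec_id, rtype, days_over, owner in overdue:
        print(f"OVERDUE  {rec_id} ({rtype}) {days_over} days past disposal date; owner: {owner}")
    for rec_id in unscheduled:
        print(f"NO RULE  {rec_id}: record type not in retention schedule")
    for rtype, promised, scheduled in notice_mismatches(PRIVACY_NOTICE_CLAIMS, RETENTION_SCHEDULE):
        print(f"MISMATCH {rtype}: notice says {promised} days, schedule says {scheduled}")
```

Each finding maps to a line in the action plan: overdue records go to the named owner with a disposal deadline, unscheduled record types go back to the RoPA review, and notice mismatches go to whoever owns the privacy notice.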

DPIA Register

A Data Protection Impact Assessment (DPIA) is required where processing is likely to result in high risk to individuals. DPIAs are also a key accountability tool.

A UK DPIA checklist should help organisations assess:

  • the nature, scope, context and purpose of processing;
  • necessity and proportionality;
  • risks to individuals;
  • safeguards and controls;
  • residual risk;
  • consultation needs;
  • approval and review dates.

A DPIA register helps track completed DPIAs, in-progress assessments and review dates. This is useful for audit readiness because it shows that the organisation has a process for identifying and managing high-risk processing.

The DPO should be involved in DPIAs, advise on the process and monitor whether DPIAs are carried out appropriately.

Data Breach Register

UK GDPR requires organisations to document personal data breaches, including breaches that are not reported to the ICO. A breach register helps evidence that incidents are assessed, recorded and learned from.

A breach register should include:

  • date discovered;
  • date occurred, if known;
  • description of the incident;
  • data involved;
  • individuals affected;
  • risk assessment;
  • containment actions;
  • ICO reporting decision;
  • individual notification decision;
  • lessons learned;
  • corrective actions.

An audit may look for whether breach decisions are consistent and whether actions are followed through. Repeated similar incidents may suggest that training or controls are not working.

Policies Every Organisation Should Have

Policies turn data protection expectations into practical rules. The exact policies needed depend on the organisation’s size, sector and processing, but most organisations should maintain a basic policy set.

Useful policies include:

  • data protection policy;
  • information security policy;
  • data breach response procedure;
  • subject access request procedure;
  • retention and disposal policy;
  • acceptable use policy;
  • remote working and device policy;
  • data sharing policy;
  • supplier and processor management procedure;
  • DPIA procedure;
  • records management policy;
  • special category data handling policy.

Healthcare organisations may also need more specific procedures for patient confidentiality, clinical record access, safeguarding information, NHS systems, DSP Toolkit evidence and data sharing between care providers.

Policies should be reviewed regularly. A policy that has not been updated for years may not reflect current systems, laws or risks.

Auditors may ask whether staff know the policies exist and how they are applied. A policy is stronger when supported by training, operational guidance, system controls and evidence of review.

Training Records as Accountability Evidence

Training records are important accountability evidence. They show that the organisation has not simply written policies, but has taken steps to make staff aware of their responsibilities.

Training records may include:

  • induction training completion;
  • annual refresher training;
  • role-specific training;
  • DPO training;
  • manager training;
  • healthcare data protection training;
  • cybersecurity awareness training;
  • breach reporting training;
  • SAR handling training;
  • attendance logs;
  • assessment results;
  • reminders and escalation records.

Training should match risk. Staff handling patient data, employee records, children’s information, financial data or large volumes of customer data may need more detailed training than staff with limited access.

An audit may ask:

  • Who receives training?
  • How often is it refreshed?
  • What topics are covered?
  • How is completion tracked?
  • What happens if staff do not complete training?
  • Is training tailored to job roles?
  • Are incidents used to improve training?

For organisations strengthening evidence, GDPR compliance training can support wider staff awareness, while GDPR Training for Data Protection Officers helps DPOs and compliance leads manage monitoring and accountability.

10-Point GDPR Audit Readiness Checklist

Use this 10-point checklist to assess UK GDPR readiness before an ICO audit, internal audit or customer assurance review.

  • Update your RoPA
    Check that all major processing activities are listed and that lawful bases, retention periods and sharing arrangements are accurate.
  • Review privacy notices
    Make sure notices reflect what actually happens, including systems, purposes, recipients and individual rights.
  • Check retention practice
    Confirm that retention rules are applied, not just written down.
  • Review DPIAs
    Identify high-risk processing and check that DPIAs are completed, approved and reviewed.
  • Test breach procedures
    Confirm that staff know how to report incidents and that the breach register is complete.
  • Check SAR handling
    Review whether subject access requests are recognised, logged and answered within required timescales.
  • Audit training records
    Confirm that staff have completed appropriate data protection training and that completion gaps are followed up.
  • Review supplier contracts
    Check that processors have appropriate contracts, security obligations and breach notification clauses.
  • Assess information security controls
    Review access controls, MFA, device security, backups, encryption, remote working and user permissions.
  • Report findings to senior management
    Create an action plan with owners, deadlines and risk ratings.

A UK GDPR compliance audit template should not only list documents. It should help the organisation identify whether the documents match real practice.

The DPO plays a key role in audit readiness by advising, monitoring, challenging gaps and reporting to senior management. However, audit readiness is not solely the DPO’s responsibility. HR, IT, operations, procurement, legal, records management and frontline teams all contribute.

For healthcare organisations, an ICO audit preparation course can help teams connect GDPR documentation, training, patient data governance and continuous compliance.

FAQs

What does an ICO audit involve?
An ICO audit assesses how an organisation complies with data protection law. It may review documents, policies, training records, governance arrangements, breach handling, DPIAs, records of processing and evidence that procedures work in practice.

Does the ICO audit all organisations?
No. The ICO does not audit every organisation. ICO reviews may be consensual, compulsory, risk-based, sector-focused or linked to complaints, breaches or other concerns.

What documents should I have for a GDPR audit?
Key documents include your RoPA, privacy notices, retention schedule, DPIA register, breach register, data protection policies, SAR procedure, processor contracts, training records and security evidence. The exact documents depend on your processing and sector.

What is a Record of Processing Activities?
A Record of Processing Activities is a written record of how your organisation processes personal data. It usually covers purposes, categories of data, individuals, recipients, retention periods, lawful bases, security measures and transfers.

Can staff training records be used as GDPR compliance evidence?
Yes. Training records can help demonstrate accountability by showing that staff have been informed about their data protection responsibilities. They are strongest when training is role-based, refreshed regularly and linked to policies and incident learning.

Build your compliance foundation — explore our GDPR audit readiness and healthcare compliance training to strengthen documentation, staff awareness and continuous compliance.
