11 August 2025
How to audit your GDPR compliance in an afternoon
Most small businesses think GDPR compliance is more complicated than it actually is. Here's a practical, step-by-step approach that doesn't require a lawyer.
Catenary Ltd
1072 words · 6 min read
GDPR has been in force since 2018. The UK version (UK GDPR) has applied since Brexit. And yet the majority of small businesses and NGOs we talk to still don't have a clear picture of what data they hold, where it lives, or whether they're handling it correctly.
This isn't necessarily negligence. The legislation is dense, the guidance is written for lawyers, and the whole thing feels overwhelming. So people put it off.
Here's the thing: for most small businesses, getting to a reasonable state of compliance isn't as complicated as it looks. Hiring a specialist (like us) can be helpful, but to make a start, all you need is a few hours, some honesty, and a spreadsheet.
This is the approach we use when helping organisations get started.
Step 1: Work out what personal data you actually hold
Personal data is any information that relates to an identifiable living person. In practice, for most small businesses, that means:
- Customer names, email addresses, phone numbers, postal addresses
- Supplier and contractor contact details
- Employee records (payroll, contracts, HR files)
- Any data you hold on behalf of clients (if you're a data processor)
- Website visitor data (if you use analytics or contact forms)
- Mailing list subscribers
Go through your systems (email, CRM, spreadsheets, accounting software, file storage) and make a list. You'll probably find data in more places than you expected. That's fine. The point is to know what you've got.
Step 2: For each type of data, ask three questions
Once you know what you hold, you need to understand it better. For each category of data, ask:
What's our lawful basis for holding it?
UK GDPR requires you to have a legal reason to process personal data. The most common ones for small businesses are:
- Legitimate interests: You need the data to run your business in a way the person would reasonably expect. This covers most B2B contact data.
- Contract: You need the data to fulfill a contract. This covers customer and supplier data where you have a commercial relationship.
- Consent: The person explicitly agreed to you holding their data. This is required for marketing emails.
- Legal obligation: You're required by law to hold it. This covers employee payroll records, for example.
If you can't identify a lawful basis for a particular category of data, that's a problem worth addressing.
How long do we keep it?
UK GDPR requires you not to keep personal data longer than necessary. Most businesses don't have a documented retention policy, and most haven't really thought about when they'd delete old customer records, lapsed contacts, or ex-employee files.
There's no single correct answer, but you do need one. Employee records, for instance, are typically retained for 6 years after employment ends (for tax purposes).
Who has access to it?
This includes both internal access (who can see what) and external access (which software systems and third-party services can reach it). If your customer data sits in a US cloud service, that's relevant. See our post on digital sovereignty for why.
Step 3: Check your data subject rights processes
Under UK GDPR, individuals have rights over their personal data. The most common ones you'll need to handle are:
- Subject access requests (SARs): Someone asks to see all the data you hold on them. You have one month to respond, and it's free.
- Right to erasure: Someone asks you to delete their data. In many cases you have to comply.
- Right to rectification: Someone says their data is wrong and asks you to correct it.
The question isn't whether you know these rights exist — it's whether you could actually respond to a request if one arrived. Could you locate all the data you hold on a specific person across all your systems? Could you delete it if required? Do you know who's responsible for handling these requests?
Most businesses don't have a clear process. Having one doesn't need to be complicated. Even a simple note saying "if we receive a data subject rights request, person X is responsible and here's what they should do" is significantly better than nothing.
Step 4: Check your privacy notice
If you collect personal data from people (via a website contact form, by taking customer details or by building a mailing list), you need to tell them certain things. The standard mechanism is a privacy notice (sometimes called a privacy policy).
Your privacy notice needs to cover:
- Who you are and how to contact you
- What data you collect and why
- Your lawful basis for processing
- Who you share data with (including third-party services)
- How long you keep data
- What rights people have and how to exercise them
A lot of small businesses either don't have a privacy notice at all, or have one that was generated by a tool years ago and doesn't reflect what they actually do. Either way, it's worth reviewing.
Step 5: Document what you've found
UK GDPR requires organisations with more than 250 employees to maintain a formal Record of Processing Activities (ROPA). Below that threshold it's not strictly required, but it's extremely good practice and genuinely useful.
A ROPA is just a document that records what personal data you process, why, how, and for how long. A spreadsheet with one row per category of data is sufficient. It gives you a clear picture of your data landscape, makes it much easier to respond to audits or subject access requests, and helps you identify gaps.
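Once the ROPA spreadsheet exists, the three questions from Step 2 can be run over it mechanically. The script below is an added example, not part of this post or a Catenary template: it reads a ROPA with one row per category of data and flags rows with no lawful basis, marketing use without consent, a retention period that has already been exceeded, and data reachable by a service outside the UK/EU. The column names and the sample rows are constructed for illustration; substitute your own spreadsheet exported as CSV.

```python
"""Check a ROPA-style CSV against the questions in Step 2.

Added example, not the post's own tooling. Column names below are an
assumption of this example, and the sample rows are constructed data.
"""
import csv
import io
from datetime import date

# Constructed sample ROPA: one row per category of personal data.
SAMPLE_ROPA = """\
category,purpose,lawful_basis,retention_months,last_activity,systems,shared_with,outside_uk_eu
Customer contact details,Order fulfilment,contract,72,2024-03-01,CRM;Accounting,Payment processor,no
Mailing list subscribers,Newsletter,legitimate interests,24,2025-07-15,Mail tool,Mail tool vendor,yes
Ex-employee HR files,Tax records,legal obligation,72,2017-06-30,HR drive,Accountant,no
Website analytics,Site improvement,,12,2025-08-01,Analytics,Analytics vendor,yes
Lapsed supplier contacts,Historic procurement,legitimate interests,24,2021-01-10,Spreadsheet,,no
"""

# The four bases the post lists as the common ones for small businesses.
VALID_BASES = {"legitimate interests", "contract", "consent", "legal obligation"}

# Fixed "today" so the sample audit is reproducible (assumed date).
TODAY = date(2025, 8, 11)


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def audit_ropa(csv_text, today):
    """Return a list of (category, finding) tuples for rows needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cat = row["category"]
        basis = row["lawful_basis"].strip().lower()

        # Question 1: is there a lawful basis at all?
        if basis not in VALID_BASES:
            findings.append((cat, "no lawful basis recorded"))

        # The post: consent is required for marketing emails.
        if "newsletter" in row["purpose"].lower() and basis != "consent":
            findings.append((cat, "marketing use without consent as the basis"))

        # Question 2: is there a retention period, and has it run out?
        if not row["retention_months"].strip():
            findings.append((cat, "no retention period recorded"))
        else:
            limit = int(row["retention_months"])
            age = months_between(date.fromisoformat(row["last_activity"]), today)
            if age > limit:
                findings.append((cat, f"retention exceeded by {age - limit} months"))

        # Question 3: external access, including non-UK/EU services.
        if row["outside_uk_eu"].strip().lower() == "yes":
            findings.append((cat, "reachable by a service outside the UK/EU: check transfer arrangements"))
    return findings


def audit_sample():
    """Run the checks over the constructed sample with the fixed date."""
    return audit_ropa(SAMPLE_ROPA, TODAY)


if __name__ == "__main__":
    for category, finding in audit_sample():
        print(f"{category}: {finding}")
```

Each finding maps back to one of the "things to fix" at the end of the post: a missing basis means deciding one or deleting the data, an exceeded retention period means deletion, and a non-UK/EU flag means checking whether the service is appropriate for that data.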
What happens after the audit
Most organisations come out of this process with a clearer picture and a short list of things to fix. The fixes typically involve one or more of:
- Deleting data you no longer need
- Updating your privacy notice
- Putting a retention schedule in place
- Moving data off services that aren't appropriate
- Getting proper consent for marketing communications
None of these are technically difficult. They take time, not expertise. And the alternative — waiting until there's a complaint or an ICO inquiry — is significantly worse.
If you go through this process and want a second opinion on what you've found, we're happy to talk it through. We can also help with the trickier parts, like transfer impact assessments or deciding whether a particular tool is appropriate for the data you're putting into it.