Before you can take any action — update your privacy policy, add a new opt-in box or change your consent process — you need to know what data you currently collect and what you do with it.

Luckily, it doesn’t need to take you all day. It’s just a simple record of the different sources of people’s information, where you store it and what you do with it.

In fact, you can do it with just 7 questions!

I’m not a lawyer and none of the information in this article or any linked files should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.

The 7-question data audit

Don’t panic!

If you aren’t sure how to complete any part of this audit right now, leave it blank and come back to it later as you read more articles in the Data Privacy series. We’ll be looking at things like “Data Controllers” and how to get Consent in more detail.

1 – 3: How and why do you collect this data?

I suggest listing each unique combination of “source” and “purpose” separately.

The source (how you collect it) tells you which business activity you might need to change, whether that’s your online checkout system, your newsletter subscription form, or the way you collect customer info at markets.

The purpose (why you collect it) will help you decide which GDPR legal basis you rely on to use that data, and that basis may differ even when the data is collected at the same source (e.g. from a sale).

Even if you aren’t worried about the GDPR, the legal bases it defines will stand you in good stead for complying with other privacy laws, too.

For more information about the GDPR legal bases, read the UK’s Information Commissioner’s Office website or use their interactive “lawful basis” tool.

4: What data do you collect?

Briefly list the data you collect or access (name, email, country, IP address etc.). This is an opportunity to identify when you collect too much or information that isn’t strictly necessary for your purpose.

When you start checking the details about each tool, you might find more information that they collect to add to this list (like cookie IDs).

5: Tools & services you use

You should aim to use GDPR-compliant tools to store all the personal data you collect. List every tool and service that touches the data, whether it simply processes it in passing or stores it long term.

Don’t forget to check plugins and extensions in WordPress or your ecommerce platform – you might be surprised what’s keeping a copy of your customer or contact data!

6: Data retention

This is an opportunity to identify reasonable timeframes for keeping data or asking for re-consent. If you have legal requirements (e.g. for tax purposes), note them here. This information about your data retention will go in your privacy policy.

7: Access & Sharing

If you’re a one-person show, this might look easy! But think carefully: do you share personal data with any people or companies that you haven’t already listed under your tools and services?

For example, if you create shipping labels manually (without using a shipping management tool) you might not have listed anything under Tools & Services. But you are sharing this data with your postal service or courier company and will need to put that in your privacy policy! (You won’t need consent, though, as it’s just part of fulfilling the sale.)

How to choose GDPR compliant tools & services

You need to make sure all the tools and services you use to collect, store, process and access data are also GDPR-compliant. In fact, using GDPR-compliant tools is the easiest way to make sure you’re compliant!

Jump to the “My Tools” sheet of the spreadsheet and enter the tools & services you already listed across the top.

Prioritize your tools based on risk

This audit is more time-consuming than the data audit. You might like to prioritize which tools to audit first based on a few risk factors, such as:

  • The kind of data they store (personal contact details vs fairly anonymous data).
  • How likely you already think they are to be compliant and secure (a big tool vs tiny startup).
  • How intrusive the data use is to the data subjects themselves, which could invite complaints (a private spreadsheet of customer data vs an email marketing list you send to weekly).

How to complete the audit

  1. Critically assess why you use this tool and whether you need to keep using it.
  2. Google that tool’s name + “GDPR”. If they have a page about how they’re becoming compliant, use that to complete your audit.
  3. Read their new Privacy Policy or Terms of Use to discover whether they see themselves as a Data Controller or Data Processor (or both), and in what circumstances. They should explain what obligations this gives to you.
  4. Double-check that the tool supports all the Individual Rights of the GDPR, such as being able to completely delete a person’s data!
  5. If you rely on a user’s Consent to add their data to this tool, will it help you ask for or store that consent? (e.g. adding special tick boxes or legal text to forms, or automatically showing a pop-up consent box.)
