Skip to Main Content
Learn for less: Save 10% on high-quality foundation and auditor training. Find out more
Privacy Audit Service

Privacy Audit Service

SKU: 5478
Authors: ITG
Format: Consultancy

The Privacy Audit service will validate that your data privacy practices meet your applicable regulatory requirements for either the GDPR (General Data Protection Regulation) and Data Protection Act 2018 (DPA), the PECR (Privacy and Electronic Communications Regulations), or both.

  • Validate your data privacy practices to meet applicable regulatory requirements and IT Governance best practice.
  • Identify areas of non-compliance.
  • Receive prioritised recommendations for improvement.
For more information about this service or to get a tailored quote for your organisation, please enquire below and one of our experts will be in touch shortly.Enquire about this service

Assess your privacy compliance

Regulatory compliance is not a one-off exercise. True compliance involves consistently identifying and managing emerging privacy and security risks. An internal audit, conducted by a privacy expert, can help you validate whether your practices are in line with the GDPR and/or PECR (as applicable).

The benefits of a privacy audit

  • Regulatory compliance

    Get independent assurance that your data privacy policies and practices meet the relevant legal requirements.

  • Reduce operational risk

    Identify and resolve operational and systemic weaknesses in your organisation’s handling of personal data and direct marketing practices.

  • Stakeholder confidence

    Gain stakeholder confidence in your data privacy processes.

  • Consumer trust

    Demonstrate your organisation’s commitment to data security and privacy, and protecting individuals’ rights and freedoms.

What you can expect

Our experienced data privacy team will assess your organisation’s data privacy and information security practices through an on-site compliance audit, checking them against relevant regulatory requirements, ICO (Information Commissioner’s Office) guidance and IT Governance best practice.

We will:

  • Review documentation (policies, procedures, records, etc.);
  • Check that required controls are in place (e.g. CCTV, access controls, and other security measures); and
  • Conduct interviews with key members of staff.

After the audit, you’ll receive a report that records the consultant’s observations and findings, as well as a separate audit tool workbook that contains the detailed audit results.

This is not a legal service, but our sister company GRCI Law Limited can offer legal advice where potential legal issues are identified.

What the service covers

Areas covered:

GDPR Audit PECR audit
  • Governance
  • Risk management
  • Ongoing GDPR compliance programme
  • DPO (data protection officer)
  • Roles and responsibilities
  • Scope of compliance
  • Process analysis (Article 30 requirements)
  • PIMS (personal information management system)
  • ISMS (information security management system), the sixth data processing principle and Article 32
  • Rights of data subjects
  • Scope of compliance
  • Governance
  • Solicited and unsolicited marketing
  • Consent
  • Marketing calls, faxes and post
  • Generating leads
  • Selling and buying marketing lists
  • Cookies and similar tracking technologies
  • Ongoing PECR compliance programme

What the service includes

  • Executive summary – a high-level overview of what was found.
  • Scope – the areas we looked at as part of the audit.
  • Findings – the consultant’s observations and findings regarding areas of good practice, issues or concerns.
  • Next steps – the next steps needed to close any compliance gaps.
  • The methodology that was used for the audit.
  • An audit dashboard that details the areas looked at, with comments that require action to remedy any nonconformities found.

For more information, download the service description

What’s the difference between a gap analysis and an audit?

Gap analysis Audit
Exclusively question-based (‘Do you do X?’). Evidence-based: the consultant needs to be able to see X is done (so must be on site).
Typically conducted at an early stage in the compliance programme. Typically conducted when the organisation believes it is already compliant.


The price is applicable for organisations with up to 500 employees, based at a single main site.

For larger or more complex organisations, please contact us for a custom quote by emailing

The fee excludes any necessary travel, accommodation and subsistence expenses. Expenses will be assessed and charged in arrears.

Discounts for multi-year audits only apply when a two- or three-year contract is agreed at the purchase of the first audit; discounts cannot be backdated.

Customer Reviews

This website uses cookies. View our cookie policy
SAVE 10%