Conducting a GDPR Data Audit for Your Charity: Step-by-Step Guide
A GDPR data audit — mapping what personal data your charity holds, where it is stored, who has access, what it is used for, and how long it is kept — is the foundation of any data protection programme. Many charities have never conducted a structured data audit and hold data they have forgotten about, in systems they no longer use, under lawful bases they cannot identify, for longer than they have any reason to retain it. The data audit is not just a compliance exercise — it is the moment of genuine understanding that enables effective data management.
Charities that conduct a GDPR data audit identify an average of 4 personal data processing activities with no clear lawful basis — and 6 data stores they were no longer aware of.
How to Conduct a Charity GDPR Data Audit
A structured charity data audit covers five steps:

Step 1 — Identify all personal data sources: interview each team about what data they collect, where it comes from, and how it is used; include CRM, case management, email, shared drives, paper records, and any third-party systems.

Step 2 — Document the data flows: create a Records of Processing Activity entry for each processing activity, recording what data, what purpose, what lawful basis, what retention period, who has access, and which processors are involved.

Step 3 — Assess lawful basis: for each processing activity, confirm you have a valid lawful basis under GDPR Article 6 and, where applicable, a condition under Article 9 for special category data.

Step 4 — Apply data minimisation: identify and delete data that is no longer needed, is held in the wrong system, or has no clear purpose.

Step 5 — Identify and remediate gaps: document and address any processing activities without a clear lawful basis, missing DPAs, or inadequate security controls.
Using Audit Results to Build Your ROPA
The output of the data audit should be a Records of Processing Activity (ROPA) — a structured document that records each processing activity, its purpose, lawful basis, data categories, retention periods, recipients, and security measures. The ROPA does not need to be complex — a well-maintained spreadsheet is entirely adequate for most charities. It should be reviewed and updated at least annually and whenever new processing activities are introduced. The ROPA serves multiple purposes: it is the primary evidence that the charity understands its data processing obligations; it guides data retention and deletion decisions; it is the starting point for Data Protection Impact Assessments for new processing activities; and it is the first document an ICO auditor or investigator will request. Kyanite Blue provides a ROPA template and data audit support for charities.
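Steps 2, 3 and 5 of the audit and the ROPA itself are easier to keep honest when the gap check is mechanical rather than a manual read-through of the spreadsheet. The following is an added example, not Kyanite Blue's template or any tool the page describes: it models each ROPA entry as a record, flags the gaps Step 5 asks for (no Article 6 basis, special category data with no Article 9 condition, processors without a signed DPA, missing retention period, access list or security measures), and exports the register as CSV so it can live in the spreadsheet the text recommends. The field names, the constructed sample entries and the organisation names in them are assumptions made for the example; the list of Article 9(2) conditions is abbreviated to the ones most charities meet.

```python
"""ROPA gap check (added example). Models Records of Processing Activity
entries, flags the gaps a charity data audit should surface, and exports
the register as CSV. Schema and sample data are constructed for illustration."""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Optional

# The six Article 6(1) lawful bases, as short tags.
ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
# Abbreviated set of Article 9(2) conditions for special category data.
ARTICLE_9_CONDITIONS = {
    "explicit_consent", "employment_law", "vital_interests",
    "not_for_profit_body", "made_public", "legal_claims",
    "substantial_public_interest", "health_or_social_care",
}


@dataclass
class Processor:
    name: str
    dpa_signed: bool  # Article 28 data processing agreement in place?


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    data_categories: List[str]
    lawful_basis: Optional[str]
    special_category: bool = False
    article_9_condition: Optional[str] = None
    retention_months: Optional[int] = None
    processors: List[Processor] = field(default_factory=list)
    access_roles: List[str] = field(default_factory=list)
    security_measures: List[str] = field(default_factory=list)


def find_gaps(activity: ProcessingActivity) -> List[str]:
    """Return the Step 5 findings for one ROPA entry (empty list = no gaps)."""
    gaps = []
    if not activity.purpose.strip():
        gaps.append("no documented purpose")
    if activity.lawful_basis not in ARTICLE_6_BASES:
        gaps.append("no valid Article 6 lawful basis")
    if activity.special_category and activity.article_9_condition not in ARTICLE_9_CONDITIONS:
        gaps.append("special category data without Article 9 condition")
    if activity.retention_months is None:
        gaps.append("no retention period")
    for proc in activity.processors:
        if not proc.dpa_signed:
            gaps.append(f"processor {proc.name} has no signed DPA")
    if not activity.access_roles:
        gaps.append("no access roles recorded")
    if not activity.security_measures:
        gaps.append("no security measures recorded")
    return gaps


def audit_ropa(activities: List[ProcessingActivity]) -> dict:
    """Map activity name -> gaps, for entries that have at least one gap."""
    return {a.name: find_gaps(a) for a in activities if find_gaps(a)}


def to_csv(activities: List[ProcessingActivity]) -> str:
    """Flatten the register into the spreadsheet form the ROPA usually takes."""
    fields = ["name", "purpose", "data_categories", "lawful_basis", "special_category",
              "article_9_condition", "retention_months", "processors", "access_roles",
              "security_measures", "gaps"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for a in activities:
        writer.writerow({
            "name": a.name, "purpose": a.purpose,
            "data_categories": "; ".join(a.data_categories),
            "lawful_basis": a.lawful_basis or "",
            "special_category": a.special_category,
            "article_9_condition": a.article_9_condition or "",
            "retention_months": "" if a.retention_months is None else a.retention_months,
            "processors": "; ".join(f"{p.name}({'DPA' if p.dpa_signed else 'no DPA'})" for p in a.processors),
            "access_roles": "; ".join(a.access_roles),
            "security_measures": "; ".join(a.security_measures),
            "gaps": "; ".join(find_gaps(a)),
        })
    return buf.getvalue()


# Constructed sample register: one clean entry, one with Art. 9 / DPA gaps,
# and one forgotten store with almost nothing documented (Steps 1 and 4).
SAMPLE_ROPA = [
    ProcessingActivity("Donor records", "Fundraising and Gift Aid claims",
                       ["name", "address", "donation history"], "legitimate_interests",
                       retention_months=84, processors=[Processor("ExampleCRM", True)],
                       access_roles=["fundraising team"], security_measures=["MFA", "role-based access"]),
    ProcessingActivity("Beneficiary case files", "Delivering support services",
                       ["name", "health notes"], "public_task", special_category=True,
                       retention_months=36, processors=[Processor("CaseCloud", False)],
                       access_roles=["caseworkers"], security_measures=["encryption at rest"]),
    ProcessingActivity("Legacy volunteer spreadsheet", "", ["name", "phone"], None),
]

if __name__ == "__main__":
    for name, gaps in audit_ropa(SAMPLE_ROPA).items():
        print(f"{name}: {'; '.join(gaps)}")
    print(to_csv(SAMPLE_ROPA))
```

Running the module prints the gap report followed by the CSV register; the `gaps` column is what a trustee or auditor would want to see next to each activity, and an empty column after remediation is the evidence that Step 5 is closed.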