DataHub Consulting, Experts in Analytics, Business Intelligence, and Compliance

Date

13 November 2025

As part of our Risk & Compliance Services, Datahub Consulting deliver data protection projects to customers all over the world. Currently we are working with airlines and airports in the Middle East, manufacturing & retail companies in the UK and Europe, Visa companies in Canada, and a hotel in Asia.

Our team comprises legal experts and risk analysis professionals, all with a background in data protection, as well as data engineers who understand the technical aspects of IT security and can work closely with customer IT teams to bridge the gap between data protection and IT security.

Customers commonly ask us about the audit process: what's involved and how long it will take. This article answers many of those questions and explains the process from start to finish. For any customer the audit is nothing to be afraid of; we guide customers through the process and provide an informative audit report at the end.

As part of Datahub's data protection services we have a comprehensive audit framework that we can use to audit against any data protection law with customers in any industry. We have a full audit that deep dives into a customer's data protection framework. We also have a lite audit where we look at specific areas of focus. Usually, we only conduct a lite audit with customers that have already had a full audit and scored higher than average. With the lite audit we also like to go in unannounced, so only a small number of the senior leadership team know about it. This enables us to see the business when they are not prepared for us.

What does the customer receive? After the audit the customer will receive a detailed audit report in non-technical language so the leadership team can fully understand their strengths and areas for improvement.

About The Audit

The audit process will allow Datahub to deep dive into a customer's data protection framework and to fully assess whether there are any risks to the organisation, to the data subjects, or to any partners that you work with.

So that we can achieve this, the audit is made up of three sections.

  • Pre-assessment
  • Audit
  • Review
  • Audit Report

The pre-assessment, review & audit report will be conducted from the Datahub offices, whereas the audit will be conducted at the customer's offices. We always do the audit at the customer's offices because we will be looking at the security measures of the building, such as access control, the knowledge and awareness of staff, and how data protection is embedded in the operations of the business. We also look at the general IT security awareness of staff: for example, do they lock their machines when they leave their workstation, how frequently are passwords changed, and are staff aware of what to do in the event of a data breach?

Early in the audit process the customer will be allocated a lead auditor. This will be the person that visits the organisation and conducts the audit. There will also be a secondary auditor. This person will review the audit in the review & report stage to ensure that the lead auditor has gathered all the necessary information and been fair and accurate with the audit, to make recommendations, and to support with the action plan.

How Long Does the Audit Take to Complete?

The pre-assessment will usually take approx. 16 hours (2 days of work). But we understand that information will be fed to us over time, so the 16 hours could be spread over a 2-week period.

The audit will take between 3-5 days, depending on the size of the organisation and the number of processes that involve personal information. From our experience, for an airline with many departments and lots of data containing personal information this will take 5 days. This is based on the audit of the airline headquarters and excludes any country offices, airport offices, etc. Finally, the review and audit report will take 3 days to complete.

When We Recommend an Audit

We recommend an audit when an organisation starts working with Datahub Consulting. This could be for implementation of a data protection framework or DPO as a Service. We do this so that we have a full understanding of your business, the current data protection framework in place, how the business has adopted data protection, and an understanding of the areas where we can support.

We also recommend an audit periodically. This will vary from 12 to 24 months based on your previous audit scores and any remedial actions recommended. This periodic audit could be either a full or lite audit. Data protection is a continual improvement process and constantly needs to be assessed. We would look at whether there were any changes in a customer's business processes, staff changes, or other changes that could affect risks to the personal information of the data subjects. Having periodic audits ensures continuity and compliance.

Audit Pre-Assessment

We start the audit with the pre-assessment to understand your business, how you use personal information, and the security measures in place. We will do this by asking for any documents and information to be sent through to us.

Information that we would request and review:

  • Review the organisational structure. This will include management team and any staff that are part of your compliance team.
  • Review any data protection policies, procedures currently in place.
  • Review any logs that you have relating to data protection. For example, this would be Data Protection Impact Assessment (DPIA) logs, Subject Access Request (SAR) logs etc.
  • Review any previous audit documents that another company may have completed.
  • Understand if any new technology has been introduced. For example, if a new ERP has been implemented, or your organisation have started to use AI in any process involving personal information.
  • Agree an audit schedule. As we travel internationally to visit a customer, we want to ensure that we meet with all departments that process personal information. Having a structured schedule allows us to plan the audit efficiently and also lets the department managers know when we plan to visit them so they can make themselves available. We understand that the time of the management team is precious, and having a schedule in place allows us to manage the audit effectively.

Audit

The audit consists of 266 controls covering the 12 sections listed below. The controls measure the full scope of a business's data protection capabilities. Our detailed audit was created through collaboration between the Datahub Team's legal, risk, and IT security experts, each contributing their input to provide a full and concise audit benchmark.

Sections covered in the audit:

  • Governance & Accountability
  • Legal Reason for Processing, and Information Disclosure
  • Data Protection Officer (DPO) and EU/UK Representation
  • Privacy By Design and Security Measures
  • Data Protection Principles & Processing Activity
  • Cross Border Data Transfers, Data Sharing, and Third Parties
  • Data Subject Rights
  • Data Subject Requests, Notifications, & Communication
  • Data Breach Management
  • Data Protection Impact Assessments (DPIA)
  • Training & Competencies
  • Audits, Monitoring, and Logs

Audit Review

After the audit visit we may be given further information or documents by the customer to validate information provided. In the review we will conclude all the audit notes, review the last of the documents, and carry out a Datahub internal peer review with the secondary auditor.

For customers that partner with us, we feel that we have a duty of care to provide an accurate, complete, and unbiased audit. The customer has placed their trust in Datahub to assess whether their current compliance is sufficient to minimise any risks, and whether the processes in place are robust enough to be considered compliant. This is why we assign a secondary auditor to independently validate the findings, ensuring consistency, impartiality, and the highest standards of quality in every audit we deliver.

Audit Report

The audit report is what the customer receives after the audit. The report will be approx. 15-20 pages in length and will include scores generated using an algorithm based on the information collated during the audit. The 266 controls are not all equally weighted, so some have more importance than others.

For this reason, we use our unique algorithm to provide an accurate scoring process based on a weighting factor. Also, the algorithm takes into consideration any applicable data protection laws. For example, EU GDPR article 37 (Designation of a DPO) designates when a DPO is required. But there are data protection laws that don’t mandate the requirement for a DPO. Where these laws are being audited, even though Datahub will always recommend a DPO, the algorithm would ensure the audit score would not be affected.

What the report will consist of:

  • Introduction including information about your organisation and the audit scope & exclusions, and scoring criteria.
  • There are 12 sections covering all aspects of data protection best practice. Each of these sections is scored so that you understand in detail your strengths and weaknesses.
  • Final overall audit score.
  • Recommendations and action plan. Based on our findings we will collate our recommendations and a realistic action plan for you to address any issues. Datahub can support with the action plan for an efficient implementation. Alternatively, the customer's internal compliance team can implement the actions.

Why use Datahub for Data Protection Audits

Unlock the potential of smarter data governance through audits that drive strategic value.

At Datahub Consulting, we don’t just assess compliance, we uncover opportunities to strengthen your data governance, reduce risk, and build trust with stakeholders.

Our audits are designed to fit your industry, regulatory requirements, and business operations. Combining global data protection expertise with a practical approach, we deliver guidance that is actionable and aligned with your business priorities.

Discover how our audits empower you to not only meet standards, but exceed them.

Customer Comments

Datahub Consulting guided us seamlessly through our first data protection audit. As we hadn’t undergone one before, we were unsure what to expect or where our compliance gaps might be. Their team made the entire process smooth and straightforward, with clear communication and expert support at every step.

Managing Director
(Financial company In Dubai)

Working with Datahub Consulting

Datahub are experts in global data protection laws and support businesses large and small all over the world. We work with global airlines, airports, retailers, financial services, healthcare organisations, and energy providers.

Contact Our Team

If you are interested in knowing more about our data protection or cybersecurity services, what's the next step?

It wouldn't cost you anything to start a conversation with our CEO, who is a data protection practitioner and subject matter expert in global data protection laws. Our CEO is an expert in data engineering with 22 years of data experience, 15 years of which have been spent consulting with customers all over the world. He has advised global brands on data compliance and privacy best practices.

Find out how we can help

We do not employ salespeople; our team are all experienced technical specialists that can talk you through any of our services.