GDPR Auditing and Risk Assessment

One challenge with GDPR is that it is written into law without full consideration of the size of the organisation, the complexity of its operations, or the practical question of how you as a business will implement, monitor and maintain compliance.

There is no overarching standard like you have in the payment card industry (with the PCI DSS), and no defined auditable process accompanying GDPR. As such, businesses are challenged to define their current compliance level and come to their own conclusions about the best way to achieve compliance.

Bytes have developed a range of GDPR auditing and compliance assessment services with specialist data consultancy partner Risk-X to aid in this process. Our services enable businesses to gain a clear picture of how compliant they are, and of the strategies and processes they can adopt to improve that.

Key Areas of GDPR Audit and Assessment

Current data singularity, accuracy, erasure & correction capability

Profiling of data store locations, clean up and design of storage

Document and design basis for data processing & consent collection

Legal counsel on basis of processing, storage and retention of data

Design of PII replacement solutions (tokenisation)

Privacy certification (ISO 29100) & privacy impact assessment

Assurance and penetration testing to assess solution strength


Bytes and Risk-X Auditing Services

GDP Base and GDP Plus

General Data Protection Base (GDP)

Designed in line with the international standard for information security, ISO27001, the premise of GDP Base is to identify what data you have and how you use it. Once you understand this, a Privacy Information Management System (PIMS) can be created to manage that data.

The process that we use to do this is as follows:


When you complete GDP+ you will have a workable Privacy Information Management System (PIMS) and will be able to address the 12 key points that the UK Information Commissioner’s Office (ICO) has recommended UK businesses focus on to ensure that they can meet the new Regulation.


This consultant-led, interactive service leaves you with a working system and all the policies you require to comply with the GDPR.

General Data Protection Plus (GDP+)

GDP+ extends the work already completed to the operational, physical and technical areas of your business and considers their implemented state. Consultants look at the scope generated by the Base service and use ISO27001 (aligned with privacy frameworks) to review how your data is protected.

The report will provide the following:

  • A statement of applicability of controls, showing which controls are required for the security of PII and which you already have in place
  • A risk-prioritised remediation plan for areas non-conformant with ISO27001, as per the example shown here

The GDP+ process looks at all areas of the business in scope for privacy information and provides a baseline of all controls in place. Further guidance is provided to allow you to remediate any failures. ISO27001 is a well-suited standard for this and lends itself directly to privacy requirements.


It is worth noting that the GDP+ service does not have to directly follow the GDP Base service: doing so is recommended, but GDP+ can be bolted on later.

Request More Information on GDPR Auditing and Assessment

To speak to a Bytes consultant about GDPR auditing, contact the Bytes Security Partnerships team. Call us on 0845 075 0560 or email us at
