Small businesses often skip privacy audits because they seem like an enterprise concern. They’re not. A single data breach at a small company can cost $50,000–$500,000 in recovery costs, regulatory fines, and lost customers. Most breaches exploit simple, fixable problems.
This checklist is organized into eight areas. Work through each section, mark what’s done, and create a remediation task for anything that isn’t.
1. Data Inventory
You can’t protect data you don’t know you have. Start by mapping what personal data your business collects and where it lives.
Questions to answer:
- What personal data do you collect? (names, emails, phone numbers, payment cards, addresses, health data, behavioral data)
- Where is it stored? (SaaS tools, local databases, spreadsheets, email inboxes, paper files)
- Who can access it?
- How long do you keep it?
- Do you share it with third parties?
Action: Create a data register
A simple spreadsheet works:
| Data Type | Where Stored | Who Has Access | Retention Period | Shared With |
|---|---|---|---|---|
| Customer emails | Mailchimp | Marketing team | 3 years | Mailchimp (processor) |
| Payment card numbers | Stripe | Nobody (Stripe holds) | N/A | Stripe |
| Employee records | Google Drive | HR only | 7 years | Payroll provider |
The goal is to identify data you’re keeping unnecessarily — delete it, or stop collecting it.
2. Access Controls
Employees should only access data they need for their role. Audit this now.
Checklist:
- Every employee has their own individual account (no shared logins)
- Admin accounts are separate from daily-use accounts
- Former employees’ accounts are deactivated within 24 hours of departure
- Access to customer data is role-restricted (not everyone can export the customer list)
- Password manager deployed for the whole team
- MFA enabled for all business-critical accounts (email, cloud storage, CRM, accounting)
- A process exists for quarterly access reviews
Quick audit:
# If using Google Workspace — export user list and review
# Google Admin Console > Users > Export users
# Check for inactive accounts (Google Admin > Reports > User activity)
For AWS/cloud infrastructure:
# List IAM users with console access
aws iam list-users --query 'Users[*].[UserName,CreateDate]' --output table
# Find users with no recent activity
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | \
awk -F',' '$5 < "2025-01-01" {print $1, $5}'
3. Third-Party Vendor Review
Every SaaS tool you use is a potential breach vector. Review your vendor list.
Checklist:
- List every third-party tool that handles personal data
- Confirm each vendor has a Data Processing Agreement (DPA) if you serve EU customers (GDPR requirement)
- Review each vendor’s privacy policy and data retention practices
- Remove or replace tools that have had recent security incidents without adequate response
- Verify each vendor has SOC 2 Type II, ISO 27001, or equivalent certification for sensitive data
Common tools to audit:
- Email marketing (Mailchimp, Klaviyo, Brevo)
- CRM (Salesforce, HubSpot, Pipedrive)
- Analytics (Google Analytics, Mixpanel, Amplitude)
- Payment processing (Stripe, Square, PayPal)
- HR/payroll (Gusto, ADP, Rippling)
- Customer support (Zendesk, Intercom, Freshdesk)
- Cloud storage (Google Drive, Dropbox, Box)
For GDPR compliance, every vendor in this list that processes EU personal data needs a signed DPA. Most provide them on request or in their terms.
4. Website Privacy
Checklist:
- Privacy policy is accurate, up to date, and covers all data collected
- Cookie consent is implemented (required for EU visitors under ePrivacy Directive)
- Only necessary cookies load before consent is given
- Contact forms include a link to the privacy policy
- SSL/TLS is enforced (HTTPS everywhere, HTTP redirects to HTTPS)
- Google Analytics is configured with IP anonymization, or replaced with a privacy-first alternative
- No unnecessary third-party scripts load on the site (check with browser dev tools)
Check what’s loading on your site:
# Check for third-party scripts with curl
curl -s https://yourwebsite.com | grep -oE 'src="[^"]*"' | grep -v "yourwebsite.com"
# Or use a headless browser check
npx playwright chromium --screenshot https://yourwebsite.com screenshot.png
IP anonymization in Google Analytics (gtag.js):
gtag('config', 'GA_MEASUREMENT_ID', {
'anonymize_ip': true,
'storage': 'none',
'client_storage': 'none'
});
5. Email Security
Checklist:
- SPF record configured for your domain
- DKIM signing enabled
- DMARC policy set to at least
p=quarantine - MFA enabled on all business email accounts
- Email forwarding rules audited (no unexpected auto-forwards)
- Business email stored by a reputable provider with encryption at rest
- Employees trained on phishing identification
Verify email authentication:
# Check SPF
dig +short TXT yourdomain.com | grep spf
# Check DMARC
dig +short TXT _dmarc.yourdomain.com
# Check DKIM (replace 'default' with your selector)
dig +short TXT default._domainkey.yourdomain.com
Expected results:
- SPF:
v=spf1 ... -allor~all - DMARC:
v=DMARC1; p=quarantine; ...orp=reject - DKIM: Long RSA or Ed25519 public key
6. Device and Endpoint Security
Checklist:
- Full-disk encryption enabled on all laptops (FileVault on macOS, BitLocker on Windows)
- Mobile Device Management (MDM) deployed if employees use personal phones for work
- Screen lock configured on all devices (automatic after 5 minutes)
- Company data wiped from departed employees’ devices
- Endpoint protection (antivirus/EDR) deployed
- Operating systems and software kept updated
- Backup solution in place for critical data
Check FileVault status:
fdesetup status
Check BitLocker:
manage-bde -status
7. Incident Response Plan
Checklist:
- You know what constitutes a reportable breach (GDPR: 72-hour notification to supervisory authority for high-risk breaches; CCPA: notification to affected individuals)
- You have a list of who to notify internally if a breach is suspected
- You have contact information for your data protection authority
- You have a template for customer breach notification
- Backups are tested and can actually restore data
- Someone in the business owns the privacy/security responsibility
A minimal incident response document should cover:
- How to identify a potential breach
- Who to notify internally (CEO, legal, IT)
- How to assess what was exposed and to whom
- Regulatory notification timelines
- Customer communication templates
8. Employee Awareness
Technical controls fail when employees don’t understand basic threats.
Checklist:
- Employees know how to identify phishing emails
- Employees know not to send customer data via personal email
- Employees know to use the company password manager
- Policy exists prohibiting use of personal cloud storage for work files
- At least annual security awareness training conducted
Phishing simulation tools (for testing employee awareness):
- GoPhish (free, open source, self-hosted)
- KnowBe4 (commercial)
- Proofpoint Security Awareness Training
Audit Schedule
| Activity | Frequency |
|---|---|
| Review user access lists | Quarterly |
| Check for new third-party tools | Monthly |
| Verify MFA is enabled for all accounts | Quarterly |
| Review and update privacy policy | Annually |
| Run phishing simulation | Twice yearly |
| Test backup restoration | Annually |
| Full privacy audit (this checklist) | Annually |
Related Articles
- Privacy Audit Checklist for SaaS Companies
- Privacy Audit Checklist for Web Applications: A Developer
- Encrypted Cloud Storage for Small Business 2026
- Gdpr Compliance Tools For Small Business Complete Implementa
- Ccpa Compliance Requirements For Online Businesses
Built by theluckystrike — More at zovo.one