Small businesses often skip privacy audits because they seem like an enterprise concern. They’re not. A single data breach at a small company can cost $50,000, $500,000 in recovery costs, regulatory fines, and lost customers. Most breaches exploit simple, fixable problems.
This checklist is organized into eight areas. Work through each section, mark what’s done, and create a remediation task for anything that isn’t.
Table of Contents
- 1. Data Inventory
- 2. Access Controls
- 3. Third-Party Vendor Review
- 4. Website Privacy
- 5. Email Security
- 6. Device and Endpoint Security
- 7. Incident Response Plan
- 8. Employee Awareness
- Audit Schedule
- Data Inventory
You can’t protect data you don’t know you have. Start by mapping what personal data your business collects and where it lives.
Questions to answer:
- What personal data do you collect? (names, emails, phone numbers, payment cards, addresses, health data, behavioral data)
- Where is it stored? (SaaS tools, local databases, spreadsheets, email inboxes, paper files)
- Who can access it?
- How long do you keep it?
- Do you share it with third parties?
Action - Create a data register
A simple spreadsheet works:
| Data Type | Where Stored | Who Has Access | Retention Period | Shared With |
|---|---|---|---|---|
| Customer emails | Mailchimp | Marketing team | 3 years | Mailchimp (processor) |
| Payment card numbers | Stripe | Nobody (Stripe holds) | N/A | Stripe |
| Employee records | Google Drive | HR only | 7 years | Payroll provider |
The goal is to identify data you’re keeping unnecessarily. delete it, or stop collecting it.
- Access Controls
Employees should only access data they need for their role. Audit this now.
Checklist:
- Every employee has their own individual account (no shared logins)
- Admin accounts are separate from daily-use accounts
- Former employees’ accounts are deactivated within 24 hours of departure
- Access to customer data is role-restricted (not everyone can export the customer list)
- Password manager deployed for the whole team
- MFA enabled for all business-critical accounts (email, cloud storage, CRM, accounting)
- A process exists for quarterly access reviews
Quick audit:
If using Google Workspace. export user list and review
Google Admin Console > Users > Export users
Check for inactive accounts (Google Admin > Reports > User activity)
For AWS/cloud infrastructure:
List IAM users with console access
aws iam list-users --query 'Users[*].[UserName,CreateDate]' --output table
Find users with no recent activity
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | \
awk -F',' '$5 < "2025-01-01" {print $1, $5}'
- Third-Party Vendor Review
Every SaaS tool you use is a potential breach vector. Review your vendor list.
Checklist:
- List every third-party tool that handles personal data
- Confirm each vendor has a Data Processing Agreement (DPA) if you serve EU customers (GDPR requirement)
- Review each vendor’s privacy policy and data retention practices
- Remove or replace tools that have had recent security incidents without adequate response
- Verify each vendor has SOC 2 Type II, ISO 27001, or equivalent certification for sensitive data
Common tools to audit:
- Email marketing (Mailchimp, Klaviyo, Brevo)
- CRM (Salesforce, HubSpot, Pipedrive)
- Analytics (Google Analytics, Mixpanel, Amplitude)
- Payment processing (Stripe, Square, PayPal)
- HR/payroll (Gusto, ADP, Rippling)
- Customer support (Zendesk, Intercom, Freshdesk)
- Cloud storage (Google Drive, Dropbox, Box)
For GDPR compliance, every vendor in this list that processes EU personal data needs a signed DPA. Most provide them on request or in their terms.
- Website Privacy
Checklist:
- Privacy policy is accurate, up to date, and covers all data collected
- Cookie consent is implemented (required for EU visitors under ePrivacy Directive)
- Only necessary cookies load before consent is given
- Contact forms include a link to the privacy policy
- SSL/TLS is enforced (HTTPS everywhere, HTTP redirects to HTTPS)
- Google Analytics is configured with IP anonymization, or replaced with a privacy-first alternative
- No unnecessary third-party scripts load on the site (check with browser dev tools)
Check what’s loading on your site:
Check for third-party scripts with curl
curl -s https://yourwebsite.com | grep -oE 'src="[^"]*"' | grep -v "yourwebsite.com"
Or use a headless browser check
npx playwright chromium --screenshot https://yourwebsite.com screenshot.png
IP anonymization in Google Analytics (gtag.js):
gtag('config', 'GA_MEASUREMENT_ID', {
'anonymize_ip': true,
'storage': 'none',
'client_storage': 'none'
});
- Email Security
Checklist:
- SPF record configured for your domain
- DKIM signing enabled
- DMARC policy set to at least
p=quarantine - MFA enabled on all business email accounts
- Email forwarding rules audited (no unexpected auto-forwards)
- Business email stored by a reputable provider with encryption at rest
- Employees trained on phishing identification
Verify email authentication:
Check SPF
dig +short TXT yourdomain.com | grep spf
Check DMARC
dig +short TXT _dmarc.yourdomain.com
Check DKIM (replace 'default' with your selector)
dig +short TXT default._domainkey.yourdomain.com
Expected results:
- SPF:
v=spf1 ... -allor~all - DMARC:
v=DMARC1; p=quarantine; ...orp=reject - DKIM: Long RSA or Ed25519 public key
- Device and Endpoint Security
Checklist:
- Full-disk encryption enabled on all laptops (FileVault on macOS, BitLocker on Windows)
- Mobile Device Management (MDM) deployed if employees use personal phones for work
- Screen lock configured on all devices (automatic after 5 minutes)
- Company data wiped from departed employees’ devices
- Endpoint protection (antivirus/EDR) deployed
- Operating systems and software kept updated
- Backup solution in place for critical data
Check FileVault status:
fdesetup status
Check BitLocker:
manage-bde -status
- Incident Response Plan
Checklist:
- You know what constitutes a reportable breach (GDPR: 72-hour notification to supervisory authority for high-risk breaches; CCPA: notification to affected individuals)
- You have a list of who to notify internally if a breach is suspected
- You have contact information for your data protection authority
- You have a template for customer breach notification
- Backups are tested and can actually restore data
- Someone in the business owns the privacy/security responsibility
A minimal incident response document should cover:
- How to identify a potential breach
- Who to notify internally (CEO, legal, IT)
- How to assess what was exposed and to whom
- Regulatory notification timelines
-
Customer communication templates
- Employee Awareness
Technical controls fail when employees don’t understand basic threats.
Checklist:
- Employees know how to identify phishing emails
- Employees know not to send customer data via personal email
- Employees know to use the company password manager
- Policy exists prohibiting use of personal cloud storage for work files
- At least annual security awareness training conducted
Phishing simulation tools (for testing employee awareness):
- GoPhish (free, open source, self-hosted)
- KnowBe4 (commercial)
- Proofpoint Security Awareness Training
Audit Schedule
| Activity | Frequency |
|---|---|
| Review user access lists | Quarterly |
| Check for new third-party tools | Monthly |
| Verify MFA is enabled for all accounts | Quarterly |
| Review and update privacy policy | Annually |
| Run phishing simulation | Twice yearly |
| Test backup restoration | Annually |
| Full privacy audit (this checklist) | Annually |
Frequently Asked Questions
How do I prioritize which recommendations to implement first?
Start with changes that require the least effort but deliver the most impact. Quick wins build momentum and demonstrate value to stakeholders. Save larger structural changes for after you have established a baseline and can measure improvement.
Do these recommendations work for small teams?
Yes, most practices scale down well. Small teams can often implement changes faster because there are fewer people to coordinate. Adapt the specifics to your team size, a 5-person team does not need the same formal processes as a 50-person organization.
How do I measure whether these changes are working?
Define 2-3 measurable outcomes before you start. Track them weekly for at least a month to see trends. Common metrics include response time, completion rate, team satisfaction scores, and error frequency. Avoid measuring too many things at once.
Can I customize these recommendations for my specific situation?
Absolutely. Treat these as starting templates rather than rigid rules. Every team and project has unique constraints. Test each recommendation on a small scale, observe results, and adjust the approach based on what actually works in your context.
What is the biggest mistake people make when applying these practices?
Trying to change everything at once. Pick one or two practices, implement them well, and let the team adjust before adding more. Gradual adoption sticks better than wholesale transformation, which often overwhelms people and gets abandoned.
Related Articles
- Privacy Audit Checklist for SaaS Companies
- Enterprise Privacy Tool Deployment Checklist
- Privacy Audit Checklist for Web Applications: A Developer
- Windows 10 Privacy Settings Complete Checklist
- Privacy Notice Vs Privacy Policy Difference
- How to Audit What Source Code AI Coding Tools Transmit Built by theluckystrike. More at zovo.one