PII and Data Classification Audit Checklist
An audit checklist for discovering, classifying, and protecting PII across databases, logs, backups, and third-party systems. It covers classification, lawful basis, encryption, access control, retention, and data-subject rights. Use it for GDPR, CCPA, or pre-migration privacy reviews.
When to Use This Checklist
Use this checklist to audit how personally identifiable information (PII) is discovered, classified, and protected. PII is any data that can identify a person, directly or in combination. Run this audit before a migration that moves regulated data, ahead of a privacy assessment, or as a periodic control for GDPR, CCPA, or similar regimes.
How to Use This Checklist
Discovery comes first and is the hardest part: PII hides in logs, backups, caches, and third-party systems, not just primary databases. Once discovered, classify each dataset and map personal data to its lawful basis and purpose. The security items verify that sensitive classes are encrypted, access-controlled, and not leaking into logs or analytics. The compliance items confirm the rights and retention obligations are operational, not theoretical. Every finding needs an owner and a due date.
What Good Looks Like
A strong audit produces a complete inventory of where personal data lives, including the easy-to-forget places like logs and backups. Each dataset carries a classification tag that drives proportionate controls: encryption, masking, and least-privilege access. Personal data is tied to a lawful basis and a defined retention limit with a working deletion path. Data-subject access and erasure requests have a tested process. Findings are tracked to remediation rather than filed and forgotten.
Common Pitfalls
The biggest blind spot is non-primary stores: PII in application logs, analytics events, debug dumps, and old backups routinely escapes classification. Teams classify production tables but ship raw PII to log aggregators. Non-production environments often use real personal data instead of tokenized copies. Retention policies exist but lack an enforced deletion path, so data accumulates indefinitely. Finally, audits that end with a report but no owned remediation change nothing.
Related Resources
Apply privacy-by-design-7-principles and gdpr-compliance-engineering as the policy backbone, and use a data-governance-framework to assign ownership. Enforce access with principle-of-least-privilege and protect keys with secrets-management-best-practices.