Independent reference. Not legal advice. Consult a qualified data protection lawyer for advice on your specific situation.
Audit cost

What a GDPR audit actually costs.

“GDPR audit” covers three distinct exercises whose price ranges differ by an order of magnitude, and search results routinely conflate them. This page separates internal audit, external advisory audit, and certification audit (ISO 27701 / Europrivacy) so that each can be budgeted on its own terms.

Definitions

Three audit shapes

Internal audit
£2,000 - £15,000 (fully loaded internal cost)

Cross-functional team time plus tooling; typical for an SME's first cycle. Output: gap report and remediation plan. Defensible only if conducted by someone independent of the controls being audited, since a team auditing its own controls is a self-assessment rather than an audit.

External advisory audit
£5,000 - £70,000

Third-party assurance, not certification: the report carries the firm's name but confers no certificate. Priced by day rate or fixed scope, and driven by processor count, jurisdiction count, and prior maturity. Output: written report with findings and recommendations.

Certification audit
£12,000 - £80,000+

ISO 27701 or Europrivacy, performed by an accredited certification body. Budget for initial certification plus surveillance audits recurring annually at 70-80% of the initial cost. Output: a certificate with a defined scope, so anything outside that scope is not certified.

Cost drivers

What drives the number

  • Data volume: number of data subjects, processing activities, and special-category records.
  • Processor count: sub-processor inventory length is one of the strongest cost drivers; 50+ processors typically pushes audit days into the mid-market range.
  • Jurisdiction count: each jurisdiction beyond the second adds two to three audit days, so UK plus three EU countries adds roughly four to six days over a two-jurisdiction engagement.
  • Prior maturity: an organisation with a maintained ROPA, signed-off DPIAs, and a current policy bundle is audited in roughly half the days of one without.
  • Scope agreement: audit scope creep is the single biggest in-engagement cost inflator. A specific, signed scope before kickoff matters.

Where audits overrun

What teams underestimate

Mid-audit remediation discoveries (the auditor finds a control gap that must be fixed before the report is signed off) are the most common overrun pattern. Evidence collection time during the audit window (the team is asked to produce in three days records that take three weeks to assemble) is the second. Under-allocation of the surveillance audit budget in years 2-3 is the third: the surveillance fee is rarely included in initial procurement, and 70-80% of the year 1 cost recurring annually is a non-trivial line.

Two real shapes

Sanity check scenarios

SME first external advisory audit
£8,000 - £18,000

40-person UK SaaS company, partial maturity, 12 sub-processors, UK only. 8-12 audit days at £1,200-£1,500 per day, scope locked before kickoff, single jurisdiction, written report with prioritised findings.

Mid-market ISO 27701 certification audit
£28,000 - £55,000 initial; £20,000 - £40,000 per surveillance audit

200-person UK retailer with existing ISO 27001 certification, 35 sub-processors, UK plus two EU countries. Initial certification covers the stage 1 (documentation) and stage 2 (implementation) audits. Surveillance audits in years 2-3 run at 70-80% of the initial cost, with full recertification at three years.

Existing ISMS

ISO 27001 overlap

Organisations with an existing ISO 27001 certification typically reduce external GDPR audit days by 25-35% on the technical-and-organisational-measures layer, because the auditor can rely on evidence already produced for the ISMS. The privacy-specific layer (lawful basis, DSAR handling, transfer mechanisms, DPIA framework) is unaffected and remains the bulk of the audit effort. Detail on the control overlap sits at /iso-27001-overlap.

Many auditors treat a documented audit programme with a clear scope, independence between auditor and auditee, and a retained evidence trail as supporting evidence for the accountability principle in Article 5(2). This site does not opine on whether any particular audit programme satisfies accountability in your specific situation.