Data Audit Planning

Data audit planning works best when the key decision makers in your organization are on board and included in the process. This should include a representative from each department, such as IT, finance, C-level management, human resources, and so on. Once your team is assembled, you are ready to begin data audit planning.

1. Identify Data

First, consider the primary types of information that your company handles, such as social security numbers, payment card numbers, patient records, designs, and employee records. Prioritize what must be protected.

2. Locate Data

Identify and list where each item on the information list resides within your company, such as file servers, workstations, laptops, removable media, and databases.

3. Classify Data

A classification scheme lets you rank information assets based on how much harm would be caused if the information was disclosed or altered. Your team should strive to be realistic and aim for consensus.

Visibility of Information

Type of information


Marketing campaigns, contact information, financial reports


Phone lists, organizational charts, office policies

Internal (sensitive/confidential)

Business plans, strategic initiatives, non-disclosure agreements, customer lists, compensation information, merger and acquisition plans, layoff plan


Patient data, financial records

4. Report Findings

The final stage is to collate findings and report back with recommendations on how data management practices could be improved. Common data issues faced include:

  • Poor naming and filing systems so retrieval is a challenge.
  • Lack of storage space meaning employees revert to using external hard drives and laptops.
  • No active transfer of data on staff retirement or departure means legacy material is lost, mismanaged, or remains on the server unused.
  • Limited data archiving facilities, so employees often have to maintain their research outputs.
  • Growing space requirements.

5. Make Recommendations

Improvements to data management and security should include recommendations:

  • Guidance on creating data and metadata/documentation to enable retrieval and reuse.
  • Training and advisory support to help researchers adopt best practices through the lifecycle.
  • Assistance with composing data management plans and carrying out suggested actions.
  • Implementing data policies that clarify roles and responsibilities.
  • Support on selecting data for the long-term so that only what is needed is kept.
  • Additional storage when capacity is insufficient or to support different needs (active data).