GDPR is an ongoing process, our data classification template can help!


GDPR is not a one off exercise, so we have created an easy to understand spreadsheet to help you make sense of your data, identify risks and meet some of the accountability principles of the legislation.


General Data Protection Regulation (GDPR) is really (Analog & Digital) Data Protection, and for a small to medium sized business knowing where to start with GDPR can be a nightmare. It is important to understand though that most GDPR tasks are something you probably needed to be doing anyway or probably already do without realising, namely:


Business Process, Shadow IT, Retention, Marketing, Rights/Sharing, DLP/BC/DR. Responsibilities & Legal Requirements


Think of this as a series of questions about your data when it comes to personal information. What do you hold, Who do you have data on, Why do you have it, Where is it stored, When did you get it, How did you get it, etc. etc.

GDPR questions to ask

These questions need to be answered to classify your data for GDPR and decide whether a Data Protection Impact Assessment (DPIA) is required, no matter the size of your business. For small and medium businesses a good starting point is our GDPR Data Classification Template which lists over 60 types of personal data that you might be holding and the basic questions that need answering, spread across 3 worksheets. 

GDPR Data Classification Template

Each section is colour coded, with any variations of a yes/no answer ready for you to just copy and paste.

Buy the GDPR template

Once you have filled in the main spreadsheet, you can move onto the detailed Where sheet, which helps identify more granular risks and of course, exactly where the data is.

GDPR Data Classification Template - Where in detail
GDPR Data Classification Template - Where

There is also the detailed 3rd party Access sheet, which helps identify who has authorized access to your systems and the associated supply chain risks to your organisation.


You can fill everything with little or no knowledge of GDPR, all that is needed is a good knowledge of your business. The templates also double up as a shadow IT report or can be used as a starting point to give to a GDPR consultant.


If you are looking for a GDPR consultant, one I highly recommend is Athene Secure, check them out at:

just mention Nick or Boolean please.

Buy the GDPR template

Other GDPR Resources

Article - GDPR-defined personal data can be hard to find—here's where to look

For guidance on Data Protection Impact Assessments (DPIAs) see the UK Information Commissioner's Office (ICO) which also includes a sample DPIA template for you to adapt if you wish. 


To directly download the template visit: 


Or alternatively you could use the free DPIA software by the French Data Protection Authority, at:


UK ICO Resources

Data protection self-assessment toolkit for SMEs


Data Breach Reporting webinar