An audit of this type begins with a site visit (probably about 4 hours on site), followed by an off-site review of documentation. Such a visit may be at the start of a major compliance project, or alternatively it may be a regular activity.
We will ask to see your breach logs and subject access request records, so the audit is covered by a non-disclosure agreement. It’s not necessary for us to see the data from any access requests.
You should expect that we will want to take a tour of the premises and talk to the key people dealing with data protection. We will look at physical security of IT equipment, but this is not an IT security audit.
We will ask for copies of your privacy notices and your various policies (for example, your GDPR policy and breach policy). After the visit we will review your policies and produce a report that includes our observations from the day. Where issues are noted, we will provide high-level suggestions for solutions.