Step-by-Step Guide

How to conduct a face data audit

A practical, follow-along guide. By the end, you will know where face data exists in your organization, what your exposure looks like, and what to do about it. When a data subject access request (DSAR) arrives, you will be ready to respond.

Step 1: Map your photo sources

You cannot audit what you have not found. Start by listing every place photos live in your organization.

Public-facing sources

  • Corporate website: team pages, about pages, blog author photos, event recaps, press releases, customer testimonials
  • Social media accounts: LinkedIn, Facebook, Instagram (company pages and linked employee profiles)
  • Press and media kits: downloadable press photos, executive headshots, product images with people
  • Recruitment pages: employee testimonials, office photos, team portraits on career pages

Internal sources

  • Shared drives and cloud storage: SharePoint, Google Drive, OneDrive, Dropbox; look for "Photos," "Events," and "Marketing" folders
  • Marketing asset libraries: digital asset management (DAM) systems, brand portals, campaign asset folders (often the largest single source)
  • HR and intranet systems: profile photos, org charts, internal newsletters, training materials
  • Email and messaging archives: photos shared as attachments, embedded in newsletters, or posted in Slack/Teams channels

Forgotten sources

These are the ones that catch people off guard during audits. Check them explicitly.

  • Old website versions still accessible via subdomains or archive.org
  • Event management platforms (Eventbrite, conference apps) with uploaded photos
  • Third-party platforms where you published content (Medium, industry directories)
  • Backup systems and disaster recovery archives
  • Physical media (USB drives, SD cards) from events

Step 2: Assess each source

For every photo source you identified, gather the information your compliance documentation requires. For each source, document:

  • Volume estimate: how many photos? How many likely contain faces? A rough count is fine; you are establishing scale, not precision.
  • Categories of data subjects: employees, customers, members of the public, minors? Different categories may have different legal bases and risk profiles.
  • Legal basis: what justifies processing these photos? Consent, legitimate interest, contractual necessity? Is it documented?
  • Access and sharing: who has access to these photos? Are they public? Shared with third parties? Accessible to all employees?
  • Retention: how long do you keep these photos? Is there a defined retention period, or do they accumulate indefinitely?

Practical tip

Use a spreadsheet. One row per source. Columns for each of the above. It does not need to be fancy, but it does need to be complete. This spreadsheet becomes your working document for the rest of the audit and feeds directly into your Record of Processing Activities.

Step 3: Update your compliance records

Your audit findings need to flow into your existing GDPR documentation.

Record of Processing Activities (RoPA)

If photo processing is not already in your RoPA, add it. For each processing activity involving face data, document:

  • Purpose of processing (e.g., marketing, HR records, event documentation)
  • Categories of data subjects and personal data
  • Recipients or categories of recipients
  • Retention periods
  • Technical and organizational security measures

Data Protection Impact Assessment

If you are using (or plan to use) face recognition technology on your photo archives, a DPIA is very likely required. Even if you are just holding photos with faces and making them available via a searchable system, consider whether a DPIA is warranted. The threshold is lower than most organizations assume — any "systematic monitoring" or "large scale processing" of biometric data triggers the requirement.

Gap analysis

Compare what you found to what your compliance documentation claims. Common gaps: sources not listed in the RoPA, no documented legal basis for certain photo uses, no process to handle access or erasure requests for photo data, retention periods not enforced.
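The audit spreadsheet from step 2 and the gap analysis above can be run as a script instead of by hand. The following Python is an added example, not Ansikt's code and not part of the original guide: the register columns, the four sample sources and every value in them are constructed, and the date used as "today" is fixed so the output is reproducible. It flags the four common gaps the text names, testing "retention periods not enforced" against the oldest photo a source still holds, and it also lists which sources are public and which involve minors, since those carry different risk profiles.

```python
"""Face-data audit register with automated gap analysis (constructed example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: one row per photo source, with the columns the
# guide asks for plus three fields the gap analysis needs (in_ropa,
# erasure_process, oldest_photo). All sources and values are made up.
SAMPLE_REGISTER_CSV = """\
source,volume_estimate,faces_estimate,data_subjects,legal_basis,access,retention_days,in_ropa,erasure_process,oldest_photo
Corporate website team page,120,110,employees,consent,public,365,yes,yes,2024-03-01
Marketing DAM library,15000,9000,customers;public,,all employees,,no,no,2016-05-14
HR intranet profiles,800,800,employees,contractual necessity,all employees,730,yes,no,2019-01-10
Event photos on shared drive,4200,3500,public;minors,legitimate interest,all employees,180,no,no,2022-06-20
"""

# Fixed reporting date so the sample output is reproducible (hypothetical).
REPORT_DATE = date(2025, 1, 1)


def load_register(csv_text):
    """Parse the register (a CSV export of the audit spreadsheet) into dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def source_gaps(row, as_of):
    """Return the compliance gaps for one source, in a fixed order.

    The checks mirror the common gaps the guide lists: source missing from the
    RoPA, no documented legal basis, no access/erasure process, and retention
    either undefined or not enforced (oldest photo older than the period).
    """
    gaps = []
    if row["in_ropa"].strip().lower() != "yes":
        gaps.append("not_in_ropa")
    if not row["legal_basis"].strip():
        gaps.append("no_legal_basis")
    if row["erasure_process"].strip().lower() != "yes":
        gaps.append("no_erasure_process")
    retention = row["retention_days"].strip()
    oldest = row["oldest_photo"].strip()
    if not retention:
        gaps.append("no_retention_period")
    elif oldest and date.fromisoformat(oldest) < as_of - timedelta(days=int(retention)):
        gaps.append("retention_not_enforced")
    return gaps


def gap_analysis(rows, as_of):
    """Map each source name to its list of gaps (empty list means none found)."""
    return {row["source"]: source_gaps(row, as_of) for row in rows}


def summarize(rows, as_of):
    """Headline figures for the audit report."""
    gaps = gap_analysis(rows, as_of)
    return {
        "sources": len(rows),
        "photos_estimate": sum(int(r["volume_estimate"]) for r in rows),
        "faces_estimate": sum(int(r["faces_estimate"]) for r in rows),
        "sources_with_gaps": sum(1 for g in gaps.values() if g),
        "public_sources": [r["source"] for r in rows if r["access"].strip() == "public"],
        "sources_with_minors": [r["source"] for r in rows
                                if "minors" in r["data_subjects"].split(";")],
    }


if __name__ == "__main__":
    rows = load_register(SAMPLE_REGISTER_CSV)
    for source, gaps in gap_analysis(rows, REPORT_DATE).items():
        print(f"{source}: {', '.join(gaps) if gaps else 'no gaps found'}")
    print(summarize(rows, REPORT_DATE))
```

To use it on your own audit, export the spreadsheet as CSV with the same column names and pass today's date instead of the fixed one; the per-source gap list maps directly onto the RoPA entries and retention schedule that need updating.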

Step 4: Establish ongoing monitoring

An audit is a snapshot. Compliance is continuous. Build processes that keep up as your photo libraries grow.

What ongoing monitoring looks like

Website monitoring

Your website changes constantly. New blog posts, updated team pages, event galleries. Each change can introduce new face data. Automated crawling catches these changes as they happen, rather than waiting for the next annual audit.

Internal library monitoring

Marketing uploads new campaign photos. HR adds new employee portraits. Event coordinators dump event photos into shared drives. A monitoring process flags new face data as it enters your systems.

Periodic re-audits

Even with automated monitoring, conduct a full re-audit annually. New systems get adopted, new photo sources appear, organizational changes create new data flows. The annual audit catches what automated monitoring might miss.

Where Ansikt fits in

Ansikt automates the most labor-intensive parts of this guide. It crawls your websites, scans your photo libraries, detects and indexes every face, and maintains a continuously updated inventory. When you need to find all photos of a specific person (for a DSAR, an audit, or an erasure request), the search takes seconds instead of days. All processing stays within the EU, with no third-party data sharing.
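Website monitoring as described above comes down to taking a periodic inventory of the images on your site and comparing it with the previous one. The following Python is an added example, not Ansikt's crawler and not code from this guide: the two "weekly" site snapshots, the example.org URLs and the image bytes are constructed so it runs offline, and a real run would fetch pages and images over HTTP and persist the snapshot as JSON between runs. Hashing each image's bytes catches a photo replaced under an unchanged file name, which a URL-only comparison would miss; the "added" and "changed" lists are the candidates to pass to face detection and record in the audit register.

```python
"""Snapshot-and-diff monitor for images on a website (constructed example)."""
import hashlib
import json
from html.parser import HTMLParser
from urllib.parse import urljoin


class ImageCollector(HTMLParser):
    """Collect every <img src> on one page, resolved to an absolute URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.images = []  # list of (absolute_src, alt text)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.images.append((urljoin(self.page_url, attr["src"]), attr.get("alt") or ""))


def extract_images(page_url, html):
    parser = ImageCollector(page_url)
    parser.feed(html)
    return parser.images


def snapshot(pages, fetch_bytes):
    """Build an image inventory: {image_url: {"sha256", "alt", "pages"}}.

    pages maps page URL -> HTML text; fetch_bytes(url) returns the image bytes.
    The content hash lets a later run detect a replaced photo even when its
    URL did not change.
    """
    inventory = {}
    for page_url, html in pages.items():
        for src, alt in extract_images(page_url, html):
            entry = inventory.setdefault(src, {
                "sha256": hashlib.sha256(fetch_bytes(src)).hexdigest(),
                "alt": alt,
                "pages": [],
            })
            if page_url not in entry["pages"]:
                entry["pages"].append(page_url)
    return inventory


def diff_snapshots(previous, current):
    """Images that appeared, disappeared, or changed content between two runs."""
    prev_urls, cur_urls = set(previous), set(current)
    return {
        "added": sorted(cur_urls - prev_urls),
        "removed": sorted(prev_urls - cur_urls),
        "changed": sorted(u for u in cur_urls & prev_urls
                          if current[u]["sha256"] != previous[u]["sha256"]),
    }


# Constructed site content for two runs a week apart (hypothetical example.org
# pages and fake image bytes; nothing here is fetched from the network).
SITE_WEEK1 = {
    "https://example.org/about": '<img src="/img/team.jpg" alt="Our team"><img src="/img/logo.png" alt="">',
    "https://example.org/events": '<img src="/img/event.jpg" alt="Conference 2024">',
}
IMAGES_WEEK1 = {
    "https://example.org/img/team.jpg": b"JPEG-team-v1",
    "https://example.org/img/logo.png": b"PNG-logo",
    "https://example.org/img/event.jpg": b"JPEG-event",
}
# Week 2: the team photo was replaced under the same name, the events page is
# gone, and a new blog post carries an author headshot via a relative path.
SITE_WEEK2 = {
    "https://example.org/about": '<img src="/img/team.jpg" alt="Our team 2025"><img src="/img/logo.png" alt="">',
    "https://example.org/blog/new-post": '<img src="../img/author.jpg" alt="Author headshot">',
}
IMAGES_WEEK2 = {
    "https://example.org/img/team.jpg": b"JPEG-team-v2",
    "https://example.org/img/logo.png": b"PNG-logo",
    "https://example.org/img/author.jpg": b"JPEG-author",
}


def make_fetcher(store):
    """Offline stand-in for an HTTP fetch: look the image bytes up in a dict."""
    return lambda url: store[url]


if __name__ == "__main__":
    previous = snapshot(SITE_WEEK1, make_fetcher(IMAGES_WEEK1))
    current = snapshot(SITE_WEEK2, make_fetcher(IMAGES_WEEK2))
    print(json.dumps(diff_snapshots(previous, current), indent=2))
```

Run on a schedule, each run's inventory is saved and becomes the "previous" snapshot for the next one, so the diff is the list of images that need a review before the annual re-audit.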

Start your audit with a free website scan

Step 1 of your face data audit: find out what is on your website. Our free scan crawls your site and reports how many photos contain identifiable faces. No signup required.