In Ireland, data controllers in the private and public sectors hold increasing amounts of personal data on individuals. The decreasing cost of electronic storage and processing has greatly contributed to this. Organizations also increasingly outsource data processing to third parties (data processors). Many organizations also continue to hold large quantities of personal data in manual form – often in off-site locations. Data controllers need to regularly audit their holdings of personal data and the procedures they have in place to protect data. What questions should they ask?