GDPR Compliance Checklist
If your organization collects or processes the personal data of European Union residents, it’s subject to the General Data Protection Regulation (GDPR). The GDPR enumerates specific requirements for both data controllers (organizations that determine the purpose and means of processing personal data) and data processors (businesses that are responsible for processing data on behalf of a controller), and the penalties for non-compliance are steep.
This article provides checklists to help you achieve and maintain GDPR compliance. You might also want to seek professional legal advice.
Getting Started Checklist
Your top-level GDPR requirements list should, at a minimum, include the following:
- Hire a data protection officer or appoint a person to take on the DPO role — A data protection officer is responsible for overseeing a company’s data protection strategy and its implementation. The DPO role is mandatory if any “special category” of data is processed or data processing is carried out by a public authority. If your company does not have an office in the EU, you must appoint an official representative in the EU.
- Perform a data protection impact assessment (DPIA) — Inventory all of your processes that involve the collection, storage, use or deletion of personal data, and then assess how valuable or confidential the information is and what damage or distress individuals might suffer in the event of a security breach. Use the results to help choose appropriate security measures, policies and procedures. Remember that all processes need to be designed with privacy protection in mind, and privacy must be applied by default whenever new products or services are released to the public.
- Outline your data governance plan — Data governance involves assembling the people, processes and technologies required to consistently and properly handle data across the business.
- Get consent for data collection, retention and erasure — GDPR compliance requires ensuring transparency and giving consumers more control over their data.
- Document your compliance, auditing and record-keeping techniques — Data controllers must be able to prove that their organization complies with GDPR regulations. In particular, make sure you have a documented, lawful basis for storing and processing data.
- Prepare for data breaches — Data controllers are obliged to notify the supervisory authority within 72 hours of becoming aware of a data breach, while data processors must notify the relevant data controllers about every data breach. If a breach poses a high risk to data subjects, then they must also be informed unless effective protection measures, such as pseudonymization or full anonymization, were in place.
- Document your data protection measures — Auditors will want to see what controls you have implemented.
- Maintain an up-to-date list of processing activities — If your organization has at least 250 employees or takes part in high-risk data processing, you'll need to keep a list of your processing activities that you can show to regulators at any time.
GDPR Audit Checklist
Your final audit checklist will depend on various factors, including the scale of your operations, the amount and types of data you collect, and the results of your data protection impact assessment. However, here are the key things you need to do and questions to ask as you work to comply with the GDPR:
- Document the personal data you collect — What data are we collecting?
- Minimize what you collect — Do we have a function for every piece of data?
- Understand your data flows — Where are we storing the data?
- Choose strong security measures — How do we protect and document the data?
- Refine your data retention policy — How long do we keep the data?
- Assess risks — Do we have adequate measures in place to protect data from all sources, including emails and forms?
- Have an internal security policy — What do team members need to know about keeping data safe? Are there steps they need to take to maintain security levels?
- Prepare for data subject access requests (DSARs) — What is the process for honoring a request to delete, amend or access the data we store? (The rights of data subjects and your corresponding obligations are detailed below.)
Data Subject Rights Checklist
Make sure you uphold the following eight rights of data subjects:
- Right to be informed — Individuals can require you to provide clear and concise information about what you do with their personal data.
- Right of access — Any data subject can require you to provide a copy of their personal data, along with supplementary information to help them understand how and why you are using their data and check whether you are doing so lawfully.
- Right to rectification — Individuals have the right to have inaccurate personal data corrected. Depending on the purposes of data processing, individuals might also have the right to require that incomplete personal data be completed (for example, by adding a supplementary statement).
- Right to erasure (right to be forgotten) — Individuals have the right to have their personal data erased. The right is not absolute and applies only in certain circumstances.
- Right to restrict processing — The GDPR gives individuals the right to limit how an organization may use their data.
- Right to data portability — Individuals have the right to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format. They can also request that the controller transmit this data directly to another controller.
- Right to object to processing — Individuals may object to the processing of their personal data at any time, and the controller must stop processing it.
- Rights concerning automated decision-making during processing of personal data — Individuals have the right not to be subject to decisions that are based solely on automated processing (such as profiling) that have a legal effect on them.
You're required to make it easy for data subjects to exercise these rights, either by providing a self-service page with clear buttons and options, or by accepting direct requests through your other published contact channels.
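The rights listed above are usually honored through a DSAR workflow. The following Python example, added here and not taken from the article, shows one way to back that workflow with code: a single in-memory store that can export a subject's data in a machine-readable format, rectify it, erase it, and enforce restriction and objection at the one place where personal data is actually used. All class, method and subject names (PersonalDataStore, use_for, "subj-1") and the sample records are constructed for the example.

```python
import json
from datetime import datetime, timezone


class ProcessingRestricted(Exception):
    """Raised when the controller tries to use data it may no longer process."""


class PersonalDataStore:
    """In-memory store implementing the rights a data subject access request can invoke.

    Hypothetical example: the class and method names are assumptions, not
    anything the article prescribes. `clock` is injectable so audit entries are
    reproducible in tests.
    """

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = {}        # subject_id -> dict of personal data
        self._restricted = set()  # subjects who invoked the right to restrict
        self._objections = {}     # subject_id -> set of purposes objected to
        self.audit_log = []       # evidence of how each request was honored

    def _log(self, subject_id, action):
        self.audit_log.append((self._clock().isoformat(), subject_id, action))

    def collect(self, subject_id, data):
        self._records[subject_id] = dict(data)
        self._log(subject_id, "collected")

    # Right of access and right to data portability: hand back everything held
    # about the subject in a structured, machine-readable format (JSON here).
    def export_portable(self, subject_id):
        if subject_id not in self._records:
            return None
        payload = {"subject_id": subject_id, "data": self._records[subject_id]}
        self._log(subject_id, "access_export")
        return json.dumps(payload, sort_keys=True)

    # Right to rectification: correct or complete a field in place.
    def rectify(self, subject_id, field, value):
        if subject_id not in self._records:
            return False
        self._records[subject_id][field] = value
        self._log(subject_id, f"rectified:{field}")
        return True

    # Right to erasure: remove the record and any restriction/objection state.
    # The audit log keeps only the fact of erasure, never the erased data.
    def erase(self, subject_id):
        if self._records.pop(subject_id, None) is None:
            return False
        self._restricted.discard(subject_id)
        self._objections.pop(subject_id, None)
        self._log(subject_id, "erased")
        return True

    # Right to restrict processing: the data stays stored but may not be used.
    def restrict(self, subject_id):
        if subject_id in self._records:
            self._restricted.add(subject_id)
            self._log(subject_id, "restricted")

    # Right to object: block one specific purpose (for example direct marketing).
    def object_to(self, subject_id, purpose):
        if subject_id in self._records:
            self._objections.setdefault(subject_id, set()).add(purpose)
            self._log(subject_id, f"objected:{purpose}")

    # Every use of personal data goes through this one choke point, so
    # restrictions and objections cannot be bypassed by another code path.
    def use_for(self, subject_id, purpose):
        if subject_id not in self._records:
            raise KeyError(subject_id)
        if subject_id in self._restricted:
            raise ProcessingRestricted(f"{subject_id}: processing restricted")
        if purpose in self._objections.get(subject_id, set()):
            raise ProcessingRestricted(f"{subject_id}: objected to {purpose}")
        self._log(subject_id, f"used:{purpose}")
        return self._records[subject_id]


def demo():
    """Walk one constructed subject through the rights; returns the audit trail."""
    fixed = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = PersonalDataStore(clock=lambda: fixed)
    store.collect("subj-1", {"email": "a@example.com", "city": "Paris"})  # constructed data
    store.rectify("subj-1", "city", "Lyon")
    exported = json.loads(store.export_portable("subj-1"))
    store.object_to("subj-1", "marketing")
    try:
        store.use_for("subj-1", "marketing")      # must be refused
    except ProcessingRestricted:
        pass
    store.use_for("subj-1", "billing")            # other purposes still allowed
    store.erase("subj-1")
    return exported["data"]["city"], [action for _, _, action in store.audit_log]


if __name__ == "__main__":
    print(demo())
```

The design point is the single `use_for` entry point: a restriction or objection is only as good as the number of code paths that respect it, so funnel every read of personal data through one function and have the audit log record both the request and each subsequent use.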
Make the following information publicly available in clear, easy-to-understand language:
- Data retention policy — Make it clear that you never store data for longer than necessary for the purposes for which it was collected. Make sure you automatically delete or anonymize personal data that is no longer needed.
- Terms of data transfer to other countries — Explain under what conditions you allow international transfers of personal data.
- Data protection policy — Explain how personal data will be protected in compliance with the GDPR.
- Contact information — Provide your organization’s legal address, as well as details for contacting your data protection officer (if you have one).
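The retention policy item above says data no longer needed must be automatically deleted or anonymized, and the breach-notification item earlier distinguishes pseudonymization from full anonymization. The Python example below, added here and not part of the article, shows a retention sweep that applies per-purpose retention periods, deletes expired records, turns expired analytics records into anonymous rows (direct identifiers dropped, date of birth generalized to a year), and contrasts that with keyed-hash pseudonymization, which a key holder can still reverse. The retention periods, field names, purposes and sample records are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per purpose (constructed for the example; real periods come
# from your documented retention policy and legal obligations).
RETENTION = {
    "order_fulfilment": timedelta(days=30),
    "tax_records": timedelta(days=365 * 7),
    "analytics": timedelta(days=90),
}

# Fields that directly identify a person; they must go when a record is anonymized.
DIRECT_IDENTIFIERS = {"name", "email", "ip"}


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    data: dict


def anonymize(record: Record) -> dict:
    """Return an anonymous copy: direct identifiers removed, the subject id
    dropped, and birth_date generalized to a year so the row no longer points
    back to one person."""
    out = {k: v for k, v in record.data.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["birth_year"] = out.pop("birth_date")[:4]
    return out


def pseudonymize_id(subject_id: str, secret: bytes) -> str:
    """Keyed hash of an identifier. This is pseudonymization, not anonymization:
    anyone holding `secret` can re-link the records, so the result is still
    personal data and the key needs the same protection as the data."""
    return hmac.new(secret, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def sweep(records, now):
    """Apply the retention policy at time `now`.

    Returns (kept, anonymized_rows, deleted_subject_ids). Expired analytics
    records survive only as anonymous rows; any other expired record is deleted.
    """
    kept, anonymized, deleted = [], [], []
    for r in records:
        expires_at = r.collected_at + RETENTION[r.purpose]
        if now < expires_at:
            kept.append(r)
        elif r.purpose == "analytics":
            anonymized.append(anonymize(r))
        else:
            deleted.append(r.subject_id)
    return kept, anonymized, deleted


def demo():
    """Run the sweep over constructed records; returns a compact summary."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
    records = [  # constructed sample data
        Record("s1", "order_fulfilment", now - timedelta(days=45),
               {"name": "A. Example", "email": "a@example.com", "order": 1001}),
        Record("s2", "order_fulfilment", now - timedelta(days=10),
               {"name": "B. Example", "email": "b@example.com", "order": 1002}),
        Record("s3", "analytics", now - timedelta(days=120),
               {"ip": "203.0.113.5", "birth_date": "1990-04-02", "page": "/home"}),
        Record("s4", "tax_records", now - timedelta(days=400),
               {"name": "D. Example", "invoice": "INV-7"}),
    ]
    kept, anonymized, deleted = sweep(records, now)
    return [r.subject_id for r in kept], anonymized, deleted


if __name__ == "__main__":
    print(demo())
    print(pseudonymize_id("s1", b"constructed-demo-key"))
```

Run as a scheduled job, a sweep like this is the evidence an auditor asks for when the retention policy says "automatically": the policy is a table in code, and the log of what was deleted or anonymized on each run is the record that it was applied.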
Registration Page Checklist
Keep the following requirements in mind when designing your registration page:
- The number of fields must be minimal and reasonable.
- It must be clear to data subjects what they are consenting to. You must give them granular control over what marketing materials they receive from you, not just lump all consent into one checkbox. You need a separate checkbox if you want to enable users to subscribe to a mailing list.
Audit Document Checklist
The following documents are required during a GDPR compliance check:
- Personal data protection policy
- Inventory of processing activities
- Security incident response policy
- Data breach notification form to the supervisory authority
- Data breach notification form to the data subjects
- Data retention policy
- The following policies can be combined in a single information governance policy:
  - Data disposal policy
  - Backup and business continuity policy
  - System access control policy
  - SLA and escalation procedures
  - Cryptographic control policy
  - Disaster recovery and business continuity policy
  - Coding standards and roll-out procedure
  - Employment policy and processes
  - User termination policy
  - Audit policy
  - Risk assessment policy
  - Awareness & training policy
Data Protection Checklists
The GDPR does not specify particular security controls for compliance, but it does require you to honor the principle of data protection by design and by default. The following checklists will help you implement appropriate technical and organizational measures and practices.
Data Protection Checklist: Technical Measures
- Network security — Network security design, firewalls, VPN access
- Encryption for data at rest — Whole disk encryption, database encryption
- Encryption for data in transit — HTTPS, IPSec, TLS, SSH (PPTP is sometimes still listed here, but its authentication and encryption are broken and it should be replaced rather than relied on)
- Access controls (physical and technical):
  - Restrict access to your system to trusted sources
  - Implement insider threat detection and prevention
  - Limit user and group permissions according to job needs
  - Restrict the use of privileged accounts
  - Enforce a strong password policy
  - Implement a lockout policy
- Intrusion prevention and detection
- Health monitoring
- Regular backups
- Backup encryption
- Multifactor authentication (MFA), strict authorization
- Antivirus solution
- Regular infrastructure scans
- Software installation policy, software update policy, equipment upgrade policy
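Two of the access-control items above, a strong password policy and a lockout policy, are small enough to show in working code. The Python example below is added here and is not from the article; it checks candidate passwords against a few policy rules and a stand-in denylist, and implements a sliding-window lockout that stops password comparison entirely while an account is locked. The thresholds, the denylist entries, the user name and the clock values are constructed for the example, and the plain-text comparison stands in for the hash comparison a real login system would do.

```python
import hmac
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed policy parameters; tune them to your own risk assessment.
MIN_LENGTH = 12
MAX_FAILURES = 5                          # failures tolerated inside the window
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

# A few obviously weak passwords standing in for a real breached-password list.
DENYLIST = {"password", "password123", "qwerty123456", "letmein12345"}


def password_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in DENYLIST:
        problems.append("denylisted")
    if password.strip() != password:
        problems.append("leading_or_trailing_whitespace")
    return problems


class LockoutPolicy:
    """Per-account sliding-window failure counter with a temporary lockout."""

    def __init__(self):
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> datetime the lockout expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]  # lockout has expired
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed attempt; returns True if it triggered a lockout."""
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()                   # forget failures outside the window
        if len(q) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_DURATION
            q.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def attempt_login(policy, user, password, correct_password, now):
    """Returns 'locked', 'failed' or 'ok'.

    The lockout check runs before the password is compared, so a locked account
    gives no feedback on guesses. A real system compares against a stored
    password hash (bcrypt/argon2); the constant-time compare here stands in.
    """
    if policy.is_locked(user, now):
        return "locked"
    if not hmac.compare_digest(password.encode(), correct_password.encode()):
        policy.record_failure(user, now)
        return "failed"
    policy.record_success(user)
    return "ok"


def demo():
    """Five quick failures lock the constructed account; it reopens after 30 minutes."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    real = "correct-horse-battery"                        # constructed secret
    results = [attempt_login(policy, "alice", "wrong-guess", real, t0 + timedelta(seconds=i))
               for i in range(MAX_FAILURES)]
    results.append(attempt_login(policy, "alice", real, real, t0 + timedelta(minutes=1)))
    results.append(attempt_login(policy, "alice", real, real, t0 + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    print(demo())
    print(password_violations("password123"))
```

Keeping the window and lockout duration as named constants makes the policy reviewable by the people who write the access-control document, and the sliding window means occasional genuine typos spread over a day never lock a user out while a burst of guesses does.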
Data Protection Checklist: Organizational Measures
- Due diligence — Your security measures are moot if you pass data to third parties who cannot guarantee data protection. Thoroughly checking your suppliers and service providers is as important as internal audits and reporting.
- Reviews & audits — To ensure that your policies and procedures are effective, you should conduct regular policy reviews and audits. It can help to have templates for these reviews.
- Training — You need to ensure that your employees and contractors are aware of legal risks and have proper skills.
- Reporting — Regular reports to senior management are essential to enterprise-wide accountability, as well as for obtaining adequate funding and other resources for GDPR compliance.