GDPR Compliance Checklist

If your organization collects or processes the personal data of individuals in the EU, it is subject to the General Data Protection Regulation (GDPR), whether or not it is itself established in the Union. The GDPR enumerates specific requirements for both data controllers (organizations that determine the purposes and means of processing personal data) and data processors (organizations that process personal data on behalf of a controller). In particular, to be GDPR compliant you must collect only the minimum amount of personal data you need for a stated purpose and process it only on a documented lawful basis.

Getting Started

Depending on the scale of your business, you might want to engage a third-party consultancy for legal advice on exactly what is required to achieve compliance. However, based on the GDPR itself, your top-level compliance checklist should, at a minimum, include the following:

  • Hire a data protection officer or appoint a person to take on the DPO role — A data protection officer is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with GDPR requirements. Appointing a DPO is mandatory (Article 37) if processing is carried out by a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of “special category” data (such as health, biometric or political data) or data about criminal convictions. Even where it is not mandatory, someone must own the role. If your company is not established in the EU but offers goods or services to, or monitors the behaviour of, people in the Union, you must in most cases also designate a representative in the Union (Article 27).
  • Perform a data privacy design assessment — Your processes need to be designed with privacy protection in mind, and privacy-protective settings must be the default whenever new products or services are released to the public. Start by building an inventory of every process that collects, stores, uses, shares or deletes personal data; this inventory is also the basis for the record of processing activities that Article 30 requires. Then conduct a Data Protection Impact Assessment (DPIA) for any processing likely to result in a high risk to individuals (Article 35): assess how sensitive the information is and what damage or distress individuals might suffer in the event of a security breach or misuse. With a clear understanding of the privacy risks, you can choose security measures, plan investments and activities, and prepare the necessary policies, procedures and documentation.
  • Outline your data governance plan — Data governance involves assembling the people, processes and technologies required to consistently and properly handle data across the business.
  • Establish the lawful basis for each processing activity, including consent where it applies — Consent is only one of the six lawful bases (alongside contract, legal obligation, vital interests, public task and legitimate interests). Where you rely on consent, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. In every case, GDPR compliance requires transparency and giving individuals control over their data, including its retention and erasure.
  • Document your compliance, auditing & record-keeping techniques — Under the accountability principle, data controllers must be able to demonstrate that their organization complies with the GDPR. Make sure you have a documented lawful basis for each purpose for which you store and process personal data.
  • Outline and prepare for your data breach obligations — Data controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33); a late notification must be accompanied by the reasons for the delay. Data processors must notify the relevant controller of every breach without undue delay. If a breach is likely to pose a high risk to data subjects, they must also be informed directly (Article 34), unless the affected data was rendered unintelligible to unauthorized parties, for example by strong encryption with keys that were not compromised. Note that pseudonymization alone does not remove this duty, since pseudonymized data is still personal data; truly anonymized data is outside the GDPR altogether.
  • Document your data protection measures — Auditors will want to see what controls you have implemented.

GDPR Audit Checklist

Your final General Data Protection Regulation audit checklist will depend on a variety of factors, including the scale of your operations, the amount and types of data you collect, and the results of your data protection impact assessment. However, here are the key things you need to do and questions to ask:

  • Document the personal data you collect — “What data are we collecting?”
  • Minimize what you collect — “Do we have a documented purpose for every piece of data?”
  • Understand your data flows — “Where are we storing the data?”
  • Choose strong security measures — “How do we protect and document the data?”
  • Refine your data retention policy — “How long do we keep the data?”
  • Assess risks — “Do we have adequate cybersecurity measures in place to protect data?”
  • Prepare for Data Subject Access Requests (DSARs) — “What is the process for honoring a request to delete, amend or access the data we store?” The rights of data subjects and your corresponding obligations are detailed below.

Upholding Data Subject Rights

Rights of Data Subjects

Organizations subject to the GDPR are required to uphold the following eight rights of data subjects upon request:

  • The right to be informed — Individuals can require you to provide clear and concise information about what you do with their personal data.
  • The right of access — Any data subject can require you to provide a copy of their personal data, along with supplementary information to help them understand how and why you are using their data and check whether you are doing so lawfully. You must normally respond within one month.
  • The right to rectification — Individuals have the right to have inaccurate personal data rectified. Depending on the purposes of the processing, individuals might also have the right to require that incomplete personal data be completed (for example, by adding a supplementary statement).
  • The right to erasure (right to be forgotten) — Individuals have the right to have their personal data erased. The right is not absolute and applies only in certain circumstances, for example when the data is no longer needed for its original purpose or consent has been withdrawn; it does not apply where you are legally obliged to retain the data.
  • The right to restrict processing — The GDPR gives individuals the right to limit how an organization may use their data, for example while the accuracy of the data is being disputed.
  • The right to data portability — Individuals have the right to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format. They can also request that the controller transmit this data directly to another controller where technically feasible.
  • The right to object — Individuals may object to processing based on legitimate interests or a public task at any time. The controller must then stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests. An objection to processing for direct marketing is absolute: you must stop that processing without exception.
  • Rights in relation to automated decision-making during the processing of personal data — Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects concerning them or similarly significantly affect them, subject to limited exceptions such as explicit consent or necessity for a contract.

You should make it easy for data subjects to exercise these rights, either by providing a self-service page with clear buttons and options, or via direct request.

Disclosure Checklist

Another critical step in upholding your legal obligations to data subjects is to make the following information publicly available in clear, easy-to-understand language:

  • Privacy policy — Explain your data privacy and data security approach. Detail what personal and non-personal information you collect and why.
  • Data retention policy — Make it clear that you never store data for longer than necessary for the purposes for which it was collected. Make sure you automatically delete or anonymize personal data that is no longer needed.
  • Terms of data transfer to other countries — Explain under what conditions you allow international transfers of personal data.
  • Data protection policy — Explain how personal data will be protected in compliance with the GDPR.
  • Contact information — Provide your organization’s legal address, as well as details for contacting your data protection officer (if you have one).
  • Terms of use — If your system does not purposefully collect data from or about children, specify the following in bold text: “This website is available only to individuals who are at least 16 years old.” Otherwise, you need to add a checkbox to your registration page (as described below) and obtain verifiable parental consent for users who are under the age of digital consent. The GDPR sets that age at 16, but member states may lower it to as little as 13, so check the rule in each country you serve.
  • Payment policy & cookie policy — Specify how payments are processed and which cookies the system sets and uses.
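The data retention policy item above calls for automatically deleting or anonymizing personal data once it is no longer needed. The following is an added example of such a retention sweep, written for this page and not taken from any product or the original author. It assumes a hypothetical per-purpose retention schedule (the periods and actions are illustrative, not legal advice) and a small set of constructed records. It shows the cases a real sweep has to get right: records under legal hold are never auto-purged, records with no documented purpose are reported rather than silently deleted, and records that must survive for a legal obligation have their identity fields replaced by keyed pseudonyms instead of being removed.

```python
"""Retention sweep: delete or pseudonymize personal data past its retention period.

Added example for this checklist; all purposes, periods and records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Hypothetical retention schedule keyed by processing purpose: (days, action).
# A real schedule comes from the documented lawful basis and any statutory
# retention obligation; these values are assumptions for the example.
RETENTION_POLICY = {
    "marketing":  (365,  "delete"),        # consent-based: nothing forces us to keep it
    "support":    (730,  "delete"),
    "accounting": (3650, "pseudonymize"),  # the ledger must survive, the identity need not
}


@dataclass(frozen=True)
class Record:
    id: int
    purpose: str
    collected: date
    email: str
    name: str
    legal_hold: bool = False     # e.g. subject of litigation: never auto-purge
    pseudonymized: bool = False


def pseudonymize_value(secret: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 token: stable for one person (records still link),
    but not reversible or guessable without the secret. Keep the secret in a
    vault separate from the data store; destroying it later turns the
    pseudonymized data into effectively anonymous data."""
    normalized = value.strip().lower().encode()
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:20]


def expiry(record: Record) -> date:
    days, _ = RETENTION_POLICY[record.purpose]
    return record.collected + timedelta(days=days)


def sweep(records, today: date, secret: bytes):
    """Apply the retention schedule. Returns (surviving_records, report)."""
    survivors = []
    report = {"kept": [], "deleted": [], "pseudonymized": [], "held": [], "unknown_purpose": []}
    for r in records:
        if r.purpose not in RETENTION_POLICY:
            # Fail closed: data with no documented purpose is an audit finding,
            # not something to delete (or keep) automatically.
            report["unknown_purpose"].append(r.id)
            survivors.append(r)
            continue
        if r.legal_hold:
            report["held"].append(r.id)
            survivors.append(r)
            continue
        if today < expiry(r) or r.pseudonymized:
            # Still within retention, or already reduced to pseudonyms: nothing to do.
            report["kept"].append(r.id)
            survivors.append(r)
            continue
        _, action = RETENTION_POLICY[r.purpose]
        if action == "delete":
            report["deleted"].append(r.id)
            continue
        survivors.append(replace(
            r,
            email=pseudonymize_value(secret, r.email),
            name=pseudonymize_value(secret, r.name),
            pseudonymized=True,
        ))
        report["pseudonymized"].append(r.id)
    return survivors, report


# Constructed sample data (not real people) and a fixed "today" so results are stable.
SAMPLE_RECORDS = [
    Record(1, "marketing",  date(2022, 1, 10), "ann@example.org", "Ann Example"),
    Record(2, "marketing",  date(2024, 3, 1),  "bob@example.org", "Bob Example"),
    Record(3, "support",    date(2021, 6, 15), "cat@example.org", "Cat Example", legal_hold=True),
    Record(4, "accounting", date(2012, 2, 2),  "dan@example.org", "Dan Example"),
    Record(5, "analytics",  date(2020, 1, 1),  "eve@example.org", "Eve Example"),
]
TODAY = date(2024, 6, 1)
SECRET = b"example-only-secret-kept-in-a-vault"  # placeholder, never hard-code a real key


def run_example():
    return sweep(SAMPLE_RECORDS, TODAY, SECRET)


if __name__ == "__main__":
    survivors, report = run_example()
    print(report)
    for rec in survivors:
        print(rec)
```

Running the sweep on the sample data deletes the stale marketing record, keeps the fresh one, leaves the legal-hold record untouched, replaces the old accounting record's name and email with HMAC tokens, and reports the "analytics" record as having no documented purpose. The sweep is idempotent: running it again over the survivors changes nothing, which matters when it is scheduled as a recurring job.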

Registration Page Checklist

Keep the following requirements in mind when designing your registration page:

  • The number of fields must be minimal and justified by a documented purpose.
  • It must be clear to the data subject what they are consenting to. You must give them granular control over what marketing materials they receive from you, not lump all consent into one checkbox. You need a separate, unticked checkbox if you want to enable users to subscribe to a mailing list; pre-ticked boxes and silence do not count as consent.
  • Have users explicitly accept your terms of use, and link to your privacy policy at the point of collection. Do not bundle consent for optional processing (such as marketing) into acceptance of the terms, because consent that is a condition of using the service is not freely given.

Document Checklist

The following documents are required:

  • Privacy policy
  • Personal data protection policy
  • Inventory of processing activities
  • Security incident response policy
  • Data breach notification form to the supervisory authority
  • Data breach notification form to the data subjects
  • Data retention policy

The following policies can be combined in a single information governance policy:

  • Data disposal policy
  • Backup and business continuity policy
  • System access control policy
  • SLA and escalation procedures
  • Cryptographic control policy
  • Disaster recovery and business continuity policy
  • Coding standards and roll-out procedure
  • Employment policy and processes
  • User termination policy
  • Audit policy
  • Risk assessment policy
  • Awareness & training policy

Data Protection Checklists

The GDPR does not mandate specific security controls. Article 32 only lists examples of measures to consider, such as pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore access after an incident, and regular testing of those measures, and it requires that the measures be appropriate to the risk. It also requires you to honor the principle of data protection by design and by default. The following checklists will help you implement appropriate technical and organizational measures and practices.

Technical Data Protection Checklist

Organizational Data Protection Checklist

  • Due diligence — Your security measures are moot if you pass data to third parties who cannot guarantee data protection. Thoroughly vetting your suppliers and service providers is as important as internal audits and reporting, and every processor you use must be bound by a written contract that meets the requirements of Article 28 (processing only on your instructions, confidentiality, security measures, assistance with data subject requests and breach notification, and deletion or return of the data at the end of the engagement).
  • Reviews & audits — To ensure that your policies and procedures are effective, you should conduct regular policy reviews and audits.
  • Awareness & training — You need to ensure that your employees and contractors are aware of legal risks and have proper skills.
  • Management information & reporting — Regular reports to senior management are essential to enterprise-wide accountability, as well as for obtaining adequate funding and other resources for GDPR compliance.