Achieving GDPR compliance can feel overwhelming – but it shouldn’t have to be a struggle. To simplify matters, we’ve put together this checklist to help you understand and strengthen your GDPR compliance.

Please note that the contents of this checklist do not constitute legal advice. If you are looking for advice relating to the interpretation of this information and its accuracy, or you need help applying the GDPR laws to your specific circumstances, we recommend that you consult an attorney specializing in GDPR compliance.

Data Controllers, Data Processors, and Data Subjects

Before you go through this checklist, you need to determine what GDPR items apply to you and your company or organization. Here, we distinguish between items relevant to the data subject, the data controller, and the data processor.

To quickly navigate the checklist below, select your role to view only the checklist items relevant to you and your organization.

The Data subject

The data subject is the user: the natural person or individual whose personal data is collected, stored, or processed. This means that the data subject is any individual who can be identified – directly or indirectly – via an identifier such as a name, an ID number, location data, or via factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.

The Data controller

The data controller is the entity – the person, organization, etc. – that determines the purposes for which and how personal data is processed. This means that if your company or organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.

If your company or organization jointly determines the ‘why’ and ‘how’ of personal data processing together with one or more organizations, it is a joint controller. Joint controllers must enter into an arrangement that specifies the respective roles and responsibilities for complying with the GDPR rules.

The Data processor

The data processor processes personal data only on behalf of the data controller. Thus, the data processor is usually a third party external to the company. The duties of the data processor towards the controller must be specified in a contract or another legal act.

In some situations, an organization may have both roles.

The GDPR Compliance Checklist

User rights

Right to receive transparent information and communication.

As a user, you have the right to receive any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing. This information should be given to you in a transparent and easily accessible form.

Discover more:

GDPR Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject

Relevant to: Data subjects

Right to receive specific information when your personal data are collected from you directly and when your personal data are not collected from you directly.

Your rights to receive specific information include but are not limited to information relating to the data controller’s contact details, the purposes of the data processing, and the legal basis for the processing.

Discover more:

GDPR Article 13 – Information to be provided where personal data are collected from the data subject

GDPR Article 14 – Information to be provided where personal data have not been obtained from the data subject

Relevant to: Data subjects

Right to obtain confirmation as to whether or not your personal data are being processed and, where that is the case, access to your personal data.

Your rights to access include, but are not limited to: the purposes of the processing, the categories of personal data concerned, and the recipients to whom the personal data are disclosed.

Discover more:

GDPR Article 15 – Right of access by the data subject

Relevant to: Data subjects

Right to the rectification of inaccurate personal data.

Considering the purposes of the processing, your right to rectification gives you the right to have incomplete personal data completed.

Discover more:

GDPR Article 16 – Right to rectification

Relevant to: Data subjects

Right to the erasure of your personal data.

Under some circumstances, the data controller is obligated to erase your personal data without undue delay. The circumstances include but are not limited to, if your data are no longer necessary to the purposes for which they were collected, you withdraw your consent for processing, or there is no other legal ground for the processing.

Discover more:

GDPR Article 17 – Right to erasure (‘right to be forgotten)

Relevant to: Data subjects

Right to restriction of the processing.

Under a number of circumstances, you have the right to restriction of processing from the data controller. The circumstances include, but are not limited to: if your data are inaccurate, the processing is unlawful, or the data controller no longer needs your personal data for processing.

Discover more:

GDPR Article 18 – Right to restriction of processing

Relevant to: Data subjects

Right to the notification.

You have the right to be notified of rectification or erasure of your personal data or restriction of processing.

Discover more:

GDPR Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing

Relevant to: Data subjects

Right to data portability.

You have the right to receive the data you have provided to a controller in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller with whom your personal data have been given.

Discover more:

GDPR Article 20 – Right to data portability

Relevant to: Data subjects

Right to object.

At any time, you have the right to object to the processing of your personal data based on points (e) or (f) of GDPR Article 6. When you object, the controller should no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your objections.

Discover more:

GDPR Article 21 – Right to object

Relevant to: Data subjects

Right not to be subject to automated decision-making.

You have the right not to be subject to a decision based solely on automated processing – such as profiling – which produces legal effects or affects you significantly in a similar way. However, this does not apply if the decision is necessary for entering a contract between you and the data controller.

Discover more:

GDPR Article 22 – Automated individual decision-making, including profiling

Relevant to: data subjects

Lawful basis and transparency

Have legal justification for why your company needs to process personal data.

Processing data is illegal unless you can justify it according to one of six conditions listed in the GDPR Article 6. Therefore, your privacy policy should include a lawful basis for data processing – e.g. the fulfilment of a contract.

Discover more:

GDPR Article 6 – Lawfulness of processing

Relevant to: Data controllers

Provide clear information about your data processing in your privacy policy and keep a record of the personal information your company holds.

Your privacy policy should explain how personal data are processed, who has access to them, and how you are keeping them safe. Further, your record should include the types of data held by your company (such as name, special security number, address etc.). For every kind of data, you should document the source of the data, the parties to whom these data are disclosed, the purpose of the data, and your expected time limit for the erasure of these data.

Discover more:

GDPR Article 12 – Transparent Information, communication, and modalities

GDPR Article 30 – Records of processing activities

Relevant to: Data controllers and Data processors

Ensure that your technical security is up to date.

It would help if you implemented appropriate technical and organisational measures for ensuring that, by default, only personal data necessary for each specific purpose of the processing are processed.

Data and security

Relevant to: Data controllers and Data processors

Make the privacy policy of your company publicly accessible and outline all processes relating to personal data.

Your privacy policy includes information about all processes related to your handling of personal data. This document should link to the types of personal data your company holds and where they are held.

Discover more:

GDPR Article 25 – Data protection by design and by default

GDPR Article 30 – Records of processing activities

Relevant to: data controllers and data processors

Create an internal security policy that ensures your team members are knowledgeable about data security.

Discover more:

GDPR Article 25 – Data protection by design and by default

Relevant to: Data processors

Management and accountability

Designate a person responsible for ensuring GDPR compliance across your organization

Discover more:

GDPR Article 25 – Data protection by design and by default

Relevant to: Data controllers

Appoint a Data Protection Officer (DPO) if necessary.

A DPO is required in any case where:

the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

the core activities of the controller or the processor consist of processing on a large scale of special categories of data according to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.

Discover more:

GDPR Article 37 – Designation of the data protection officer

Relevant to: Data controllers and Data processors

Build awareness of GDPR guidelines among decision-makers.

You should ensure that key people and decision-makers have up-to-date knowledge about data protection legislation.

Discover more:

GDPR Article 25 – Data protection by design and by default

Relevant to: Data controllers and Data processors

Sign a data processing agreement between your company and any third parties that process personal data on behalf of your company.

Your data processing agreement should include any third-party services that handle the personal data of your data subjects. This includes analytics software, e-mail services, cloud servers, etc. You should only use third parties that are reliable and can make sufficient data protection guarantees.

Discover more:

GDPR Article 28 – Processor

Relevant to: Data processors

If you have business outside of the EU, appoint a business representative within the EU.

If your company operates outside the EU and collects data from EU citizens, you should designate a company representative in the Union. Your representative should handle all issues relating to processing. A local authority should be able to contact your representative.

Discover more:

GDPR Article 27 – Representatives of controllers or processors not established in the Union

Relevant to: Data controllers and Data processors

Do a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals.

To identify and minimise the data protection risks of a project, you must do a DPIA for processing that is likely to result in a high risk to the rights and freedoms of natural persons. You must consider both the likelihood and the severity of any impact on individuals in order to assess the level of risk.

Discover more:

GDPR Article 35 – Data protection impact assessment

Relevant to: Data controllers and Data processors

Report data breaches involving personal data to the local authority and to the data subject affected.

In the event of a personal data breach, you should notify the violation to local authority within 72 hours after discovery. In addition, you should report the nature of the data breach, the number of data subjects involved, the likely consequences of the data breach, and the measures you have taken to address the personal data breach. Unless the personal data leaked was encrypted, you should also communicate the data breach to the data subject whose data you lost.

Discover more:

GDPR Article 33 – Notification of a personal data breach to the supervisory authority

GDPR Article 34 – Communication of a personal data breach to the data subject

Relevant to: Data controllers and Data processors

Transfers of personal data to third countries or international organisations

You provide appropriate safeguards when transferring personal data to a third country or international organisation.

The European Commission has the power to decide whether a country outside the EU offers an adequate level of data protection. Only if the Commission determines that an adequate level of protection is ensured may you transfer personal data to a third country or international organisation. Derogations for specific situations include, but are not limited to conditions where the data subject has explicitly consented to the proposed transfer, and where the transfer is necessary for important reasons of public interest.

Discover more:

GDPR Article 45 – Transfers on the basis of an adequacy decision
GDPR Article 46 – Transfers subject to appropriate safeguards
GDPR Article 49 – Derogations for specific situations

Relevant to: Data controllers and Data processors

Privacy Rights

Your customers can easily request and receive access to their personal information.

Your customers have the right to see what personal data you have on them, how you are using them, how long you plan to store them, and why you keep them for that duration.

Discover more:

GDPR Article 15 – Right of access by the data subject

Relevant to: Data controllers and Data processors

Your customers can easily correct or update their personal information.

To the best of your capability, keep data updated by having a data quality process in place and making it easy for your customers to view and update their personal information.

Discover more:

GDPR Article 15 – Right of access by the data subject

Relevant to: Data controllers and Data processors

Your customers can quickly request deletion of their personal data, and you automatically delete data that you no longer have use for.

Generally, your customers have the right to ask you to delete all the personal data you have about them, and you are required to honour that request within a month. You should also automatically delete data that you no longer need, e.g. data for customers whose contracts have not been renewed.

Discover more:

GDPR Article 17 – Right to erasure (‘right to be forgotten’)

Relevant to: Data controllers and Data processors

Your customers can easily ask you to stop processing their data.

If specific grounds apply – mainly in the event of a dispute about the lawfulness of the processing or the accuracy of the data – your data subjects can request to restrict or stop processing their data. You must honour their request within a month. You are still allowed to keep storing their data after processing is restricted.

Discover more:

GDPR Article 18 – Right to restriction of processing

Relevant to: data controllers and data processors

Your customers can easily receive a copy of their personal data in a format easily transferred to another company.

You should be able to send the data of your customers in a commonly readable format – e.g. a spreadsheet – either to them or to a third party designated by them.

Discover more:

GDPR Article 20 – Right to data portability

Relevant to: Data controllers and Data processors

You have a procedure in place to protect the rights of your customers if you make decisions about them based on automated processes.

This is only applicable if you use automated processes to help you make decisions about people that have legal or ‘similarly significant’ effects. If you think this applies to you, you are required to set up a procedure to ensure the protection of people’s rights, freedoms, and legitimate interests.

Discover more:

GDPR Article 22 – Automated individual decision-making, including profiling

Relevant to: Data controllers

Consent

Processing consent must be freely given, specific, informed, and revocable.

If your website collects personal data, you should have an easily visible link to your privacy policy and confirmation that the user has accepted your terms and conditions. Pre-ticked boxes are not permitted, as consent requires affirmative action. It should also be as easy for your customers to revoke their consent as it was to give it.

Discover more:

GDPR Article 7 – Conditions for consent

Relevant to: Data controllers

Your privacy policy is clear and concise.

Your privacy policy should be written in clear and straightforward terms. Attempts to conceal the intent of the policy could void the agreement entirely.

Discover more:

GDPR Article 7 – Conditions for consent

Relevant to: Data controllers

If you process children’s personal data, you must verify their age and receive consent from their legal guardian.

For children younger than 16, a legal guardian must give consent for data processing. If consent is provided via your website, you should, to the best of your capability, make sure that approval was actually given by the legal guardian and not by the child.

Discover more:

GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services

Relevant to: Data controllers

You inform existing customers of any updates you make to your privacy policy.

If you update your privacy policy, you should inform your existing customers. For example, you should e-mail them in advance to prepare them for upcoming changes to your policy. In addition, you should explain clearly and concisely what has changed.

Discover more:

GDPR Article 7 – Conditions for consent

Relevant to: Data controllers

Follow-up

You follow up on best practices and changes to the policies in your local environment.

You regularly review policies for changes and effectiveness, changes in data handling, and changes to the state of affairs of other countries your data flow to.

Discover more:

GDPR Article 25 – Data protection by design and by default

Relevant to: Data controllers