A 17-Step GDPR Compliance Checklist to Keep Personal Data Secure

June 01, 2023

In 2015, the European Union passed the General Data Protection Regulation (GDPR), reshaping how organizations around the world can collect and process personal data. The goal of GDPR is clear: help consumers understand and control what kind of data companies collect, who it’s shared with, and what it’s used for.

The how of GDPR compliance is a little murkier. The law requires organizations to take steps to safeguard personal data and keep users informed of their data privacy rights but doesn’t specify what all of those safeguards should be. While this flexibility is meant to allow organizations to tailor their approach to their unique systems, processes, and customers, it can make it difficult for companies to ensure they’re complying with the law.

To help clarify what’s required to comply with GDPR, we’ve created an interactive checklist you can use to verify you’ve put the proper safeguards in place.

Who needs to comply with the GDPR?

The first question to ask is: do GDPR regulations apply to your organization?

GDPR is a data privacy law that gives EU citizens and residents greater insight into and control over the personal data organizations collect and how it’s processed.

While the GDPR is EU legislation, it has far-reaching implications. GDPR applies to any organization that collects and processes personal data from EU citizens or residents — even companies outside of the EU. Any organization with a global presence should strive to be GDPR compliant.

An overview of GDPR requirements

The actual GDPR document is fairly lengthy — 88 pages of legal text that includes 99 articles and 173 recitals. If you’re interested in diving deeper into what’s necessary to become GDPR compliant, check out our article that explains GDPR requirements in detail. Here, we’ll summarize the essentials before jumping into the compliance checklist.

1. Establish a legal basis for data processing

Whether your organization is a data processor or a data controller, it must have a valid legal basis for collecting and processing personal data. Under GDPR, these legal bases include:  

  • A data subject freely gave clear, unambiguous consent for personal data processing.
  • Data processing is necessary to fulfill contractual or legal obligations.
  • Processing the data will save somebody’s life.
  • Processing the data is in the public interest.
  • The organization has a “legitimate interest,” meaning it uses personal data in a way that the data subject would already expect. For example, a financial institution analyzes personal data to detect and prevent fraudulent transactions.

Organizations are required to document their lawful basis and notify data subjects.

2. Obtain explicit consent from data subjects

An organization that uses a data subject’s consent as its legal basis must be able to prove that it obtained that consent fairly. Data subjects have to be fully informed about how you process their data, and they have to freely and unambiguously agree to the processing of personal data.

In other words, you are required to explain to data subjects how you process their data and their data privacy rights under GDPR in clear, simple terms. Many organizations do this through a privacy notice that’s publicly posted on their website.

You can’t coerce or trick users into giving consent, and you can’t leave out details that keep them from exercising their rights under GDPR, such as their right to opt out of data processing or request their personal data be erased.

3. Respect data subject rights

Data subjects have certain rights under the GDPR that organizations are required to uphold. These include:

  • The right to be informed: Data subjects must be informed of how you process personal data and for what purpose. This requirement applies even if data is being transferred to a third party. 
  • The right of access: Data subjects have the right to know what personal data you’ve collected about them, where and how it’s being collected, why it’s being processed, and how long it will be kept. 
  • The right of rectification: Data subjects have the right to correct any inaccurate or incomplete personal data. 
  • The right to erasure: Data subjects can request deletion of their personal information. 
  • The right to restrict processing: In certain situations, data subjects can request that you change how you process their personal information. 
  • The right to data portability: If a data subject requests their personal data, you must provide it to them free of charge and in an easily accessible format.
  • The right to object: Data subjects can object to the processing of their personal data. You must honor that objection unless you can prove that you have a legal basis for processing it. 

4. Implement technical and organizational safeguards

Organizations must establish “appropriate technical and organizational measures” to ensure any customer data that’s processed is properly secured.

The GDPR doesn’t specify an exact list of security measures, allowing organizations some flexibility in building an information security posture that suits their unique needs. Examples of data security controls are multi-factor authentication, data encryption, firewalls, user access controls, and security awareness training.

5. Send breach notifications

In the event of a data breach, GDPR requires organizations to notify affected data subjects within 72 hours (or have adequate justification for a delay).

Breach notifications must explain how many people and data records were affected, the likely consequences, and what the data controller has done to mitigate the effects of the breach. Notifications also need to include the name and contact information of the organization’s data protection officer.

6. Appoint a data protection officer (if applicable)

Data protection officers (DPOs) oversee the organization’s overall data protection strategy. They’re responsible for ensuring employees are trained on GDPR requirements, completing regular compliance audits, and maintaining documentation to prove compliance.

Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject requests their personal data be erased, the data protection officer is required to respond to that request within one calendar month. 

7. Design with privacy in mind

Organizations must take data privacy and protection into consideration when designing any new products or services. At every stage of development, companies need to limit personal data collection to what’s absolutely necessary to deliver the product or service, and detail the specific steps they’ll take to keep that data safe. 

8. Conduct a data protection impact assessment

Whenever a data subject consents to data collection or processing, they are taking on a certain level of risk. Their data might be stolen or leaked in a personal data breach and used for fraudulent purposes. A Data Protection Impact Assessment (DPIA) explains how your organization identifies and minimizes those risks. 

9. Restrict personal data transfers

GDPR includes strict conditions for transferring personal data outside of the EU. When data transfers are allowed, GDPR requires both the data importer and data exporter to take appropriate steps to protect the personal data being transferred.  

10. Complete regular data privacy training

Because GDPR legislation is fairly complex, regular data privacy training is required to help employees handle different categories of personal data securely. GDPR training should explain what the law is and where it applies, data subject rights, the responsibilities of both data controllers and data processors, and how to respond to a cybersecurity incident.

GDPR checklist: Assess your organization’s approach to data privacy

To help you gauge your organization’s level of GDPR compliance, we’ve created this interactive checklist. Check out the steps below to verify you’re fully compliant, or identify and remedy any gaps. 

*This checklist is intended as guidance only and is not a substitute for legal advice. Always consult with a lawyer to ensure your organization is fully compliant with GDPR. 

GDPR Compliance Checklist

  • Comply with data processing requirements
  • Inform users of data privacy practices
  • Implement data security safeguards

Get 100% confidence in your GDPR compliance with Secureframe

We make the GDPR compliance process simple and straightforward. Get a library of policies vetted by GDPR experts, proprietary GDPR training for employees, and access to in-house compliance experts that will keep you up-to-date on the latest GDPR regulations. You’ll get assurance of full GDPR compliance so you can focus on serving your customers and growing your business.

Learn more about our GDPR compliance offering, or schedule a demo to see our compliance automation platform in action.


Do I have to comply with GDPR?

If your organization collects or processes the personal information of EU citizens or residents, it must be GDPR compliant.

What are the 7 principles of GDPR?

Article 5.1-2 of the GDPR document outlines seven protection and accountability principles organizations must abide by when processing personal data. They are: 

  1. Lawfulness, fairness, and transparency: Data processing must be lawful, fair, and transparent to the data subject. 
  2. Purpose limitation: Data processing must be limited to the purposes explicitly stated to the data subject when you collected it. 
  3. Data minimization: Organizations may only process as much data as absolutely necessary for the purposes specified. 
  4. Accuracy: Personal data must be kept accurate and up to date.
  5. Storage limitation: Personal data may only be stored for as long as necessary for its specified purpose. 
  6. Integrity and confidentiality: Data must be processed in a way that ensures security, integrity, and confidentiality. 
  7. Accountability: Data controllers need to be able to demonstrate that their data processing activities are compliant with all of these GDPR principles. 

What are the penalties for GDPR non-compliance?

Data protection authorities (DPAs) issue two tiers of penalties for non-compliance with GDPR. Less severe violations result in fines of up to 10 million euros, or 2% of the company’s global annual revenue from the previous financial year, whichever is higher. 

The second tier of penalties is for violating the core principles of GDPR and can result in fines of up to 20 million euros, or 4% of the company’s global annual revenue from the previous financial year, whichever is higher. Those affected by the breach also have the right to seek compensation for damages. 

What is a data protection officer?

Data protection officers oversee the organization’s data protection strategy and its implementation. Data protection officers also act as the main point of contact for both supervisory authorities and data subjects. If a data subject inquires about how their data is being processed or submits a request for erasure, the data protection officer must respond. 

What are the different categories of personal data?

GDPR specifies certain ‘special categories of personal data.’ These categories include sensitive data that requires greater levels of protection:

  • Racial or ethnic data
  • Political affiliation or opinions
  • Religious beliefs
  • Trade union memberships
  • Biometric data
  • Health data
  • Sexual orientation or activity
  • Genetic data 

What is a data controller vs a data processor?

GDPR differentiates between a data controller and a data processor, and not all organizations involved in data processing have the same responsibilities.

  • Data controllers: The individual who decides how and why personal data will be processed. Example: Organization employees who manage or handle data.
  • Data processors: Any third party that processes personal data on behalf of a data controller. Examples: Cloud service providers, email service providers.