The GDPR compliance checklist

GDPR

Achieving GDPR compliance can feel overwhelming – but it shouldn’t have to be a struggle. To simplify matters, we’ve put together this checklist to help you understand and strengthen your GDPR compliance.

Please note that the contents of this checklist do not constitute legal advice. If you are looking for advice relating to interpretation of this information and its accuracy, or you need help applying the GDPR laws to your specific circumstances, we recommend that you consult an attorney specialising in GDPR compliance.

Data controllers, data processors, and data subjects

Before you go through this checklist, you need to determine what GDPR items apply to you and your company or organisation. Here, we distinguish between items relevant to the data subject, the data controller, and the data processor.

To quickly navigate the checklist below, select your role to view only the checklist items relevant to you and your organisation.

The data subject

The data subject is the user: the natural person or individual whose personal data is collected, stored or processed. This means that the data subject is any individual who can be identified – directly or indirectly – via an identifier such as a name, an ID number, location data, or via factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.

The data controller

The data controller is the entity – the person, organisation etc. – that determines the purposes for which and how personal data is processed. This means that if your company or organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.

If your company or organisation jointly determines the ‘why’ and ‘how’ of personal data processing together with one or more organisations, it is a joint controller. Joint controllers must enter into an arrangement that specifies the respective roles and responsibilities for complying with the GDPR rules.

The data processor

The data processor processes personal data only on behalf of the data controller. Thus, the data processor is usually a third party external to the company. The duties of the data processor towards the controller must be specified in a contract or another legal act.

In some situations, an organisation may have both roles.

The GDPR compliance checklist

GDPR Checklist

User rights

Learn more:

GDPR Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject

Relevant to: data subjects

Learn more:

GDPR Article 13 – Information to be provided where personal data are collected from the data subject

GDPR Article 14 – Information to be provided where personal data have not been obtained from the data subject

Relevant to: data subjects

Learn more:

GDPR Article 15 – Right of access by the data subject

Relevant to: data subjects

Learn more:

GDPR Article 16 – Right to rectification

Relevant to: data subjects

Learn more:

GDPR Article 17 – Right to erasure (‘right to be forgotten’)

Relevant to: data subjects

Learn more:

GDPR Article 18 – Right to restriction of processing

Relevant to: data subjects

Learn more:

GDPR Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing

Relevant to: data subjects

Learn more:

GDPR Article 20 – Right to data portability

Relevant to: data subjects

Learn more:

GDPR Article 21 – Right to object

Relevant to: data subjects

Learn more:

GDPR Article 22 – Automated individual decision-making, including profiling

Relevant to: data subjects

Lawful basis and transparency

Learn more:

GDPR Article 6 – Lawfulness of processing

Relevant to: data controllers

Learn more:

GDPR Article 12 – Transparent information, communication and modalities

GDPR Article 30 – Records of processing activities

Relevant to: data controllers and data processors

Data and security

Relevant to: data controllers and data processors

Learn more:

GDPR Article 25 – Data protection by design and by default

GDPR Article 30 – Records of processing activities

Relevant to: data controllers and data processors

Even if your technical security is robust and operational security can still be a weak link. To minimise security risks, train your staff to be aware of data protection. Employees who have access to personal data and non-technical employees should receive extra training in GDPR requirements.

Learn more:

GDPR Article 25 – Data protection by design and by default

Relevant to: data processors

Management and accountability

The person you appoint should be empowered to evaluate data protection policies and the implementation of those policies.

Learn more:

GDPR Article 25 – Data protection by design and by default

Relevant to: data controllers

Learn more:

GDPR Article 37 – Designation of the data protection officer

Relevant to: data controllers and data processors

Learn more:

GDPR Article 25 – Data protection by design and by default

Relevant to: data controllers and data processors

Learn more:

GDPR Article 28 – Processor

Relevant to: data processors

Learn more:

GDPR Article 27 – Representatives of controllers or processors not established in the Union

Relevant to: data controllers and data processors

To identify and minimise the data protection risks of a project, you must do a DPIA for processing that is likely to result in a high risk to the rights and freedoms of natural persons. You must consider both the likelihood and the severity of any impact on individuals in order to assess the level of risk.

Learn more:

GDPR Article 35 – Data protection impact assessment

Relevant to: data controllers and data processors

In the event of a personal data breach, you should notify the violation to local authority within 72 hours after discovery. In addition, you should report the nature of the data breach, the number of data subjects involved, the likely consequences of the data breach, and the measures you have taken to address the personal data breach. Unless the personal data leaked was encrypted, you should also communicate the data breach to the data subject whose data you lost.

Learn more:

GDPR Article 33 – Notification of a personal data breach to the supervisory authority

GDPR Article 34 – Communication of a personal data breach to the data subject

Relevant to: data controllers and data processors

Transfers of personal data to third countries or international organisations

The European Commission has the power to decide whether a country outside the EU offers an adequate level of data protection. Only if the Commission determines that an adequate level of protection is ensured may you transfer personal data to a third country or international organisation. Derogations for specific situations include, but are not limited to conditions where the data subject has explicitly consented to the proposed transfer, and where the transfer is necessary for important reasons of public interest.

Learn more:

GDPR Article 45 – Transfers on the basis of an adequacy decision
GDPR Article 46 – Transfers subject to appropriate safeguards
GDPR Article 49 – Derogations for specific situations

Relevant to: data controllers and data processors

Privacy rights

Your customers have the right to see what personal data you have on them, how you are using them, how long you plan to store them, and why you keep them for that duration.

Learn more:

GDPR Article 15 – Right of access by the data subject

Relevant to: data controllers and data processors

Learn more:

GDPR Article 15 – Right of access by the data subject

Relevant to: data controllers and data processors

Learn more:

GDPR Article 17 – Right to erasure (‘right to be forgotten’)

Relevant to: data controllers and data processors

Learn more:

GDPR Article 18 – Right to restriction of processing

Relevant to: data controllers and data processors

Learn more:

GDPR Article 20 – Right to data portability

Relevant to: data controllers and data processors

This is only applicable if you use automated processes to help you make decisions about people that have legal or ‘similarly significant’ effects. If you think this applies to you, you are required to set up a procedure to ensure the protection of people’s rights, freedoms, and legitimate interests.

Learn more:

GDPR Article 22 – Automated individual decision-making, including profiling

Relevant to: data controllers

Consent

Learn more:

GDPR Article 7 – Conditions for consent

Relevant to: data controllers

Learn more:

GDPR Article 7 – Conditions for consent

Relevant to: data controllers

For children younger than 16, a legal guardian must give consent for data processing. If consent is provided via your website, you should, to the best of your capability, make sure that approval was actually given by the legal guardian and not by the child.

Learn more:

GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services

Relevant to: data controllers

Learn more:

GDPR Article 7 – Conditions for consent

Relevant to: data controllers

Follow-up

Learn more:

GDPR Article 25 – Data protection by design and by default

Relevant to: data controllers

Contact LogPoint

Get in touch with us and learn why leading brands choose LogPoint:

Get in touch