The GDPR Checklist

Achieving GDPR Compliance shouldn't feel like a struggle. This is a basic checklist you can use to harden your GDPR compliancy.

if your organisation is determining the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Use the filter below to view only the relevant checklist items for your organisation.

This list is far from a legal exhaustive document, it merely tries to help you overcome the struggle.

Feel free to contribute directly on GitHub!

Select your organisation's role:

Data Controller: I determine why data is processed
Data Processor: I store or process data for someone else

Your data

Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it
processorcontroller
This is a list of the actual types (columns) of information being held (eg Name, social security nr, address,..). For each type, a source should be documented, the parties this information is shared with, the purpose of the information and the duration for which the company will keep this information.

Read more:
- GDPR Article 30 – Records of processing activities
- GDPR Data Map Template
Your company has a list of places where it keeps personal information and the ways data flows between them
controllerprocessor
This could be a list of databases (eg Mysql), but it could also include offline datastores (paper).

Read more:
- GDPR Article 30 – Records of processing activities
Your company has a publicly accessible privacy policy that outlines all processes related to personal data.
processorcontroller
You should include information about all processes related to the handling of personal information. This document should include (or have links to) the types of personal information the company holds, and where it holds them.

Read more:
- GDPR Article 30 – Records of processing activities
Your privacy policy should include a lawful basis to explain why the company needs to process personal information
controller
It should contain a reason for data processing, eg the fulfillment of a contract.

Read more:
- GDPR Article 6 – Lawfulness of processing

Accountability & management

Your company has appointed a Data Protection Officer (DPO)
processorcontroller
This person should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.

Read more:
- GDPR Article 37 – Designation of the data protection officer
Create awareness among decision makers about GDPR guidelines
processorcontroller
Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.

Read more:
- GDPR Article 25 – Data protection by design and by default
Make sure your technical security is up to date.
processorcontroller
For SaaS software companies, use the SaaS CTO security checklist as a starting point below.

Read more:
- SaaS CTO security checklist
- GDPR Article 25 – Data protection by design and by default
Train staff to be aware of data protection
processor
A lot of security vulnerabilities involve cooperation of an unwitting person with access to internal systems. Make sure your employees are aware of these risks.

Read more:
- GDPR Article 25 – Data protection by design and by default
You have a list of sub-processors and your privacy policy mentions your use of this sub-processor
processor
You should inform your customers of the use of any sub-processor. They should consent by accepting your privacy policy.

Read more:
- GDPR Article 28 – Processor
- GDPR Tracker - Keep track of the GDPR compliance of cloud services & subprocessors
If your business operates outside the EU, you have appointed a representative within the EU.
processorcontroller
If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.

Read more:
- GDPR Article 27 – Representatives of controllers or processors not established in the Union
You report data breaches involving personal data to the local authority and to the people (data subjects) involved
processorcontroller
Personal data breaches should be reported within 72 hours to the local authority. You should report what data has been lost, what the consequences are and what countermeasures you have taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.

Read more:
- GDPR Article 33 – Notification of a personal data breach to the supervisory authority
- GDPR Article 34 – Communication of a personal data breach to the data subject
There is a contract in place with any data processors that you share data with
controller
The contract should contain explicit instructions for the storage or processing of data by the processor. For example, this could include a contract with your hosting provider.

Read more:
- GDPR Article 29 – Processing under the authority of the controller or processor
- GDPR Tracker - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors

New rights

Your customers can easily request access to their personal information
processorcontroller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 15 – Right of access by the data subject
Your customers can easily update their own personal information to keep it accurate
processorcontroller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 16 – Right to rectification
You automatically delete data that your business no longer has any use for
processorcontroller
You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.

Read more:
- GDPR Article 5 – Principles relating to processing of personal data
Your customers can easily request deletion of their personal data
processorcontroller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 17 – Right to erasure (‘right to be forgotten’)
Your customers can easily request that you stop processing their data
processorcontroller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 18 – Right to restriction of processing
Your customers can easily request that their data be delivered to themselves or a 3rd party
processorcontroller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 20 – Right to data portability
Your customers can easily object to profiling or automated decision making that could impact them
controller
This is only applicable if your company does profiling or any other automated decision making. If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- Article 22 – Automated individual decision-making, including profiling

Consent

Ask consent when you start processing a person's information
controller
If your website collects personal information in some way, you should have an easily visble link to your privacy policy and confirm that the user accepts your terms and conditions.

Read more:
- GDPR Article 7 – Conditions for consent
Your privacy policy should be written in clear and understandable terms
controller
It should be written in clear and simple terms and not conceal it's intent in any way. Failing to do so could void the agreement entirely. When providing services to children, the privacy policy should be easy enough for them to understand.

Read more:
- Watchdog service for terms of service: Terms of Service; Didn't Read
- GDPR Article 7.2 – Conditions for consent
It should be as easy for your customers to withdraw consent as it was to give it in the first place
controller
If you do not already have a process defined for this, we've made an easy online form below.

Read more:
- GDPRform.io: automated online GDPR Form for exercising data subject's rights
- GDPR Article 7.3 – Conditions for consent
If you process children's personal data, verify their age and ask consent from their legal guardian
controller
For children younger than 16, you need to make sure a legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the legal guardian (and not by the child).

Read more:
- GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services
When you update your privacy policy, you inform existing customers
controller
for example, by emailing upcoming changes of your privacy policy. Your communication should explain in a simple way what has changed.

Read more:
- GDPR Article 7 – Conditions for consent

Follow-up

You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.
controller
You should follow up on best practies and changes to the policies in your local environment. Sign up at the bottom of this page to receive major updates to this list.

Read more:
- GDPR Article 25 – Data protection by design and by default
- GDPR Tracker - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors

Special cases

Your business understands when you must conduct a DPIA for high-risk processing of sensitive data.
controller
This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.

Read more:
- DPIA according to the Dutch local authority (Dutch)
- GDPR Article 35 – Data protection impact assessment
You should only transfer data outside of the EU to countries that offer an appropriate level of protection
processorcontroller
You should also disclose these cross-border data flows in your privacy policy.

Read more:
- GDPR Article 45 – Transfers on the basis of an adequacy decision
- GDPR Tracker - Track hosting center locations & hosting partners from cloud services & subprocessors

Disclaimer

The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.