
Follow our 10-step checklist for GDPR compliance. Working through these steps will help you meet the GDPR requirements for data processing on all fronts and reduce your exposure to fines for non-compliance, because you will be able to show a supervisory authority what you did and why.


Step 1: Designate a Data Protection Officer (if required)

This step may not be required for every business, but we recommend starting here. If you designate a DPO, the rest of the tasks in this checklist can be delegated to them!

What Is a Data Protection Officer?

A Data Protection Officer (DPO) is a person designated by your organization to monitor, advise, and uphold your business’s GDPR compliance obligations. They report directly to the highest management level and act as the primary contact point for supervisory authorities and data subjects for all inquiries regarding data processing within your organization.

Read our guide on designating a Data Protection Officer.

Do all organizations need a DPO?

No, not all organizations are legally required to have a DPO, but most businesses benefit from having one. Under Article 37, your organization must designate a DPO only if:

  1. You are a public authority or body (other than a court acting in its judicial capacity), or
  2. Your “core activities” involve regular and systematic monitoring of individuals on a large scale (e.g., tracking and profiling), or
  3. Your “core activities” involve processing special categories of data (health, biometrics, religion, etc.) or criminal conviction data on a large scale.

To be clear, “core activities” are your organization’s primary activities. If you’re an indoor plant retailer, your “core activities” might be maintaining an inventory of beautiful plants or delivering plants to your online customers. Yes, you might run Google Analytics for your Shopify store, but that would (presumably) be to support your core activities, so you’re unlikely to need a DPO on that basis.

Step 2: Map your business’s data processing activities

The GDPR requires organizations to keep ‘records of processing activities’. Thankfully, for most small- to medium-sized businesses, this is quite straightforward, and it’s going to be extremely helpful for the steps that follow, so you may as well do it.

Does every business need to map their personal data processing activities?

Almost always. Article 30(5) exempts organizations with fewer than 250 employees, but only if the processing they carry out is “occasional”, is unlikely to result in a risk to data subjects, and does not involve special categories of data or criminal conviction data. Anything routine, such as a customer database, a mailing list or payroll, is not occasional. So unless you’re a cash-only farmers market vendor that refuses to take future orders, it’s unlikely you’ll meet the criteria.

What do I need to include in my records of processing activities for the GDPR?

Your data processing records need to contain:

  • The name and contact details of your business (the controller) and, where applicable, any joint controller, your representative in the EU, and your DPO.
  • The purposes of the processing.
  • A description of the categories of data subjects and personal data.
  • The categories of recipients to whom data is disclosed, including in third countries.
  • The envisaged time limits for erasure of different data categories.
  • A general description of technical and organizational security measures.
  • Any transfers of personal data to a third country or an international organization, including the identification of that third country or international organization.

These records must be in writing (including electronic form) and available to the supervisory authority upon request to demonstrate compliance. The easiest way to map the personal data processing activities of your business is with a spreadsheet.

Step 3: Create and implement internal data protection policies and procedures

Next, you’ll need to create some internal policies and guidelines that explain how your business handles personal data. Unlike your privacy policy, these policies are intended for internal use, and should clearly instruct your staff and contractors on how to uphold your organization’s commitment to lawful data processing.

If you’re ever inspected by regulators, these policies demonstrate that you’ve properly assessed the risks your business creates and taken appropriate steps to protect people’s data. This is sometimes referred to as demonstrating your business’s accountability under the GDPR’s risk-based approach.

Which policies and procedures are required for GDPR compliance?

There are seven internal data protection policies we recommend for GDPR compliance:

  1. General Data Protection Policy: Defines the roles, responsibilities, and organizational commitment to data protection.
  2. Data Protection by Design and Default Policy: Explains how your business implements data protection practices into all processing activities and business operations, from initial system design through ongoing operations.
  3. Security of Processing Policy: Addresses the security requirements for processing personal data in your organization, e.g., your encryption, access controls, system resilience, backup procedures, and regular security testing measures.
  4. Staff Access and Processing Instructions Policy: Establishes clear staff access permissions and processing instructions. This policy usually explains who accesses personal data, under what conditions, and how your organization monitors staff data processing activities.
  5. Data Retention Policy: Defines storage time limits for different data types and establishes the deletion procedures of your organization.
  6. Data Breach Documentation and Response Policy: Explains your organization’s procedures for detecting, handling, documenting, and reporting personal data breaches to authorities.
  7. Records of Processing Activities Policy: Documents your business’s personal data processing activities for use during a regulatory inspection. This typically includes the name and contact details of the organization and DPO, purposes of processing, categories of data subjects and personal data processed, data recipients, retention schedules, and descriptions of technical and organizational security measures.

The GDPR requires all businesses to implement privacy and data protection proactively into the very core of their operations, products, and services. This means treating it as a fundamental design requirement, not an afterthought. By making sure that each of these policies is embedded into your systems and processes, you’ll be checking this box.

Step 4: Publish a transparent privacy policy

The GDPR requires all data processing to be done “lawfully, fairly, and in a transparent manner in relation to the data subject.” To do this, you’ll need to explain your personal data processing activities (everything you collected in step 2) to your data subjects (anyone you collect personal data from), with an outward-facing document (your privacy policy).

How to make a privacy policy for your website

For businesses with standard data collection practices, the most economical way to create a privacy policy is with a privacy policy generator. This turns a job that could take days into a few minutes of work.

When to provide your privacy policy for GDPR compliance

Your privacy policy needs to be provided to data subjects at the time their personal data is collected (Article 13). The easiest way to meet this requirement is to place your privacy policy on a dedicated page of your website and link to it from your website’s footer, your cookie banner, and every form that collects personal data. If you obtain personal data from somewhere other than the data subject (a data broker, a partner, public sources), Article 14 requires you to provide the same information within a reasonable period and at most one month.

Step 5: Implement a consent mechanism

Consent is one of six legal bases in Article 6, and you only need it where no other basis fits. Many core activities rest on a different basis: fulfilling an order is “necessary for the performance of a contract”, and keeping tax records is a legal obligation. Where consent is the right basis (non-essential cookies, marketing emails, sharing data with partners), you’ll need a way for data subjects to give ‘valid consent’ for each specific purpose, separately. Don’t rely on consent for processing you can’t stop if the person says no, because consent that isn’t freely given and freely withdrawable isn’t valid.

It’s worth noting that Article 7 makes you responsible for being able to demonstrate that consent was given, should you be audited.

How to obtain valid consent for GDPR compliance on your website

The easiest way to obtain valid consent on your website is with a cookie consent banner, but only if it is built to meet the GDPR’s definition of consent: freely given, specific, informed and unambiguous, given by a clear affirmative action. In practice that means the banner must block non-essential cookies and tags until the user opts in, present no pre-ticked boxes and no “continuing to browse means you agree” wording, offer granular controls per purpose, link to the relevant information, and make withdrawing consent as easy as giving it (a persistent settings link, not a support ticket).

How to keep user consent logs in case you’re audited

The easiest way to document and manage user consent for compliance purposes is with a Consent Management Platform (CMP). A CMP keeps a log of each user’s consent choices, usually under a pseudonymous consent ID rather than a name or email address, together with when the choice was made, which purposes were accepted or refused, and which version of the banner text the user saw. That is the record you show an auditor. Usually, CMPs come packaged with a cookie banner (ours does).
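As an added illustration (not GetTerms code, and not any particular CMP’s storage format), here is a minimal per-purpose consent log in Python. The keyed hash, the secret name, the purpose strings and the sample users are assumptions made for the example. What it shows is the three properties an audit log needs: the raw identifier never reaches the log, every decision carries a timestamp and the banner version it was made against, and the processing check defaults to deny unless the most recent record for that purpose is a grant.

```python
"""Per-purpose consent log with pseudonymous subject IDs (added illustration)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed: a server-side secret used only to pseudonymise subject identifiers in
# the log, so the log on its own cannot be linked back to a named person.
CONSENT_LOG_KEY = b"replace-with-a-real-secret-from-your-kms"


def pseudonymise(subject_id: str) -> str:
    """Keyed hash: the same user always maps to the same token, but without the
    key the token is useless. A plain hash would be reversible for guessable
    identifiers such as e-mail addresses."""
    return hmac.new(CONSENT_LOG_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:32]


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # pseudonymised token, never the raw identifier
    purpose: str          # e.g. "analytics", "marketing" (one purpose per event)
    granted: bool         # True = opted in, False = withdrawn
    at: datetime
    banner_version: str   # which wording / UI the user actually saw


@dataclass
class ConsentLog:
    events: list = field(default_factory=list)

    def record(self, subject_id, purpose, granted, banner_version, at=None):
        ev = ConsentEvent(pseudonymise(subject_id), purpose, granted,
                          at or datetime.now(timezone.utc), banner_version)
        self.events.append(ev)
        return ev

    def latest(self, subject_id, purpose) -> Optional[ConsentEvent]:
        token = pseudonymise(subject_id)
        matches = [e for e in self.events if e.subject == token and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def may_process(self, subject_id, purpose) -> bool:
        """Default deny: no record (the user never clicked anything) means no consent,
        and a later withdrawal overrides an earlier grant."""
        ev = self.latest(subject_id, purpose)
        return bool(ev and ev.granted)

    def evidence(self, subject_id, purpose) -> dict:
        """What you hand to an auditor: the token and the full decision history for
        that purpose, each entry with the banner version it was made against."""
        token = pseudonymise(subject_id)
        return {"subject": token, "purpose": purpose,
                "history": [(e.at.isoformat(), e.granted, e.banner_version)
                            for e in sorted(self.events, key=lambda e: e.at)
                            if e.subject == token and e.purpose == purpose]}


def demo() -> ConsentLog:
    """Constructed sample: Alice opts in to analytics, then withdraws; Bob opts in to marketing."""
    log = ConsentLog()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    log.record("alice@example.com", "analytics", True, "banner-v3", t0)
    log.record("alice@example.com", "analytics", False, "banner-v3", t0.replace(day=9))
    log.record("bob@example.com", "marketing", True, "banner-v3", t0)
    return log
```

Call `may_process(user, purpose)` at the point where a tag is fired or a marketing email is queued, not at page load: consent must be checked for the purpose being carried out, and a withdrawal recorded an hour ago must already be respected.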

Step 6: Create a procedure for handling data subject requests

The GDPR requires you, the data controller, to respect the rights of your data subjects, and to facilitate and respond to their requests to exercise their rights or make complaints in a timely manner. Given how quickly time passes when you’re busy, we recommend putting in place a simple procedure for if and when the time comes.

How long do you have to respond to a data subject request or complaint?

You’ll need to respond to a data subject request without undue delay and in any event within one month of receiving it. This can be extended by two further months where necessary, taking into account the complexity and number of requests, but if an extension is needed, you, as the controller, must inform the data subject within one month of receiving the original request, with the reasons for the delay. Responses must normally be free of charge; you can only charge a reasonable fee (or refuse) for requests that are manifestly unfounded or excessive, and the burden is on you to show why.

What should your procedure for handling data subject requests include?

Your procedure for handling data subject requests should be written like an IKEA instruction manual (pictures optional), allowing your staff to complete a data subject request, even while you or your DPO is on holiday.

It should include:

  1. The essential rules all staff need to follow when handling data subject requests.
  2. What to do on receipt of a new data subject request (identification request, logging of the request).
  3. How to correctly verify a data subject’s identity.
  4. How to acknowledge a data subject request and respond with the required information.
  5. The procedure for assessing the request and acquiring the requested data.
  6. The procedure for actioning the request.
  7. How to deliver a response to the data subject confirming the necessary action has been taken.
  8. How to log the outcome of the request.
  9. How to provide feedback on the effectiveness of the data subject request procedure.
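To make the deadline rule concrete, here is an added example in Python (not from the original page) of a small DSAR register that computes the one-month and extended deadlines in calendar months, the way the ICO’s guidance calculates them: the same day of the month in the next month, or the last day of that month where that day doesn’t exist (a request received on 31 January is due on 28 or 29 February). The register name, fields and sample dates are assumptions; it ignores the weekend and public-holiday roll-over some regulators apply, and it starts the clock at receipt rather than at identity verification, so treat it as the strict reading.

```python
"""DSAR deadline register (added illustration, not from the original page)."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic: same day-of-month N months on, clamped to the last
    day of the target month when that day does not exist (31 Jan + 1 = 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


@dataclass
class DSAR:
    request_id: str
    received: date             # the day the request reached *any* part of the business
    extended: bool = False     # Art. 12(3) extension invoked?
    extension_reason: str = ""
    completed: Optional[date] = None
    log: list = field(default_factory=list)   # audit trail of actions taken

    def deadline(self) -> date:
        """One month from receipt, or three months if the extension was invoked
        (two further months on top of the original month)."""
        return add_months(self.received, 3 if self.extended else 1)

    def extension_notice_due(self) -> date:
        """The requester must be told about an extension within the original month."""
        return add_months(self.received, 1)

    def extend(self, on: date, reason: str) -> None:
        """An extension is only valid if notified in time and justified by the
        complexity or number of requests; otherwise the original deadline stands."""
        if on > self.extension_notice_due():
            raise ValueError("too late: extension notice must be sent within one month of receipt")
        if not reason:
            raise ValueError("extension must be justified by complexity or number of requests")
        self.extended, self.extension_reason = True, reason
        self.log.append((on, f"extended: {reason}"))

    def complete(self, on: date) -> None:
        self.completed = on
        self.log.append((on, "response delivered"))

    def status(self, today: date) -> str:
        """Open / due-soon (within 7 days) / OVERDUE, or completed / completed-late."""
        if self.completed:
            return "completed-late" if self.completed > self.deadline() else "completed"
        remaining = (self.deadline() - today).days
        if remaining < 0:
            return "OVERDUE"
        return "due-soon" if remaining <= 7 else "open"
```

Run `status(date.today())` over the whole register as a scheduled job and page the DPO (or whoever holds the role) on anything that is `due-soon`; the point of the register is that a request received while the owner is on holiday still surfaces before the month is up.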

Step 7: Implement data security measures

As a data controller, you have an obligation to implement appropriate and effective measures to minimize any risk associated with your data processing activities. This area of compliance is a head-scratcher for most businesses, so let us try to simplify it for you.

How strong do my data protection measures have to be for GDPR compliance?

The level of security you implement should be appropriate and effective for the level of risk posed by your data processing activities (established with a risk assessment). Some kinds of data require more protection, and some data processing activities are inherently riskier.

Do I just need to protect against a data breach?

No, but this is a common misconception. Data breaches are just one risk you need to protect against. You must also protect against anything that could lead to physical, material, or non-material damage, including discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, and any other significant economic or social disadvantage.

What security measures should my business be implementing for the GDPR?

Your security measures should ensure that personal data controlled by your organisation is:

  • Protected from unauthorised access: Measures could include unique accounts for every user, multi-factor authentication on every system that holds personal data, access limited to what each role actually needs (least privilege), strong passwords managed with a password manager, and a Clear Desk Policy for paper records.
  • Protected from accidental or unlawful destruction, alteration, or disclosure: Measures could include encryption of data at rest and in transit, regular backups kept separately from the production systems (so that ransomware or a compromised admin account cannot destroy both), and periodic test restores to prove the backups actually work.
  • Always available and restorable should data subjects request to see, remove, or update it: Measures could include a system restoration procedure for outages and appointing a DPO or another named owner to manage data subject access requests (DSARs).
  • Processed lawfully by your staff: Measures could include implementing a data processing policy, providing GDPR training for your staff, and logging who accessed personal data so that misuse can be detected and investigated.
  • Never kept for longer than necessary: Measures could include automated deletion or anonymisation once the retention period in your policy expires, and training staff on how to securely dispose of confidential documents.
  • Only processed for its original intended purpose: Measures could include using separate forms and lists for account/transactional versus marketing purposes.
  • Regularly tested: Article 32 expects you to test and evaluate the effectiveness of these measures, e.g., vulnerability scanning, penetration testing, and scheduled reviews of who still has access to what.

Data Protection Impact Assessment (DPIA) for high-risk data processing

Remember when you assessed whether you needed a DPO in step 1? The triggers overlap: if your core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, Article 35 also requires you to carry out a DPIA before you start, and each supervisory authority publishes a list of further processing types that require one (e.g., systematic monitoring of public areas, use of new technologies, matching or combining datasets). A DPIA describes the processing, assesses its necessity and proportionality, identifies the risks to data subjects, and records the measures that reduce them. If a high risk remains after the measures you can reasonably take, you must consult the supervisory authority (SA) under Article 36 before processing.

Step 8: Create Data Processing Agreements with third-party data processors

If you’re working with a third-party data processor, the GDPR requires that data processing be governed by a contract. The easiest way to meet this requirement is with a Data Processing Agreement (DPA).

What is a DPA?

A DPA is a contract between a data controller and a third-party data processor. Article 28(3) requires it to set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of both parties. Among other things, the processor must act only on your documented instructions, keep the data confidential, implement appropriate security measures, obtain your authorization before engaging sub-processors, assist you with data subject requests and breach notifications, delete or return the data at the end of the service, and allow audits.

Are DPAs automatically signed?

No, DPAs are not automatically signed – you need to actively enter into them with data processors. Many businesses unknowingly operate without proper DPAs in place, which puts them at risk.

Why do you need a DPA?

As the controller, you’re accountable for ensuring that personal data is processed lawfully, whether you handle it yourself or a third party does it for you. A processor, by contrast, is liable only where it has failed to meet the obligations the GDPR places specifically on processors or has acted outside or contrary to your lawful instructions. If you haven’t provided clear instructions and the processor does something unlawful, you may still be held liable. A DPA doesn’t make you immune, but it is itself a legal requirement, it fixes the instructions the processor must follow, and it gives you audit and termination rights if the processor doesn’t comply.

International data transfers with third parties

There’s a common misconception that the GDPR requires you to keep all personal data within the EU, but this isn’t the case. The real requirement is that people’s data protection rights follow their data wherever it goes. So, if you transfer the personal data of an individual in the EU to a country outside the EU/EEA (including to a cloud provider hosted there), Chapter V requires a recognised transfer mechanism: an adequacy decision for the destination country, Standard Contractual Clauses (SCCs) or Binding Corporate Rules, plus an assessment of whether the destination’s laws undermine those protections in practice. Record each transfer and its mechanism in your records of processing (step 2).

Step 9: Create data breach detection and response procedures

The GDPR requires you to notify your supervisory authority of any personal data breach unless it is unlikely to result in a risk to the individuals involved, and to tell those individuals directly when the risk to them is high.

What counts as a data breach?

Any time a security failure leads to personal data being accessed or disclosed without authorization, lost, destroyed accidentally or unlawfully, or altered, it’s a personal data breach. Loss of availability counts too: a ransomware attack, or losing the only copy of a dataset with no backup to restore from, is a breach even if nobody outside the organization saw the data.

The causes of data breaches can be lumped into three categories:

  1. Loss or theft: e.g. an employee laptop lost or stolen
  2. Internal threats: e.g. an employee leaking information after being fired
  3. External threats: e.g. hackers gaining unauthorized access to your website’s contact form submissions

What does the GDPR require you to do in the case of a data breach?

If you believe a data breach has occurred and that it’s likely to pose a risk to the data subjects involved, the GDPR requires you to notify the relevant supervisory authority within 72 hours of becoming aware of it. If you can’t gather all the facts in time, notify in phases: report what you know, give the reasons for any delay, and follow up. Where the breach is likely to result in a high risk to individuals (e.g., exposed credentials, financial or health data), you must also communicate it to the affected data subjects without undue delay. If you’ve assessed the breach and don’t see any risk to your data subjects’ rights, you don’t need to make a report, but write down the assessment and how you reached it. If a processor discovers a breach, it must notify you, the controller, without undue delay; your 72-hour clock starts when you become aware.

Whether you make a report or not, the GDPR requires you to document every personal data breach, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. This documentation may save you in the case of a serious breach, as the supervisory authority will use it to verify compliance.

Step 10: Regularly review your GDPR compliance measures

The GDPR requires you (the data controller) to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, compliance, and states that “those measures shall be reviewed and updated where necessary.” So, let’s make it a date to check in at a fixed interval.

How often does the GDPR require you to audit and review your data processing activities?

To meet this requirement, set a recurring date as often as you deem necessary. For businesses with fairly low-risk data processing, we recommend reviewing your compliance policies and procedures once a year. Why not review your GDPR compliance on January 28 each year – That’s Data Privacy Day (also called Data Protection Day in Europe) for the uninitiated.

What should you be looking at during a review of your data processing?

  • Checking for new risks or changes in technology or business operations that could affect data protection.
  • Auditing all technical and organizational measures, data processing records, and compliance procedures.
  • Reviewing DPIAs (if applicable), especially when there’s a change in the risk presented by processing operations.
  • Maintaining all internal policies, privacy notices, data processing agreements, and records of processing.
  • Continuously educating employees who handle personal data about their obligations and the latest compliance requirements. This is a task specifically mentioned for a Data Protection Officer (DPO), if one is designated.
  • Reviewing your logs of staff data processing training and inductions, noting any staff without form