Checklist: Being GDPR Compliant

GDPR Checklist

This checklist guides your organization on understanding, applying, and staying updated with the GDPR.

1. Know Your Personal Data

Understand what personal data you have. This might be things like names, addresses, or even IP addresses. Know where this data is coming from and who you’re sharing it with. Refer to FAQ 4 for more on data processing operations.

2. Legal Grounds for Processing

Make sure you have a legal reason to process personal data. This could be because someone gave you their consent, or because a contract allows you to. If you need someone’s consent, they must give it clearly.

3. Uphold People’s Rights

Respect individuals’ rights over their data. This includes their rights to access, correct, delete, restrict processing of, and object to the processing of their data. Refer to FAQ 8 for more on data subject rights.

4. Ensure Data Security

Put in place security measures to keep personal data safe. This could be encrypting the data or limiting access to it. Have a plan ready in case a data breach happens.

5. Data Transfer Outside the EU

If you’re transferring personal data outside the EU, make sure it’s still protected.

6. Conduct DPIA and Appoint a DPO

Conduct a Data Protection Impact Assessment (DPIA) when data processing is likely to be risky. If necessary, appoint a Data Protection Officer (DPO). Refer to FAQs 10 and 12 for more on the DPIA and the DPO.

7. Practice ‘Privacy by Design and Default’

Always consider data protection when creating new systems. These systems should process as little personal data as possible by default.

Refer to the FAQ below for a more in-depth understanding of GDPR concepts.


Frequently Asked Questions (FAQ)

  1. What is the GDPR? The General Data Protection Regulation (GDPR) is a European Union law that requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory.
  2. Who enforces the GDPR? GDPR is enforced by supervisory authorities in each EU member state.
  3. What are the penalties for non-compliance with the GDPR? Organizations that fail to comply with GDPR can face fines of up to €20 million or 4% of their global annual revenue, whichever is greater.
  4. What is a GDPR Data Processing Operation? A GDPR Data Processing Operation is any operation or set of operations performed on personal data, such as collection, storage, use, and deletion.
  5. What documentation is needed to prove GDPR compliance? It’s a good idea to document everything about your GDPR process to demonstrate that you’ve taken the right investigative steps and made reasonable efforts to fix any issues.
  6. What are the data requirements for the GDPR? Data can only be processed for the reasons it was collected, must be accurate and kept up-to-date, and must be stored such that a subject is identifiable no longer than necessary.
  7. Does GDPR compliance differ based on the number of employees a company has? GDPR doesn’t differentiate between the size of organizations.
  8. What are the data subject rights under the GDPR? Data subjects have the right to access their personal data and information about how their personal data is being processed. They also have the right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of GDPR regulations.
  9. How to comply with the seven principles of the GDPR? The GDPR comprises seven principles with which organizations must comply. They are: Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality (security); and Accountability.
  10. What is a Data Protection Impact Assessment (DPIA)? The GDPR requires controllers to conduct a DPIA where processing operations are likely to result in a high risk to individuals.
  11. What is Privacy by Design? Privacy by Design is a concept that requires organizations to consider privacy and data protection throughout the entire lifecycle of a product or service.
  12. What is a Data Protection Officer (DPO)? A DPO is a person responsible for ensuring that an organization is complying with GDPR requirements.
  13. How can I ensure GDPR compliance? Organizations can comply with GDPR by implementing technical and operational safeguards to protect personal data they control. The first step is to conduct a GDPR assessment to determine what personal data they control, where it is located, and how it is secured. They must also adhere to the privacy principles outlined in the GDPR, such as obtaining consent and ensuring data portability.
