GDPR Compliance Checklist


Checklist for GDPR compliance

The General Data Protection Regulation (GDPR) is a large and complex piece of legislation, which can make it difficult to comply with. In this article, we have created a list of some key questions that you and your organisation should consider in order to work out whether you are in breach of the GDPR or not.

Be aware that this list is not exhaustive and may not be appropriate for all organisations, so legal advice should be obtained if you are unsure whether you are fully compliant with the GDPR.

If you are looking for more information about the GDPR, including what it means and how the UK GDPR differs from the EU GDPR, click here to visit our GDPR FAQ article.


Lawful basis and transparency

Have you conducted an information audit?

Access control is an important facet of information security, so it is important to determine what sensitive information is processed and who has access to it

Data controllers with 250 or more employees, or who conduct high-risk data processing, are required to record their data processing activities. They must also be prepared to provide this list to regulators upon request.

The best way to demonstrate GDPR compliance (which is required by the GDPR) is to perform a Data Protection Impact Assessment (DPIA).

Smaller organisations with fewer than 250 employees should also perform a DPIA, as it will make it easier to meet the other requirements of the GDPR.

Remember to include:

  • The purposes of the processing
  • The kind of data that is processed
  • Who has access to any sensitive data within the organisation
  • Any third parties that also have access and where they are located
  • How the data is protected (such as the encryption methods used) and use of GDPR compliant services for data processing
  • When data will be erased

Do you have legal justification for your data processing activities?

Data processing is illegal under the GDPR unless it can be justified with one of the lawful bases.

Remember that:

  • If 'consent' is the lawful basis used, the requirements for consent must be met.
  • If 'legitimate interests' is the lawful basis used, a DPIA must be performed and recorded.

Do you provide clear information about your data processing and legal justification in your privacy notice?

The right to be informed means that organisations are required to tell people that their data is being collected, how it is processed, who has access to it and how you are keeping it safe. This information must be available to the person at the point at which their data is collected.

This is best done in the form of a privacy notice. It should be easy to access, concise, intelligible and use plain and simple language.


Data security

Do you take data protection into account at all times?

The principles of data protection by design and by default should be followed at all times. This means that both technical and organisational measures should be implemented to ensure data security.

Technical measures include encryption of the data being stored. Organisational measures include limiting the amount of personal data that is stored and deleting data when it is no longer needed.

Are you encrypting, pseudonymising or anonymising data where possible?

The GDPR requires encryption or pseudonymisation to be used where possible to improve data privacy.

Most productivity tools, such as email, messaging services and cloud storage, have encryption built in. However, organisations should always check the services that they use and are planning to use to make sure that this is definitely the case.

Have you created an internal security policy for your team members? Are they aware of the importance of data protection?

Operational security is just as important as technical security. This means that employees must be trained in the requirements of GDPR and data security.

Organisations should create a security policy that ensures all staff members are knowledgeable about data security, including guidance on:

  • Email security
  • Passwords
  • Two-factor-authentication
  • Device encryption
  • VPNs

Any employees with access to personal data or who are non-technical should receive extra training on GDPR requirements.

Are you aware of when a Data Protection Impact Assessment (DPIA) needs to be conducted? Do you have a process in place to carry it out?

DPIAs are used in order to gain an understanding of how a product or service could jeopardise customer data, and how the risk of this can be minimised.

The GDPR requires that this is performed whenever personal data is used in a way that is likely to present a high risk to the data subjects, but the Information Commissioner’s Office (ICO) recommends performing a DPIA every time an organisation intends to process personal data.

Do you have a process in place to notify the authorities in the event of a personal data breach?

In the event of unauthorised access to personal data, a notification must be made within 72 hours. This means that an organisation should have two plans in place to be used in the event of a data breach: one for informing the supervisory authority and another for contacting data subjects if required.

In the UK, this supervisory authority is the ICO.


Accountability and governance

Have you designated somebody to be responsible for ensuring GDPR compliance across your organisation?

As part of adopting data protection by design and by default, somebody in the organisation should be made responsible for ensuring GDPR compliance.

The person responsible should have the power to evaluate data protection policies and their implementation to keep them up to date with the latest technology and legislation.

Do you have data processing agreements in place between your organisation and any third parties that process personal data on your behalf?

Any third-party service that handles personal data that an organisation collects should have a data processing agreement with them. These services may include analytics software, email services and cloud servers.

Most services will have a standard data processing agreement on their website. Only use third parties that are reliable and can make sufficient data protection guarantees.

Have you appointed a representative within the UK?

Organisations outside of the UK that offer goods or services to individuals in the UK, or monitor the behaviour of individuals in the UK, must have a UK-based representative. This does not apply in certain circumstances, so click here to view the relevant ICO guidance.

Have you appointed a Data Protection Officer (DPO)?

An organisation must appoint a DPO if any of the following apply:

  • The organisation is a public body or authority and processes personal data (this doesn’t include courts or other independent judicial authorities).
  • The processing of personal data is the core activity of the organisation, and they regularly and systematically observe your data subjects on a large scale.
  • The organisation’s core activity is the processing of personal data that falls under one or more of the special categories of personal data (as defined in Article 9).

Their role is to monitor the organisation’s GDPR compliance, assess data protection risks, advise on DPIAs and cooperate with the regulatory authorities.


Privacy rights

Is it easy for customers to request and receive all the information you hold on them?

All organisations must uphold the privacy rights enshrined in the GDPR. This means that people must be able to request to see the personal data held on them.

Any copies sent must be easily accessible, and sent within one month of the request. If possible, oral formats should be offered to aid the visually impaired, and paper copies for people without computer access.

Also, the first copy they request must be free of charge, and a reasonable fee can be charged for any subsequent copies.

Finally, organisations must verify the identity of the person making the request.

Is it easy for customers to correct or update inaccurate or incomplete information you hold on them?

Make sure a data quality process is in place. It should make it easy for customers to view and update their personal information for accuracy and completeness.

Again, organisations must verify the identity of the person making the request and comply with it within one month.

Is it easy for customers to request their data be deleted?

People have the right to ask for their personal data to be deleted, and organisations must make this easy for people to do by, for example, providing a request form.

Is it easy for customers to ask you to stop processing their data?

Make sure that procedures are in place to deal with this type of request.

Remember that this type of request is usually only approved when there is a dispute regarding the lawfulness of any processing, and that the data can still be stored while processing is suspended.

Is it easy for customers to receive a copy of their personal data in a format that can be transferred to other companies easily?

When an organisation provides people with copies of their personal data, it must be in a format that is commonly readable, such as a spreadsheet.

Is it easy for customers to object to you processing their data?

Organisations must have a system in place to facilitate this type of request.

If a customer requests that their data is no longer used for direct marketing, this must be honoured immediately. Otherwise, processing may be allowed to continue if an organisation can demonstrate that they have a legitimate interest in doing so.

Do you have a procedure in place to protect people’s rights when making decisions based on automated processes?

If an organisation uses automated processes to help make decisions about people that have legal or similarly significant effects, they must make it easy for people to request human intervention and to challenge decisions that have already been made using automated processes.


Online GDPR Training

If you or your organisation are looking to learn more about the UK GDPR, consider taking our: