GDPR Checklist

Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it.

This is a list of the actual types (columns) of information being held (eg Name, social security nr, address,..). For each type, a source should be documented, the parties this information is shared with, the purpose of the information and the duration for which the company will keep this information.

Your company has a list of places where it keeps personal information and the ways data flows between them.

This could be a list of databases (eg Mysql), but it could also include offline datastores (paper).

Your company has a publicly accessible privacy policy that outlines all processes related to personal data.

You should include information about all processes related to the handling of personal information. This document should include (or have links to) the types of personal information the company holds, and where it holds them.

Your privacy policy should include a lawful basis to explain why the company needs to process personal information.

It should contain a reason for data processing, eg the fulfillment of a contract.

Your company has appointed a Data Protection Officer (DPO)

This person should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.

Create awareness among decision makers about GDPR guidelines

Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.

Make sure your technical security is up to date.

Firewall, Antivirus, Antispam, Login protection and regular scheduled updates.
GDPR Article 25 – Data protection by design and by default

Train staff to be aware of data protection

A lot of security vulnerabilities involve cooperation of an unwitting person with access to internal systems. Make sure your employees are aware of these risks.

You have a list of sub-processors and your privacy policy mentions your use of this sub-processor

You should inform your customers of the use of any sub-processor. They should consent by accepting your privacy policy.

If your business operates outside the EU, you have appointed a representative within the EU.

If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.

You report data breaches involving personal data to the local authority and to the people (data subjects) involved

Personal data breaches should be reported within 72 hours to the local authority. You should report what data has been lost, what the consequences are and what countermeasures you have taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.

There is a contract in place with any data processors that you share data with

The contract should contain explicit instructions for the storage or processing of data by the processor. For example, this could include a contract with your hosting provider.

You automatically delete data that your business no longer has any use for

You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.
GDPR Article 5 – Principles relating to processing of personal data

Your customers can easily request access to their personal information (gdpr Data Request page)

Create GDPR Data Request page.

Your customers can easily update their own personal information to keep it accurate (gdpr Data Request page)

Your customers can easily request deletion of their personal data (gdpr Data Request page)

Your customers can easily request that you stop processing their data (gdpr Data Request page)

Your customers can easily request that their data be delivered to themselves or a 3rd party (gdpr Data Request page)

Your customers can easily object to profiling or automated decision making that could impact them (gdpr Data Request page)

Only applicable if your company does profiling or any other automated decision making.

Ask consent when you start processing a person’s information

If your website collects personal information in some way, you should have an easily visible link to your privacy policy and confirm that the user accepts your terms and conditions.
(Cookie/Privacy optin)
GDPR Article 7 – Conditions for consent

Your privacy policy should be written in clear and understandable terms

It should be written in clear and simple terms and not conceal it’s intent in any way. Failing to do so could void the agreement entirely. When providing services to children, the privacy policy should be easy enough for them to understand.

It should be as easy for your customers to withdraw consent as it was to give it in the first place (gdpr Data Request page)

If you process children’s personal data, verify their age and ask consent from their legal guardian

For children younger than 16, you need to make sure a legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the legal guardian (and not by the child).

When you update your privacy policy, you inform existing customers

For example, by emailing upcoming changes of your privacy policy. Your communication should explain in a simple way what has changed. It’s also acceptable to mark changes on the privacy page – this policy of updating notification should be included in the privacy policy itself as well.

You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.

You should follow up on best practices and changes to the policies in your local environment.

Your business understands when you must conduct a DPIA for high-risk processing of sensitive data

This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.