The General Data Protection Regulation (GDPR) comes into force in EU privacy law on 25 May 2018. GDPR affects not just companies in the EU but also a wide range of companies around the world that work with or sell to EU companies. The changes introduced by GDPR affect a wide array of functions within most organizations. Here’s a GDPR compliance checklist that’ll help you be prepared.

For every subsection of this GDPR compliance checklist, we’ll dive into the articles of the GDPR guidelines that it covers and a list of things you should take care of as part of the process.

Data Governance

The first item in this GDPR compliance checklist is to ensure that, as an organization, you place data governance at the centre of everything you do. Compliance has to be a serious focus for the company. Internally, it is important to create and raise awareness of data privacy issues and to build a mindset in which every employee feels responsible. The key is to be proactive rather than reactive.

Action: Record keeping
Description: Maintain records of the controller and the Data Protection Officer (if applicable). Maintain the categories of data held and logs of transfers. Wherever possible, add descriptions of the measures taken to ensure security.
Applicable Articles of GDPR: Article 30

Action: Data Protection Officer (DPO)
Description: Establish whether the company is required to have a DPO. If it is not, you may still appoint a voluntary DPO. The DPO’s contact details must be notified to the regulatory authority and published to the public.
Applicable Articles of GDPR: Article 37

Action: Employee Training
Description: Employees who handle the personal data of either customers or other employees must be trained to handle it according to GDPR principles.
Applicable Articles of GDPR: Article 5

Action: Policies and Procedures
Description: There is no fixed set of policies and procedures; adopt the ones that apply to your business. Some of the items on the list are:
  • General Data Protection Policy
  • Data Subject Access Rights Procedure
  • Data Retention Policy
  • Data Breach Escalation and Checklist
  • Employee Privacy Policy and Notice
  • Processing Customer Data Policy
  • Guidance on Privacy Notices
Applicable Articles of GDPR: Article 5

Privacy Notices

Privacy notices put the transparency requirement of GDPR into practice. All notices issued must be informative, concise and clear. Employees and customers need to be adequately informed of all data processing activities, and the information set out in Articles 13 and 14 must be provided.

Action: Issue notices at the right time
Description: Notices must be given at the time the data is obtained from the data subject or, if the data was received from a third party, within a reasonable period after obtaining the data and at the latest within one month.
Applicable Articles of GDPR: Articles 12-14

Action: Be complete and concise
Description: Notices must be complete and provide all the required information, such as the identity of the controller, the purpose of processing, the retention period, consent, the right to withdraw consent, etc.
Applicable Articles of GDPR: Articles 12-14

Action: Easy to understand and comprehend
Description: The format of the notice should be easy to read, handle and understand.
Applicable Articles of GDPR: Articles 12-14

Fair Processing

The Fair Processing category means that, in order to lawfully process personal data, the conditions for processing must be met. This category is largely similar to the processing rules of the current Data Privacy Directive, apart from a few new requirements.

Action: Establish a legal basis for processing all the personal data that you hold
Description: As a business, you need to be able to show evidence that you have a legal basis to hold and process the personal data you hold. This may be consent from the data subject or a legal obligation of the controller, and special care is necessary where the data is that of a child.
Applicable Articles of GDPR: Articles 5, 6, 7, 9, 10, 85 to 91

Action: Profiling
Description: A few questions to answer here:
(a) Does your company carry out profiling on employees or customers?
(b) If so, does this profiling result in a decision about the individual that has a significant legal or similar effect on that individual, e.g. refusal of credit or rejection for an interview?
(c) If the answer to (b) is yes, does your company have the consent of the individuals to this profiling?
Applicable Articles of GDPR: Articles 5, 6, 7, 9, 10, 85 to 91

Action: Children
Description: If your business processes the personal data of children, consider the language used in privacy notices and plan how to obtain valid consent from parents/guardians.
Applicable Articles of GDPR: Articles 5, 6, 7, 9, 10, 85 to 91

Data Subject Rights

Existing data subject rights let individuals request access to their data, have it rectified or have it deleted. Under GDPR, the right is not just to access data but also to receive it in a machine-readable format, which is called data portability.

Action: Data subject access right
Description: As a company, can your employees or customers get access to the personal data about them that your company processes? Do you have employees trained to respond to such requests within the stipulated timeframe of one month?
Applicable Articles of GDPR: Article 15

Action: Processes to allow subjects to exercise their rights
Description: This checks whether, as a company, you have the technology and processes in place to allow data subjects to exercise their rights, such as the right to erasure, data portability, restriction of processing and the right to object.
Applicable Articles of GDPR: Articles 16-21


Privacy by Design and Default

One of the major objectives of GDPR is to bring privacy considerations to the forefront of every organization. The GDPR requires data protection requirements to be considered whenever new technologies are designed or on-boarded, or new projects using personal data are being planned. You should ensure that you perform an assessment of the impact on privacy as you onboard new projects.

Action: Privacy by design
Description: The controller shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures in an effective manner. The controller is responsible for integrating the necessary safeguards into the processing in order to meet the requirements of the regulation and protect the rights of data subjects.
Applicable Articles of GDPR: Article 25

Action: Privacy by default
Description: The controller shall implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual’s intervention.
Applicable Articles of GDPR: Article 25

International Data Export

Under the international data export rules of the GDPR, a company is permitted to export data to companies within its group and to third-party vendors outside the European Economic Area (EEA) only if the country in which the recipient of the data is established offers an adequate level of protection, or another approved transfer mechanism applies.

Action: Group companies or third-party vendors
Description: If you use group companies or third-party vendors to process data, there must be a written contract with each of them confirming that they meet the requirements set out in Article 28.
Applicable Articles of GDPR: Article 28

Action: Transferring data out of the EEA
Description: If you are exporting data outside the EEA, you need to rely on an approved transfer mechanism, which is one of the following:
(a) The recipient is in a country that has a finding of adequacy from the European Commission.
(b) If the transfer is within the company group, binding corporate rules are in place.
(c) Standard contractual clauses, as approved by the European Commission, are in place.
(d) If the transfer is to the US, it is made on the basis of the Privacy Shield.
(e) The data subject has consented to the transfer.
(f) The transfer is necessary to carry out a contract with the data subject.
(g) The transfer is in the public interest.
(h) The transfer is necessary to establish, exercise or defend legal rights.
(i) The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.
Applicable Articles of GDPR: Articles 44-49


Security

Action: Appropriate security measures for personal data
Description: Security has to be appropriate to the likely risks to individuals if the data were lost, stolen or disclosed to unauthorized people. Note that security covers both organizational and technical measures. Some factors to consider are:
• Pseudonymisation
• Encryption
• Ensuring ongoing integrity, confidentiality, availability and resilience
• The ability to restore data and access in a timely manner
• Processes for regularly testing security
Applicable Articles of GDPR: Article 32
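Two of the measures named in the Article 32 row above, pseudonymisation and data minimisation (the "privacy by default" requirement of Article 25), are easier to evaluate with a concrete implementation in front of you. The following is an added example written for this page, not code from the article or from any product it mentions. It assumes a flat customer record with a stable `customer_id`, a pseudonymisation key that is stored separately from the data set it protects, and a downstream analytics purpose that only needs a per-person identifier plus a couple of non-identifying attributes; all of those names and the sample records are constructed for illustration.

```python
"""Added example: pseudonymisation (Art. 32) and data minimisation (Art. 25).

Assumptions (not from the article): records are flat dicts with a stable
'customer_id'; the pseudonymisation key lives outside the exported data set;
analytics only needs a per-person pseudonym plus 'country' and 'plan'.
"""
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "name": "Alice Example", "country": "DE", "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "name": "Bob Example", "country": "FR", "plan": "free"},
]

# Fields that identify a person directly; they never leave the system of record.
DIRECT_IDENTIFIERS = ("customer_id", "email", "name")
# Fields the analytics purpose actually needs (privacy by default: nothing more).
ALLOWED_FOR_ANALYTICS = ("country", "plan")


def pseudonymise(customer_id: str, key: bytes) -> str:
    """Stable pseudonym for a customer: HMAC-SHA256 over the identifier.

    A keyed MAC rather than a bare hash: a party holding only the exported
    data set cannot rebuild the mapping from a list of known ids or e-mails,
    because the secret key is needed to recompute any pseudonym.
    """
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Analytics view of one record: pseudonym plus the allowed fields only."""
    view = {"pseudonym": pseudonymise(record["customer_id"], key)}
    for field in ALLOWED_FOR_ANALYTICS:
        view[field] = record[field]
    return view


def build_analytics_dataset(records: list, key: bytes) -> list:
    """Produce the minimised, pseudonymised data set for export."""
    return [minimise(r, key) for r in records]


def leaks_direct_identifier(dataset: list) -> bool:
    """Pre-export check: no direct identifier may appear as a field in any row."""
    return any(f in row for row in dataset for f in DIRECT_IDENTIFIERS)


def reidentify(pseudonym: str, records: list, key: bytes):
    """Controller-side lookup: only the key holder can map a pseudonym back.

    This is what keeps the data 'pseudonymised' rather than anonymous: the
    additional information (the key) is kept separately under the controller's
    own technical and organisational measures.
    """
    for r in records:
        if hmac.compare_digest(pseudonymise(r["customer_id"], key), pseudonym):
            return r["customer_id"]
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in practice: held in a KMS/HSM, not beside the data
    dataset = build_analytics_dataset(CUSTOMERS, key)
    assert not leaks_direct_identifier(dataset)
    for row in dataset:
        print(row)
    print("reidentify:", reidentify(dataset[0]["pseudonym"], CUSTOMERS, key))
```

The design point worth noting is the key: a plain `sha256(email)` would also produce stable identifiers, but anyone with a list of candidate e-mail addresses could recompute and match them, so the data set would not be meaningfully pseudonymised. Keeping the HMAC key under separate control is what lets the controller re-identify a subject when it must (for example to answer an access or erasure request) while the exported data set on its own cannot be linked back.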

Data Breach Procedures

A new item in the GDPR compliance checklist is the data breach notification rule. It requires organizations to act quickly, mitigate losses and, where the mandatory notification thresholds are met, notify regulators and affected data subjects.

Action: Mandatory notification
Description: Do you have the necessary procedures in place to report a breach to the regulator within 72 hours of becoming aware of it? The breach has to be investigated, details provided to the regulator and mitigating measures taken to address it.
Applicable Articles of GDPR: Article 33

Action: Notification to affected individuals
Description: If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Individuals need not be notified only if the data is encrypted or otherwise unintelligible to whoever obtained it.
Applicable Articles of GDPR: Article 34