GDPR Compliance Checklist

1. Obtain board-level support and establish accountability

GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that it can allocate the resources needed to achieve and maintain compliance.

What you need to do:

•  Advise the board about data protection risks and the benefits of GDPR compliance.

•  Obtain management support for your GDPR compliance project.

•  Assign accountability for GDPR compliance to a director.

2. Scope and plan your GDPR compliance project

Once you have obtained top-level support, you will need to work out what areas of your organisation fall under the GDPR’s scope.

What you need to do:

•  Appoint and train a project manager.

•  Appoint a DPO (data protection officer) if necessary. If you’re unsure about whether or how to appoint a DPO. Visit our dedicated DPO page for more information..

•  Identify standards that could provide a framework to help you establish your compliance priorities:

• The international information security standard ISO 27001 can help you apply data security best practice, which helps you meet requirements for appropriate technical and organisational security measures of the GDPR (Article 32).
• Other standards such as ISO 27701 which provides the specifications for implementing a PIMS (privacy information management system).

•  Assess whether data protection by design and by default has been incorporated into processes and systems.

•  Consider the implications of Brexit in your planning.

3. Conduct a data inventory and data flow audit

To comply with the GDPR's data processing requirements you must be able to fully understand what data you process and how you process it.

What you need to do:

•  Assess the categories of data you hold, where it comes from and the lawful basis for processing.

•  Create a map that shows how data flows to, through and from your organisation.

•  Use the data map to identify the risks in your data processing activities and determine whether a DPIA (data protection impact assessment is required.

•  Create records of personal data processing activities, as required by Article 30, drawn from the data flow audit and gap analysis.

4. Undertake a comprehensive risk assessment

Risk assessments play a crucial role in any GDPR compliance plan. The GDPR encourages a risk-based approach to data processing.  This enables organisations to develop appropriate measures to manage their risks. However, the Regulation does not clarify how you should assess and quantify those risks.

What you need to do:

•  Establish the risk assessment plan.

•  Identify your risks.

•  Analyse and evaluate your risks.

•  Determine ways to control your risks.

5. Conduct a detailed gap analysis

Conducting a GDPR gap analysis will help you assess your current workflows, processes and procedures to identify any compliance gaps that you need to rectify. 

What you need to do:

•  Audit your current compliance position against the GDPR’s requirements.

•  Determine which compliance gaps require remediation.

6. Develop operational policies, procedures and processes

Having established your compliance gaps, you should bring your existing policies, processes and procedures into line with the GDPR’s requirements, and develop new ones to ensure you fulfil your legal obligations.

What you need to do:

•  Ensure your data protection policies and privacy notices are in line with the GDPR.

•  Where you rely on consent as your lawful basis for processing, ensure it meets the GDPR’s requirements.

•  Review employee, customer and supplier contracts, and update them if necessary to cover personal data processing.

•  Plan how to recognise and handle DSARs (data subject access requests) and provide responses within one calendar month.

•  Have a process in place for determining whether a DPIA is required.

•  Review whether your mechanisms for transferring data outside the EEA are compliant, especially after Brexit.

7. Secure personal data through procedural and technical measures

Article 32 of the GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.

What you need to do:

•  Have an information security policy in place.

•  Implement basic technical controls such as those specified by established frameworks like Cyber Essentials.

•  Use encryption and/or pseudonymisation where appropriate.

•  Ensure policies and procedures are in place to detect, report and investigate personal data breaches.

8. Ensure teams are trained and competent

Staff awareness and education is a key component of any organisation’s GDPR compliance framework. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.

What you need to do:

•  Ensure internal communications with stakeholders and staff are effective.

•  Train your employees to understand the importance of data protection, basic GDPR principles and the procedures you have implemented to ensure compliance.

9. Monitor and audit compliance

GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and regularly update your data protection processes. This includes checking your records of processing activities and consent, testing information security controls, and conducting DPIAs.

What you need to do:

•  Schedule regular audits of data processing activities and security controls.

•  Keep records of personal data processing up to date.

•  Undertake DPIAs where required.

•  Assess data protection practices and manage some of the more demanding elements of GDPR compliance.