The GDPR Compliance Checklist

This is a list of the actual types (columns) of information being held (eg Name, social security nr, address,..). For each type, a source should be documented, the parties this information is shared with, the purpose of the information and the duration for which the company will keep this information.

Reference:

• GDPR Article 30 – Records of processing activities
• GDPR Data Map Template

This could be a list of databases (eg Mysql), but it could also include offline datastores (paper).

Reference:

• GDPR Article 30 – Records of processing activities

You should include information about all processes related to the handling of personal information. This document should include (or have links to) the types of personal information the company holds, and where it holds them.

Reference:

• GDPR Article 30 – Records of processing activities

It should contain a reason for data processing, eg the fulfillment of a contract.

Reference:

• GDPR Article 6 – Lawfulness of processing

A DPO is only required in three scenarios: (1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10. If a DPO is required, the DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.

Reference:

• GDPR Article 37 – Designation of the data protection officer

Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.

Reference:

• GDPR Article 25 – Data protection by design and by default

For SaaS software companies, use the SaaS CTO security checklist as a starting point below.

Reference:

• SaaS CTO security checklist
• GDPR Article 25 – Data protection by design and by default

A lot of security vulnerabilities involve cooperation of an unwitting person with access to internal systems. Make sure your employees are aware of these risks.

Reference:

• GDPR Article 25 – Data protection by design and by default

You should inform your customers of the use of any sub-processor. They should consent by accepting your privacy policy.

Reference:

• GDPR Article 28 – Processor
• ComplianceRank - Keep track of the compliance of cloud services & subprocessors

If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.

Reference:

• GDPR Article 27 – Representatives of controllers or processors not established in the Union

Personal data breaches should be reported within 72 hours to the local authority. You should report what data has been lost, what the consequences are and what countermeasures you have taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.

Reference:

• GDPR Article 33 – Notification of a personal data breach to the supervisory authority
• GDPR Article 34 – Communication of a personal data breach to the data subject

The contract should contain explicit instructions for the storage or processing of data by the processor. The contract should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. For example, this could include a contract with your hosting provider. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controller

Reference:

• GDPR Article 28 – Processor
• GDPR Article 29 – Processing under the authority of the controller or processor
• ComplianceRank - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 15 – Right of access by the data subject

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 16 – Right to rectification

You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.

Reference:

• GDPR Article 5 – Principles relating to processing of personal data

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 17 – Right to erasure (‘right to be forgotten’)

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 18 – Right to restriction of processing

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 20 – Right to data portability

This is only applicable if your company does profiling or any other automated decision making. If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• Article 22 – Automated individual decision-making, including profiling

If your website collects personal information in some way, you should have an easily visble link to your privacy policy and confirm that the user accepts your terms and conditions. Consent requires an affirmative action, so pre-ticked boxes are not permitted.

Reference:

• GDPR Article 7 – Conditions for consent

It should be written in clear and simple terms and not conceal it's intent in any way. Failing to do so could void the agreement entirely. When providing services to children, the privacy policy should be easy enough for them to understand.

Reference:

• Watchdog service for terms of service: Terms of Service; Didn't Read
• GDPR Article 7.2 – Conditions for consent

If you do not already have a process defined for this, we've made an easy online form below.

Reference:

• GDPR Form: Easy-to-configure web form to manage data requests from your customers & website visitors.
• GDPR Article 7.3 – Conditions for consent

For children younger than 16, you need to make sure a legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the legal guardian (and not by the child).

Reference:

• GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services

for example, by emailing upcoming changes of your privacy policy. Your communication should explain in a simple way what has changed.

Reference:

• GDPR Article 7 – Conditions for consent

You should follow up on best practies and changes to the policies in your local environment. Sign up at the bottom of this page to receive major updates to this list.

Reference:

• GDPR Article 25 – Data protection by design and by default
• ComplianceRank - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors

This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.

Reference:

• DPIA according to the Dutch local authority (Dutch)
• GDPR Article 35 – Data protection impact assessment

You should also disclose these cross-border data flows in your privacy policy.

Reference:

• GDPR Article 45 – Transfers on the basis of an adequacy decision
• ComplianceRank - Track hosting center locations & hosting partners from cloud services & subprocessors

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by you, the information may be provided orally, provided that your identity is proven by other means.

Reference:

• GDPR Article 12

This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party. 5) The recipients or categories of recipients of the personal data, if any. 6) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Reference:

• GDPR Article 13

This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) The categories of personal data concerned. 5) The recipients or categories of recipients of the personal data, if any. 6)Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

Reference:

• GDPR Article 14

You also have to right to access the following information: 1) The purposes of the processing. 2) The categories of personal data concerned. 3) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. 4) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. 5) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. 6) The right to lodge a complaint with a supervisory authority. 7) Where the personal data are not collected from the data subject, any available information as to their source. 8) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Reference:

• GDPR Article 15

Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Reference:

• GDPR Article 16

The controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies: 1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. 2) The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing. 3) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). 4) The personal data have been unlawfully processed. 5) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. 6) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Reference:

• GDPR Article 17

This right applies in the following situations: 1) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. 2) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. 3) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. 4) The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Reference:

• GDPR Article 18

This right is carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you requests it.

Reference:

• GDPR Article 19

This processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means.

Reference:

• GDPR Article 20

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Reference:

• GDPR Article 21

This does not applies if the decision: 1) is necessary for entering into, or performance of, a contract between the data subject and a data controller. 2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. 3) is based on the data subject’s explicit consent.

Reference:

• GDPR Article 22