If your organisation determines the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Use the filter below to view only the relevant checklist items for your organisation.
This list is far from an exhaustive legal document; it merely tries to help you overcome the struggle.
Feel free to contribute directly on GitHub!
Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it
Your company has a list of places where it keeps personal information and the ways data flows between them
Your company has appointed a Data Protection Officer (DPO)
Create awareness among decision makers about GDPR guidelines
Make sure your technical security is up to date.
Train staff to be aware of data protection
If your business operates outside the EU, you have appointed a representative within the EU.
You report data breaches involving personal data to the local authority and to the people (data subjects) involved
There is a contract in place with any data processors that you share data with
Your customers can easily request access to their personal information
Your customers can easily update their own personal information to keep it accurate
You automatically delete data that your business no longer has any use for
Your customers can easily request deletion of their personal data
Your customers can easily request that you stop processing their data
Your customers can easily request that their data be delivered to themselves or to a third party
Your customers can easily object to profiling or automated decision making that could impact them
Where processing is based on consent, such consent must be freely given, specific, informed, and revocable
It should be as easy for your customers to withdraw consent as it was to give it in the first place
If you process children's personal data, verify their age and ask consent from their legal guardian
You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.
Your business understands when you must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing of sensitive data.
You should only transfer data outside of the EU to countries that offer an appropriate level of protection
Right to receive transparent information, communication and modalities for the exercise of your rights.
Right to receive specific information when your personal data are collected from you directly.
Right to receive specific information when your personal data are not collected from you directly.
Right of access: You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access to your personal data.
Right to rectification: You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.
Right to erasure: You have the right to obtain from the controller the erasure of your personal data without undue delay.
Right to restriction of processing: You have the right to obtain from the controller restriction of processing.
Right to be notified regarding rectification or erasure of your personal data or restriction of processing: The controller shall communicate any rectification or erasure of your personal data or restriction of processing.
Right to portability: You have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which your personal data have been provided.
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.