Achieving GDPR compliance shouldn't feel like a struggle. This is a basic checklist you can use to harden your GDPR compliance.
If your organisation determines the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Each checklist item below is marked with the role(s) it applies to, so you can pick out the items relevant to your organisation.
This list is far from an exhaustive legal document; it merely tries to help you overcome the struggle.
Feel free to contribute directly on GitHub!
Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it. (controller, processor)
Your company has a list of places where it keeps personal information and the ways data flows between them. (controller, processor)
Your company has appointed a Data Protection Officer (DPO). (controller, processor)
Create awareness among decision makers about GDPR guidelines. (controller, processor)
Make sure your technical security is up to date. (controller, processor)
Train staff to be aware of data protection. (processor)
If your business operates outside the EU, you have appointed a representative within the EU. (controller, processor)
You report data breaches involving personal data to the local authority and to the people (data subjects) involved. (controller, processor)
There is a contract in place with any data processors that you share data with. (controller)
Your customers can easily request access to their personal information. (controller, processor)
Your customers can easily update their own personal information to keep it accurate. (controller, processor)
You automatically delete data that your business no longer has any use for. (controller, processor)
Your customers can easily request deletion of their personal data. (controller, processor)
Your customers can easily request that you stop processing their data. (controller, processor)
Your customers can easily request that their data be delivered to themselves or to a third party. (controller, processor)
Your customers can easily object to profiling or automated decision making that could impact them. (controller)
Ask for consent when you start processing a person's information. (controller)
It should be as easy for your customers to withdraw consent as it was to give it in the first place. (controller)
If you process children's personal data, verify their age and ask for consent from their legal guardian. (controller)
You regularly review policies for changes, effectiveness, changes in the handling of data and changes to the state of affairs in other countries your data flows to. (controller)
Your business understands when it must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing of sensitive data. (controller)
You only transfer data outside the EU to countries that offer an appropriate level of protection. (controller, processor)