This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important aspects of the GDPR. Before starting, you should first determine whether you process personal data as a “controller” or “processor”. The definition of these two terms can be found in our “GDPR Basics: Are you a Controller or a Processor?” article.
Data mapping and records of processing activities
Conduct information audit to map personal data flows
- organise an information audit across your organisation to identify the data that you process and how it flows into, through and out of your organisation;
- involve stakeholders with in-depth knowledge of your working practices;
- create a register of third parties with whom you may share personal information.
Document what personal data you hold, where it came from, who you share it with and what you do with it.
- maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it;
- records of processing activities should be kept in electronic form;
- ensure you have procedures to share this information with stakeholders and maintain ongoing changes when needed
Identify your lawful bases for processing and documented them.
- look at the various types of data processing you have documented in the section above;
- identify your lawful bases for carrying it out;
- document it into your records of processing activities.
Actions basing on specific legal bases
Review how you ask for and record consent.
- Identify from your records of processing activities which activities use consent as a legal basis of processing.
- Make sure you obtain valid consent from individuals.
- Make sure individuals can withdraw consent at any time.
- Don’t make consent a precondition of service.
Create systems to record and manage ongoing consent.
- Keep a record of when and how you got consent from the individual.
- Keep a record of the consent form and texts provided in it.
If you process data on basis of vital interests of an individual, document the circumstances where it will be relevant. Document your justification for relying on this basis and informs individuals where necessary.
- ensure guidance is available for staff on the circumstances where they need to use this lawful basis for processing;
- review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future; and then
- document where you rely on this basis and inform individuals if relevant.
If you are relying on legitimate interests as the lawful basis for processing, apply the three-part test and demonstrate you have fully considered and protected individual’s rights and interests.
- conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that you can justify your decision;
- if your LIA identifies significant risks, consider whether you need to do a data protection impact assessment (DPIA) to assess the risk and potential mitigation in more detail;
- keep your LIA under review, and repeat it if circumstances change; and
- include information about your legitimate interests in your privacy information.
Rights of individuals
Make Privacy Notice readily available to individuals.
- let individuals know who you are, why you are processing their data and who you share it with;
- be concise and to the point;
- be easy to understand;
- be clearly signposted and easy to access;
- be written in clear and plain language, particularly if addressed to a child;
- be free of charge;
- include different information depending on whether you obtained the data directly from the individual or not;
- explain the risks involved in the processing and the safeguards you have put in place.
Establish a process to recognise and respond to individuals’ requests to access their personal data.
- ensure a process is in place to allow you to recognise and respond to any requests for personal data within the timescales ;
- establish a policy on how to record any requests you receive verbally;
- include right of access procedures within your data protection policy;
- provide awareness training to all staff and specialist training to individuals who deal with any requests.
Make sure you have processes in place to ensure that the personal data you hold remains accurate and up to date.
- implement procedures to allow individuals to challenge the accuracy of the information you hold about them and have it corrected if necessary;
- create records management policies, with rules for creating and keeping records (including emails);
- conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing;
- regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones.
Implement a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be deleted.
- have procedures in place that allow individuals to request the deletion or erasure of information you hold about them if there is no compelling reason for you to continue processing it;
- have procedures to inform any other organisations you have shared the information with about the request for erasure;
- introduce procedures, if the data has been made public in an online environment, to inform other controllers who are processing the personal data to erase links to, copies or replication of that data;
- have procedures to delete information from any back-up systems;
- implement a written retention policy or schedule to remind you when to dispose of various categories of data, and help you plan for its secure disposal;
- regularly review the retention schedule to make sure it continues to meet business and statutory requirements.
Make sure you have procedures in place to respond to an individual’s request to restrict the processing of their personal data.
- review your procedures to determine where you may be required to restrict the processing of personal data;
- implement a process that enables individuals to submit a request to you; have a process to act on an individual’s request to block or restrict the processing of their personal data;
- have procedures to inform any other organisations you have shared the information with, if possible;
- inform individuals when you decide to lift a restriction on processing.
Make sure you have processes in place to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
- implement a process that will enable individuals to submit a request to you;
- have a process to allow you to recognise and respond to any individual requests in line with your legal obligations and statutory timescales;
- provide the personal data in a structured, commonly used and machine readable format;
- ensure that the medium in which you provide the data has appropriate technical measures in place to protect the data it contains;
- ensure that the medium in which you provide the data allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance.
Make sure you have procedures in place to handle an individual’s objection to the processing of their personal data.
- review your processes and privacy information to ensure you inform individuals of their right to object “at the point of first communication”. You should display or give this information clearly and separately from any other information;
- implement a process that will enable individuals to submit an objection request (this could include an online option);
- provide training or raise awareness amongst your staff to ensure they are able to recognise and respond (or know where to refer the request to) to an objection raised by an individual;
- establish a policy on how to record any objections you receive verbally; have procedures in place to consider the individual’s objection to the processing of their personal data and record the outcome;
- have processes to demonstrate, where appropriate, your reasons to continue with the processing, based on the compelling legitimate grounds outlined within the GDPR; and
- inform individuals of the outcome of their objection.
Make sure you have identified whether any of your processing operations constitute automated decision making under Article 22 of the GDPR and have procedures in place to deal with the requirements.
- carry out a Data Protection Impact Assessment (DPIA) to identify whether any of your processing operations constitute solely automated decision making with significant effects ;
- establish whether you can rely on one of the GDPR exceptions for the processing and keep a record of it;
- identify the appropriate condition if you are processing special category personal data and keep a record of it;
- ensure you inform individuals about the processing in your privacy information;
- introduce a process for individuals to obtain an explanation of the decision and request a review; and
- implement procedures and safeguards to address the risks involved with this type of processing.
Accountability and governance
Your organisation has an appropriate data protection policy.
You should have a standalone policy statement or general staff policy that:
- sets out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance;
- aligns with and covers the measures within this checklist as a minimum;
- management approve and you publish and communicate to all staff; and
- you review and update at planned intervals or when required to ensure it remains relevant.
Monitor your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
- establish a process to monitor compliance to the policies;
- regularly test the measures that are detailed within the policies to provide assurances that they continue to be effective;
- ensure that responsibility for monitoring compliance with the policies is independent of the persons implementing the policy, to allow the monitoring to be unbiased; and
- report any results to senior management.
Provide data protection awareness training for all employees.
- provide induction training on or shortly after appointment;
- update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
- provide specialist training for staff with specific duties, such as marketing, information security and database management.
Make sure you have written contract with any processors you use.
- ensure that you have a written contract in place whenever you use a processor (a natural or legal person or organisation which processes personal data on your behalf);
- check both new and existing contracts in force include certain specific terms, as a minimum, to ensure that data processing meets the requirements of the GDPR;.
- outline in the contract the technical and organisational arrangements the processor must have in place;
- include arrangements for security of processing, keeping records of processing activities, and notification of data breaches;
- refer to the Data Processing Agreement article to clarify responsibilities and liabilities, and to help you draft new contracts and amend existing ones;
- add all agreements to special register of data processing agreements to be sure you have covered all of your third parties.
Ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.
- ensure that any data you transfer outside the EU complies with the conditions for transfer set out in Chapter V of the GDPR;
- ensure that you have adequate safeguards and data security in place, that is documented in a written contract using standard data protection contract clauses; and
- implement measures to audit any documented security arrangements on a periodic basis.
Manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
- have a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
- ensure that you have processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts which are associated with your business activities and information (risk register); and
- apply controls to mitigate the risks you’ve identified within agreed appetites and regularly test these controls to ensure they remain effective.
Implement appropriate technical and organisational measures to integrate data protection into your processing activities.
- look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business;
- consider pseudonymising the personal data where appropriate to render the data record less identifying and therefore reduce concerns with data sharing and data retention;
- reflect technical and organisational security measures in your records of processing activities;
- regularly undertake reviews of your public-facing documents, policies and privacy notice(s) to ensure they meet the renewed transparency requirements under the GDPR;
- ensure any current and/or new processes or systems enable you to comply with an individual’s rights under the GDPR; and
- create, review and improve your data security features and controls on an ongoing basis.
Understand when you must conduct a DPIA and has processes in place to action this.
- establish a policy which sets out when you should conduct a DPIA, who will authorise it and how it will be incorporated into the overall project plan. A DPIA screening process may be a useful tool in determining whether a DPIA is required;
- assign responsibility for completing DPIAs to a member of staff who has sufficient control over the project to effect change eg Project Lead/Manager;
- where a DPIA is required, ensure you complete the process before beginning the project;
- ensure your process for completing a DPIA includes consultation with the DPO/ data protection lead, data processors, third party contractors and with the public/their representatives in most cases;
- ensure the information contained within the DPIA complies with the requirements under the GDPR and that you detail the results within a report;
- where a DPIA indicates that the processing would result in a high risk and you are unable to mitigate those risks by reasonable means, ensure your business consults with the Data protection Authority in your country prior to commencing processing.
Read more in in our Data protection Impact assessment guide.
Make sure you have a DPIA framework which links to your existing risk management and project management processes.
- review your existing risk and project management processes and ensure there is consistency and links with your DPIA processes in place;
- drive awareness of DPIAs across your business, and particularly amongst risk and project teams so that they understand the requirements; and
- ensure DPIA documentation is readily available for staff to use and that you have trained them on how to conduct the assessment.
If required, appoint a DPO. In other cases, nominate a data protection lead.
- designate responsibility for data protection compliance to a suitable individual;
- support the appointed individual through provision of appropriate training;
- ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
- register the details of your DPO with the Data protection Inspectorate of your country; and
- document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.
Make sure decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
- clearly set out your business’s approach to data protection and assign management responsibilities;
- ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
- assess and identify areas that could cause data protection or security compliance problems and record these on your business’s risk register;
- deliver training which encourages personal responsibility and good security behaviours; and
- run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.
Security and breach prevention
Create an information security policy supported by appropriate security measures.
- develop, implement and communicate an information security policy;
- ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance and security breach / incident management;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with your security policy;
- implement periodic checks for compliance with policy, to give assurances that security controls are operational and effective; and
- deliver regular staff training on all areas within the information security policy.
Make sure you have an effective process to identify, report, manage and resolve any personal data breaches.
- train staff how to recognise and report breaches;
- have a process to report breaches to the appropriate individuals as soon as staff become aware of them, and to investigate and implement recovery plans;
- put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify the breach to the Data Protection Authority and inform affected individuals;
- monitor the type, volume and cost of incidents to identify trends and help prevent recurrences; and
- conclude a breach register and document all breaches there, even if you don’t need to report them.