GDPR Compliance Checklist

The principle of accountability is key to the GDPR (General Data Protection Regulation): organisations that process personal data must not only comply with the Regulation’s requirements, but also be able to demonstrate that compliance.

The checklist below sets out the eight essential areas you should check to ensure you can demonstrate your organisation’s compliance with the GDPR.

It also provides links to the IT Governance products and services that will help you meet your compliance obligations.

If you’re looking for help with your GDPR compliance efforts and aren’t sure where to start, get in touch with our GDPR experts who can advise you on which of our products and services are best suited to your needs.


The GDPR compliance checklist:

  1. Establish an accountability and governance framework
  2. Scope and plan your project
  3. Conduct a data inventory and data flow audit
  4. Conduct a detailed gap analysis
  5. Develop operational policies, procedures and processes
  6. Secure personal data through procedural and technical measures
  7. Communications
  8. Monitor and audit compliance


1. Establish an accountability and governance framework

GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that they can allocate the resources needed to achieve and maintain compliance.

What you need to do

  • Advise the board about GDPR risks and opportunities.
  • Gain management support for a GDPR compliance project.
  • Assign a director with accountability for the GDPR.
  • Incorporate data protection risk into the corporate risk management and internal control framework.

How we can help you

  • EU GDPR – A Pocket Guide
    Now in its second edition, this pocket guide explains the terms and definitions used in the GDPR, the Regulation’s key requirements, and how to comply.


  • GDPR Ask Us
    Need a quick answer to a GDPR question? Ask us. We make it quick and easy to get expert guidance.



2. Scope and plan your project

Once you have obtained top-level support, you will need to work out what areas of your organisation fall under the GDPR’s scope, and consider which existing approaches might be affected or could help your compliance efforts.

What you need to do

  • Appoint and train a project manager, and appoint a DPO (data protection officer) where the GDPR requires one (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data) or where you choose to do so.
  • Identify which entities will be in scope: business units, territories, jurisdictions etc.
  • Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates that you follow information security management best practice.
  • Assess the principle of data protection by design and by default against current or new processes and systems.
  • Consider Brexit implications in your planning.


3. Conduct a data inventory and data flow audit

It's impossible to comply with the GDPR's data processing requirements if you don't fully understand what data you process and how you process it.

What you need to do

  • Assess the categories of data held, where it comes from and the lawful basis for processing.
  • Map data flows to, through and from your organisation.
  • Use the data map to identify the risks in your data processing activities and determine whether a DPIA (data protection impact assessment) is needed.
  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.

How we can help you

  • Data Flow Mapping Tool and Compliance Manager
    The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of the personal data your organisation processes. Integration with Compliance Manager helps you track your compliance against specific GDPR articles.


  • GDPR data flow audit
    Our experts will conduct a thorough on-site audit of the personal data your organisation collects and processes, and provide a map that plots personal data in all its forms, origins, paths, exit points and storage locations.



4. Conduct a detailed gap analysis

The sensible approach to compliance is to establish what you don’t already do – assess your current workflows, processes and procedures – to identify the gaps that you need to fill.

What you need to do

  • Audit your current compliance position against the GDPR’s requirements.
  • Identify compliance gaps requiring remediation.

How we can help you

  • EU GDPR Compliance Gap Assessment Tool
    This questionnaire-driven tool helps you to make an assessment of your organisation’s compliance position and identify the gaps for remediation.


  • GDPR Gap Analysis
    Our data protection consultants will provide an on-site assessment of your privacy management and data processing practices, and produce a report summarising your compliance gaps and providing remediation recommendations.



5. Develop operational policies, procedures and processes

Once you know where the gaps are, you need the policies, procedures and processes that close them – and that let you evidence compliance when a supervisory authority or a data subject asks.

What you need to do

  • Ensure data protection policies and privacy notices are in line with the GDPR.
  • Where relying on consent, ensure quality of consent meets the GDPR’s requirements.
  • Review employee, customer and supplier contracts and update if necessary.
  • Plan how to recognise and handle DSARs (data subject access requests) and provide responses without undue delay and within one month of receipt; that period can be extended by a further two months for complex or numerous requests, provided you tell the data subject within the first month.
  • Have a process in place for determining whether a DPIA is required.
  • Review whether the mechanisms for data transfers outside the EEA are compliant.

How we can help you

  • GDPR contract and legal services
    Get legal advice and support in updating privacy notices, data protection policies, supplier contracts and international data transfer agreements to conform with the GDPR.


  • EU GDPR Documentation Toolkit
    Demonstrating your GDPR compliance is essential. Our GDPR Documentation Toolkit gives you a complete set of easily customisable GDPR-compliant documentation templates, to help you demonstrate your compliance with the GDPR's requirements.


  • DPIA Workshop
    This one-day workshop covers when to conduct a DPIA under the GDPR, and uses a real-life case study to demonstrate best practices and methodologies, including the application of a DPIA tool to help assess and address privacy risks.



6. Secure personal data through procedural and technical measures

The GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk of the processing – so the measures you choose must be justified by the risk analysis from your data flow audit, not picked off a generic list.

What you need to do

  • Have an information security policy in place.
  • Put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
  • Use encryption and/or pseudonymisation where appropriate.
  • Ensure policies and procedures are in place to detect, report and investigate personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals) and informing affected data subjects where the risk is high.
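The “encryption and/or pseudonymisation” point is where checklists most often go wrong in practice: replacing an email address with its unkeyed SHA-256 hash looks opaque but is trivially reversed by hashing a list of plausible addresses, so it is not pseudonymisation in the GDPR sense. The following is an added example (not code from IT Governance or from any of the products on this page) showing a keyed HMAC token whose key and re-identification table are held in a separate structure, standing in for the “additional information kept separately” the Regulation’s definition requires. The sample records, the `KeyVault` class and all function names are constructed for illustration.

```python
"""Pseudonymising a direct identifier (email) with a keyed HMAC.

Added example with constructed sample data. The KeyVault stands in for
whatever separately controlled store (HSM, KMS, restricted database)
holds the key and the token -> identifier table in a real deployment.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


def normalise_email(email: str) -> str:
    """Canonicalise so one person always yields one token."""
    return email.strip().lower()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it."""
    return hashlib.sha256(normalise_email(email).encode()).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the input behind a digest by trying plausible values.

    Succeeds against naive_hash; fails against HMAC tokens unless the
    attacker also holds the key (i.e. the separately held information).
    """
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return normalise_email(candidate)
    return None


@dataclass
class KeyVault:
    """Secret key plus re-identification table, stored apart from the data."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    table: dict = field(default_factory=dict)  # token -> normalised email


def pseudonymise(vault: KeyVault, email: str) -> str:
    """Return a deterministic keyed token and record it in the vault."""
    norm = normalise_email(email)
    token = hmac.new(vault.key, norm.encode(), hashlib.sha256).hexdigest()
    vault.table[token] = norm
    return token


def reidentify(vault: KeyVault, token: str) -> Optional[str]:
    """Only the key holder can go from token back to the identifier."""
    return vault.table.get(token)


def pseudonymise_records(vault: KeyVault, records: Iterable[dict],
                         field_name: str = "email") -> list:
    """Replace the identifier column in a dataset, leaving other fields."""
    out = []
    for record in records:
        copy = dict(record)
        copy[field_name] = pseudonymise(vault, copy[field_name])
        out.append(copy)
    return out


if __name__ == "__main__":
    # Constructed sample data.
    customers = [
        {"email": "Alice@Example.com", "plan": "premium"},
        {"email": "bob@example.com", "plan": "basic"},
    ]
    guesses = ["carol@example.org", "alice@example.com", "bob@example.com"]

    # The unkeyed hash falls to a small dictionary.
    print(dictionary_attack(naive_hash("Alice@Example.com"), guesses, naive_hash))

    # The keyed token does not, and is still reversible by the key holder.
    vault = KeyVault()
    tokens = pseudonymise_records(vault, customers)
    print(dictionary_attack(tokens[0]["email"], guesses, naive_hash))
    print(reidentify(vault, tokens[0]["email"]))
```

Two caveats for the practitioner: a deterministic token is linkable across datasets that share the same key, which is useful for answering a DSAR but means each dataset or purpose should get its own key; and because the key holder can re-identify, pseudonymised data remains personal data under the GDPR and still needs the rest of the controls on this list.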


7. Communications

Maintaining your compliance with the GDPR relies heavily on your staff properly understanding what they should do and why. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.

What you need to do

  • Complying with the GDPR is a business change project – effective internal communications with stakeholders and staff are key.
  • Employees need to understand the importance of data protection and be trained on basic GDPR principles and the procedures being implemented to ensure compliance.


8. Monitor and audit compliance

GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and update your data protection processes, including checking your records of processing activities and consent, testing information security controls, and conducting DPIAs.

What you need to do

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.

How we can help you


Download our free GDPR resources


Speak to a GDPR expert

If you need help with your GDPR compliance project or are unsure about which of our products and services are best suited to your specific needs, get in touch with one of our GDPR experts today.