
GDPR Compliance Checklist

The ability to prove GDPR (General Data Protection Regulation) compliance is critical – particularly in view of the accountability principle – and a comprehensive and effective privacy compliance framework will provide evidence to support your compliance claims.

This checklist, with recommended solutions, highlights the essential steps you need to take to comply with the GDPR and to demonstrate that compliance.

If you’re looking for help with your GDPR compliance efforts and aren’t sure where to start, get in touch with our GDPR experts, who can advise you on which of our products and services are best suited to your needs.


The GDPR compliance checklist:

  1. Establish an accountability and governance framework
  2. Scope and plan your project
  3. Conduct a data inventory and data flow audit
  4. Conduct a detailed gap analysis
  5. Develop operational policies, procedures and processes
  6. Secure personal data through procedural and technical measures
  7. Communications
  8. Monitor and audit compliance

GDPR compliance checklist steps

Each step below lists what you need to do, followed, where relevant, by our solutions.

1. Establish an accountability and governance framework

  • Brief management on the GDPR risks and opportunities.
  • Gain management support for a GDPR compliance project.
  • Assign a director with accountability for the GDPR.
  • Incorporate data protection risk into the corporate risk management and internal control framework.

2. Scope and plan your project

  • Appoint and train a project manager, and appoint a DPO (data protection officer) if necessary.
  • Identify which entities will be in scope: business units, territories, jurisdictions.
  • Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates information security best practice.
  • Assess the principle of data protection by design and by default against current or new processes and systems.
  • Consider Brexit implications in your planning.
  Our solutions:

  • Certified EU GDPR training
    Gain knowledge of the Regulation, and a practical understanding of the methods and tools for implementing and managing an effective compliance framework.
  • DPO as a service (GDPR)
    A practical and cost-effective outsourced solution for organisations that don’t have the requisite data protection expertise and knowledge to fulfil their DPO obligations under the GDPR.

3. Conduct a data inventory and data flow audit

  • Assess the categories of data held, where it comes from and the lawful basis for processing.
  • Map data flows to, through and from your organisation.
  • Use the data map to identify the risks in your data processing activities and whether a DPIA (data protection impact assessment) is needed.
  Our solutions:

  • Data Flow Mapping Tool and Compliance Manager
    The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes. Integration with Compliance Manager allows you to track your compliance against specific GDPR articles.
  • GDPR data flow audit
    Receive a thorough on-site audit, an inventory of the types of personal data collected and processed in your organisation, and a data flow map.

4. Conduct a detailed gap analysis

  • Audit your current compliance position against the GDPR’s requirements.
  • Identify compliance gaps requiring remediation.
  Our solutions:

  • GDPR Gap Analysis
    Get an on-site assessment of your organisation’s privacy management and data processing practices, and a report summarising compliance gaps and remediation recommendations.

5. Develop operational policies, procedures and processes

  • Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  • Ensure data protection policies and privacy notices are in line with the GDPR.
  • Where relying on consent, ensure quality of consent meets the GDPR’s requirements.
  • Review employee, customer and supplier contracts and update if necessary.
  • Plan how to recognise and handle DSARs (data subject access requests) and provide responses within one calendar month.
  • Have a process in place for determining whether a DPIA is required.
  • Review whether the mechanisms for data transfers outside the EEA are compliant.
  Our solutions:

  • DPIA Workshop
    This one-day workshop covers when to conduct a DPIA under the GDPR, and uses a real-life case study to demonstrate best practices and methodologies, including the application of a DPIA tool to help assess and address privacy risks.

6. Secure personal data through procedural and technical measures

  • Have an information security policy in place.
  • Put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
  • Use encryption and/or pseudonymisation where appropriate.
  • Ensure policies and procedures are in place to detect, report and investigate personal data breaches.
  Our solutions:

  • Penetration testing
    Undertake a security assessment of your websites and IT systems to ensure there is adequate protection against cyber attacks.

7. Communications

  • Complying with the GDPR is a business change project – effective internal communications with stakeholders and staff are key.
  • Employees need to understand the importance of data protection and be trained on basic GDPR principles and the procedures being implemented to ensure compliance.

8. Monitor and audit compliance

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.
  Our solutions:

  • Live Online GDPR Consultancy
    Purchase the number of hours of consultancy support you need and receive quick, expert advice on specific issues whenever you need guidance with your GDPR implementation.
  • GDPR Ask Us
    Need a quick answer to a GDPR question? Get quick and easy practical advice and guidance from a GDPR consultant by email or live chat.

Our GDPR webinar series

IT Governance runs regular webinars on the GDPR to help organisations plan and implement their GDPR compliance projects. With topics ranging from key responsibilities under the GDPR to how other information and cyber security requirements fall under the scope of GDPR compliance, you can learn from our experts and give yourself a head start.

Register for our upcoming webinars.

Speak to a GDPR expert

If you need help with your GDPR compliance project or are unsure about which of our products and services are best suited to your specific needs, get in touch with one of our GDPR experts today.