This website uses cookies. View our cookie policy
Close
United Kingdom
Select regional store:

GDPR Compliance Checklist [Updated for 2019]

The principle of accountability is key to compliance with the EU GDPR (General Data Protection Regulation). Organisations that process personal data must not only comply with the Regulation’s requirements – they must also be able to demonstrate their compliance.


The GDPR compliance checklist:

  1. Establish an accountability and governance framework
  2. Scope and plan your project
  3. Conduct a data inventory and data flow audit
  4. Conduct a detailed gap analysis
  5. Develop operational policies, procedures and processes
  6. Secure personal data through procedural and technical measures
  7. Communications
  8. Monitor and audit compliance

 

1. Establish an accountability and governance framework

GDPR compliance requires board-level support. It’s therefore essential that the board understands the implications of the Regulation – both positive and negative – so that they can allocate the resources needed to achieve and maintain compliance.

What you need to do

  • Advise the board about data protection risks and the benefits of GDPR compliance.
  • Obtain management support for a GDPR compliance project.
  • Assign accountability for GDPR compliance to a director.
  • Incorporate data protection risk into your corporate risk management activities.

How we can help you

 

2. Scope and plan your project

Once you have obtained top-level support, you will need to work out what areas of your organisation fall under the GDPR’s scope.

What you need to do

  • Appoint and train a project manager.
  • Appoint a DPO (data protection officer) if necessary. If you’re unsure about whether or how to appoint a DPO, visit our DPO information page.
  • Identify other standards or management systems that could provide a framework for compliance, e.g. implementing ISO 27001 demonstrates that you follow information security management best practice, which helps you meet requirements for appropriate technical and organisational security measures.
  • Assess whether data protection by design and by default has been incorporated into processes and systems.
  • Consider the implications of Brexit in your planning.

How we can help you

 

3. Conduct a data inventory and data flow audit

To comply with the GDPR's data processing requirements you must be able to fully understand what data you process and how you process it. You should therefore:

What you need to do

  • Assess the categories of data you hold, where it comes from and the lawful basis for processing.
  • Create a map that shows how data flows to, through and from your organisation.
  • Use the data map to identify the risks in your data processing activities and determine whether a DPIA (data protection impact assessment is required.
  • Create records of personal data processing activities, as required by Article 30, drawn from the data flow audit and gap analysis.

How we can help you

  • Data Flow Mapping Tool and Compliance Manager
    Simplify the process of creating data flow maps and gain a thorough understanding of the personal data your organisation processes. Integration with Compliance Manager helps you track your compliance against specific GDPR articles.

    Shop now

  • GDPR data flow audit
    Our experts will conduct a thorough on-site audit of the personal data your organisation collects and processes, and provide a map that plots personal data in all its forms, wherever it is processed.

     Enquire now

 

4. Conduct a detailed gap analysis

You should assess your current workflows, processes and procedures to identify the gaps that you need to fill.

What you need to do

  • Audit your current compliance position against the GDPR’s requirements.
  • Determine which compliance gaps require remediation.

How we can help you

  • EU GDPR Compliance Gap Assessment Tool
    This questionnaire-driven tool helps you assess your organisation’s compliance position and identify any gaps for remediation.

    Shop now

  • GDPR Gap Analysis
    Get an on-site assessment of your privacy management and data processing practices from our data protection consultants, who will summarise your compliance gaps and provide remediation recommendations.

    Book now

 

5. Develop operational policies, procedures and processes

Having established your compliance gaps, you should bring your existing policies, processes and procedures into line with the GDPR’s requirements, and develop new ones to ensure you fulfil all of your legal obligations.

What you need to do

  • Ensure your data protection policies and privacy notices are in line with the GDPR.
  • Where you rely on consent as your lawful basis for processing, ensure it meets the GDPR’s requirements.
  • Review employee, customer and supplier contracts, and update them if necessary to cover personal data processing.
  • Plan how to recognise and handle DSARs (data subject access requests) and provide responses within one calendar month.
  • Have a process in place for determining whether a DPIA is required.
  • Review whether your mechanisms for transferring data outside the EEA are compliant, especially after Brexit.

How we can help you

  • GDPR contract and legal services
    Get expert legal advice and support to update privacy notices, data protection policies, supplier contracts and international data transfer agreements in accordance with the GDPR.

    Enquire now 

  • EU GDPR Documentation Toolkit
    Demonstrate your GDPR compliance with more than 80 indispensable policies, procedures, templates and worksheets to save you time and money on your GDPR compliance project.

    Shop now

  • DPIA Workshop
    This one-day workshop covers when to conduct a DPIA under the GDPR and uses a real-life case study to demonstrate best practices and methodologies, including the application of a DPIA tool to help assess and address privacy risks.

    Book now

 

6. Secure personal data through procedural and technical measures

The GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure that personal data is processed appropriately.

What you need to do

How we can help you

 

7. Communications

Staff awareness and education is a key component of any organisation’s GDPR compliance framework. Everyone involved in processing data must be appropriately trained to follow approved processes and procedures.

What you need to do

  • Ensure internal communications with stakeholders and staff effective.
  • Train your employees to understand the importance of data protection, basic GDPR principles and the procedures you have implemented to ensure compliance.

How we can help you

 

8. Monitor and audit compliance

GDPR compliance is an ongoing project – a journey rather than a destination. You should undertake periodic internal audits and regularly update your data protection processes. This includes checking your records of processing activities and consent, testing information security controls, and conducting DPIAs.

What you need to do

  • Schedule regular audits of data processing activities and security controls.
  • Keep records of personal data processing up to date.
  • Undertake DPIAs where required.

How we can help you


How IT Governance can help you comply with the GDPR

IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations globally address the challenges of GDPR compliance.

Browse our range of comprehensive solutions to help you meet your GDPR compliance objectives.


Speak to a GDPR expert

f you need help with your GDPR compliance project or are unsure about which of our products and services are best suited to your specific needs, get in touch with one of our GDPR experts today.