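<!doctype html>
<html lang="en-US" class="no-js no-svg">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <!-- Profile link requested over https; the original referenced gmpg.org over plain http. -->
  <link rel="profile" href="https://gmpg.org/xfn/11">
  <link rel="stylesheet" media="all" href="https://gdpr.eu/wp-content/cache/autoptimize/css/autoptimize_88073fbb10b912e714cec31503f2ec90.css">
  <title>GDPR compliance checklist - GDPR.eu</title>
  <!--
    Facebook JS SDK loader. It injects third-party code into the page at runtime: the
    script element it creates carries no Subresource Integrity attribute (the SDK file
    is updated in place by the CDN, so there is no stable hash to pin), and the inline
    loader itself is incompatible with a strict script-src Content-Security-Policy until
    it is moved to an external file. The SDK URL is written as explicit https instead of
    the original protocol-relative "//" form so it can never be fetched over http.
  -->
  <script>
    (function (d, s, id) {
      var js, fjs = d.getElementsByTagName(s)[0];
      if (d.getElementById(id)) { return; }
      js = d.createElement(s);
      js.id = id;
      js.src = "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6";
      fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));
  </script>
  <meta name="description" content="Use this GDPR compliance checklist to plan your organization's data privacy and security measures. Document your steps to show compliance.">
  <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1">
  <link rel="canonical" href="https://gdpr.eu/checklist/">
  <meta property="og:locale" content="en_US">
  <meta property="og:type" content="article">
  <meta property="og:title" content="GDPR compliance checklist - GDPR.eu">
  <meta property="og:description" content="Use this GDPR compliance checklist to plan your organization's data privacy and security measures. Document your steps to show compliance.">
  <meta property="og:url" content="https://gdpr.eu/checklist/">
  <meta property="og:site_name" content="GDPR.eu">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:description" content="Use this GDPR compliance checklist to plan your organization's data privacy and security measures.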
Document your steps to show compliance."><meta name=twitter:title content="GDPR compliance checklist - GDPR.eu"> <script type=application/ld+json class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://gdpr.eu/#organization","name":"GDPR.eu","url":"https://gdpr.eu/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https://gdpr.eu/#logo","url":"https://gdpr.eu/wp-content/uploads/2019/02/profile-pic-PH-gdpr.jpg","width":900,"height":900,"caption":"GDPR.eu"},"image":{"@id":"https://gdpr.eu/#logo"}},{"@type":"WebSite","@id":"https://gdpr.eu/#website","url":"https://gdpr.eu/","name":"GDPR.eu","publisher":{"@id":"https://gdpr.eu/#organization"},"potentialAction":{"@type":"SearchAction","target":"https://gdpr.eu/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"WebPage","@id":"https://gdpr.eu/checklist/#webpage","url":"https://gdpr.eu/checklist/","inLanguage":"en-US","name":"GDPR compliance checklist - GDPR.eu","isPartOf":{"@id":"https://gdpr.eu/#website"},"datePublished":"2018-06-20T10:07:12+00:00","dateModified":"2022-05-26T14:50:39+00:00","description":"Use this GDPR compliance checklist to plan your organization's data privacy and security measures. 
Document your steps to show compliance."}]}</script> <link rel=dns-prefetch href=//ws.sharethis.com><link rel=dns-prefetch href=//cdn.jsdelivr.net><link rel=dns-prefetch href=//maxcdn.bootstrapcdn.com><link rel=dns-prefetch href=//fonts.googleapis.com><link rel=dns-prefetch href=//use.fontawesome.com><link rel=dns-prefetch href=//s.w.org><link rel=alternate type=application/rss+xml title="GDPR.eu » Feed" href=https://gdpr.eu/feed/ ><link rel=alternate type=application/rss+xml title="GDPR.eu » Comments Feed" href=https://gdpr.eu/comments/feed/ > <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/gdpr.eu\/wp-includes\/js\/wp-emoji-release.min.js?ver=8c03ada028d9ba4936249699216631ae"}}; !function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return 
s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);</script> <style>img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; }</style><link rel=stylesheet id=simple-share-buttons-adder-font-awesome-css href='//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css?ver=8c03ada028d9ba4936249699216631ae' type=text/css media=all><link rel=stylesheet id=opensans-css href='https://fonts.googleapis.com/css?family=Open+Sans' type=text/css media=all><link rel=stylesheet id=font-awesome-css href=https://use.fontawesome.com/releases/v5.1.1/css/all.css type=text/css media=all> <script 
src="https://gdpr.eu/wp-content/cache/minify/c7035.js"></script> <script id=st_insights_js src='https://ws.sharethis.com/button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare'></script> <link rel=https://api.w.org/ href=https://gdpr.eu/wp-json/ ><link rel=EditURI type=application/rsd+xml title=RSD href=https://gdpr.eu/xmlrpc.php?rsd><link rel=wlwmanifest type=application/wlwmanifest+xml href=https://gdpr.eu/wp-includes/wlwmanifest.xml><link rel=shortlink href='https://gdpr.eu/?p=140'><link rel=alternate type=application/json+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Fchecklist%2F"><link rel=alternate type=text/xml+oembed href="https://gdpr.eu/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fgdpr.eu%2Fchecklist%2F&format=xml"><link rel="shortcut icon" href=https://gdpr.eu/wp-content/themes/gdpr/assets/favicon.ico><link rel=apple-touch-icon sizes=57x57 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-57x57.png><link rel=apple-touch-icon sizes=60x60 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-60x60.png><link rel=apple-touch-icon sizes=72x72 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-72x72.png><link rel=apple-touch-icon sizes=76x76 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-76x76.png><link rel=apple-touch-icon sizes=114x114 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-114x114.png><link rel=apple-touch-icon sizes=120x120 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-120x120.png><link rel=apple-touch-icon sizes=144x144 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-144x144.png><link rel=apple-touch-icon sizes=152x152 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-152x152.png><link rel=apple-touch-icon sizes=180x180 href=https://gdpr.eu/wp-content/themes/gdpr/assets/apple-icon-180x180.png><link rel=icon type=image/png sizes=192x192 
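href="https://gdpr.eu/wp-content/themes/gdpr/assets/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://gdpr.eu/wp-content/themes/gdpr/assets/favicon-16x16.png">
<link rel="manifest" href="https://gdpr.eu/wp-content/themes/gdpr/assets/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="https://gdpr.eu/wp-content/themes/gdpr/assets/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<style>.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
</head>
<body class="page-template page-template-page-templates page-template-template-checklist page-template-page-templatestemplate-checklist-php page page-id-140 cookies-not-set">
<div id="wrapper">
  <header id="header">
    <div id="social">
      <div class="container text-right">
        <!--
          Share links open in a new tab. rel="noopener noreferrer" severs the opened
          page's window.opener reference and withholds the Referer header; the share
          endpoints are requested over https (the original used http://). The icon
          elements are decorative, so they are hidden from assistive technology.
        -->
        <a href="https://www.facebook.com/sharer.php?u=https://gdpr.eu/" target="_blank" rel="noopener noreferrer"><em class="fab fa-facebook" aria-hidden="true"></em> <span>Facebook</span></a>
        <a href="https://twitter.com/share?url=https://gdpr.eu/" target="_blank" rel="noopener noreferrer"><em class="fab fa-twitter" aria-hidden="true"></em> <span>Twitter</span></a>
      </div>
    </div>
    <div id="top">
      <div class="container">
        <div class="pull-right">
          <div class="search-box">
            <!-- GET search form; the theme shows no visible label, so aria-label names the control. -->
            <form class="search-form" role="search" method="get" action="https://gdpr.eu/">
              <input class="textbox" id="search-form-67d45e355b5db" name="s" type="search" placeholder="Search..." value="" aria-label="Search">
              <button class="button" type="submit"><i class="icon-search" aria-hidden="true"></i><span>Search</span></button>
            </form>
          </div>
        </div>
        <span id="logo">
          <!-- Both anchors are empty (styled via CSS), so aria-label supplies their accessible names. -->
          <a class="gdpr" href="https://gdpr.eu/" aria-label="GDPR.eu home"></a>
          <a class="horizon" href="https://ec.europa.eu/programmes/horizon2020/en/" target="_blank" rel="noopener noreferrer" aria-label="Horizon 2020 (opens in a new tab)"></a>
          <img class="full" src="https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu.svg" alt="GDPR.eu">
          <img class="short" src="https://gdpr.eu/wp-content/themes/gdpr/images/logo-gdpr-eu-notext.svg" alt="GDPR.eu">
        </span>
      </div>
    </div>
    <nav id="nav" aria-label="Site">
      <div class="container">
        <div id="searchx">
          <div class="search-box">
            <form class="search-form" role="search" method="get" action="https://gdpr.eu/">
              <input class="textbox" id="search-form-67d45e355b709" name="s" type="search" placeholder="Search..." value="" aria-label="Search">
              <button class="button" type="submit"><i class="icon-search" aria-hidden="true"></i><span>Search</span></button>
            </form>
          </div>
        </div>
        <nav class="menu-primary-menu-container" id="mainmenu" aria-label="Primary">
          <ul>
            <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-309" id="menu-item-309"><a href="https://gdpr.eu/">Home</a></li>
            <li class="menu-item menu-item-type-post_type menu-item-object-page current-menu-item page_item page-item-140 current_page_item menu-item-351" id="menu-item-351"><a href="https://gdpr.eu/checklist/" aria-current="page">Checklist</a></li>
            <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8150" id="menu-item-8150"><a href="https://gdpr.eu/faq/">FAQ</a></li>
            <li class="menu-item menu-item-type-taxonomy menu-item-object-post_tag menu-item-394" id="menu-item-394"><a href="https://gdpr.eu/tag/gdpr/">GDPR</a></li>
            <li class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-350" id="menu-item-350"><a href="https://gdpr.eu/category/news-updates/">News &amp; Updates</a></li>
          </ul>
        </nav>
      </div>
    </nav>
  </header>
  <!-- Banner image comes from the CMS, so the background stays an inline style. -->
  <div class="page-banner-box" style="background-image:url(https://gdpr.eu/wp-content/uploads/2018/06/checklist-page-banner.jpg);">
    <div class="container narrow">
      <div class="page-title-box">
        <h1>GDPR checklist for data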
controllers</h1><p>Are you ready for the GDPR? Our GDPR checklist can help you secure your organization, protect your customers’ data, and avoid costly fines for non-compliance.</p></div></div></div><div id=main><div id=primary class="content-area one-column"><div id=content class=site-content><div class="section-row checklist-contain-info"><div class=container><p>To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. You can find this information on our <a href=https://gdpr.eu/what-is-gdpr/ >What is GDPR?</a> page. Please keep in mind that nothing on this page constitutes legal advice. We recommend you speak with an attorney specialized in GDPR compliance who can apply the law to your specific circumstances.</p></div></div><div class="section-row tab-checklist-section"><div class=container><div class=tab-checklist-box><div class=small-title><h5> <i class="fa fa-balance-scale"></i> Lawful basis and transparency</h5></div><div class=checklist-box><div class="tabnav tab-data"><ul class="nav nav-tabs"><li class=nav-item> <a href=#tab-1-1 class="nav-link active" data-toggle=tab role=tab> <em class=fa></em> Conduct an information audit to determine what information you process and who has access to it. </a></li><li class=nav-item> <a href=#tab-1-2 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Have a legal justification for your data processing activities. </a></li><li class=nav-item> <a href=#tab-1-3 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Provide clear information about your data processing and legal justification in your privacy policy. 
</a></li></ul><div class=tab-content id=content-1><div class="card tab-pane active show fade" role=tabpanel id=tab-1-1><div class=card-header role=tab id=heading-1-1><h5 class="mb-0"> <em class=fa></em> <a class=collapsed data-toggle=collapse href=#collapse-1-1 data-parent=#content-1 aria-expanded=true aria-controls=collapse-1-1> Conduct an information audit to determine what information you process and who has access to it. </a></h5></div><div id=collapse-1-1 class="collapse show" role=tabpanel aria-labelledby=heading-1-1><div class=card-body><p>Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed <a href=https://gdpr.eu/article-30-records-of-processing-activities/ >list of their processing activities</a> and be prepared to show that list to regulators upon request. The best way to demonstrate GDPR compliance is using a <a href=https://gdpr.eu/data-protection-impact-assessment-template/ >data protection impact assessment</a>. Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-1-2><div class=card-header role=tab id=heading-1-2><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-1-2 data-parent=#content-1 aria-expanded=false aria-controls=collapse-1-2> Have a legal justification for your data processing activities. 
</a></h5></div><div id=collapse-1-2 class="collapse fade" role=tabpanel aria-labelledby=heading-1-2><div class=card-body><p>Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in <a href=https://gdpr.eu/article-6-how-to-process-personal-data-legally/ >Article 6</a>. There are other provisions related to children and special categories of personal data in <a href=https://gdpr.eu/tag/chapter-2/ >Articles 7-11</a>. Review these provisions, choose a lawful basis for processing, and document your rationale. Note that if you choose "consent" as your lawful basis, there are <a href=https://gdpr.eu/gdpr-consent-requirements/ >extra obligations</a>, including giving data subjects the ongoing opportunity to revoke consent. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-1-3><div class=card-header role=tab id=heading-1-3><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-1-3 data-parent=#content-1 aria-expanded=false aria-controls=collapse-1-3> Provide clear information about your data processing and legal justification in your privacy policy. </a></h5></div><div id=collapse-1-3 class="collapse fade" role=tabpanel aria-labelledby=heading-1-3><div class=card-body><p>You need to tell people that you're collecting their data and why (<a href=https://gdpr.eu/article-12-how-controllers-should-provide-personal-data-to-the-subject/ >Article 12</a>). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. 
It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."</p></div></div></div></div></div></div></div><div class=tab-checklist-box><div class=small-title><h5> <i class="fa fa-database"></i> Data security</h5></div><div class=checklist-box><div class="tabnav tab-data"><ul class="nav nav-tabs"><li class=nav-item> <a href=#tab-2-1 class="nav-link active" data-toggle=tab role=tab> <em class=fa></em> Take data protection into account at all times, from the moment you begin developing a product to each time you process data. </a></li><li class=nav-item> <a href=#tab-2-2 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Encrypt, pseudonymize, or anonymize personal data wherever possible. </a></li><li class=nav-item> <a href=#tab-2-3 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Create an internal security policy for your team members, and build awareness about data protection. </a></li><li class=nav-item> <a href=#tab-2-4 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Know when to conduct a data protection impact assessment, and have a process in place to carry it out. </a></li><li class=nav-item> <a href=#tab-2-5 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Have a process in place to notify the authorities and your data subjects in the event of a data breach. </a></li></ul><div class=tab-content id=content-2><div class="card tab-pane active show fade" role=tabpanel id=tab-2-1><div class=card-header role=tab id=heading-2-1><h5 class="mb-0"> <em class=fa></em> <a class=collapsed data-toggle=collapse href=#collapse-2-1 data-parent=#content-2 aria-expanded=true aria-controls=collapse-2-1> Take data protection into account at all times, from the moment you begin developing a product to each time you process data. 
</a></h5></div><div id=collapse-2-1 class="collapse show" role=tabpanel aria-labelledby=heading-2-1><div class=card-body><p>You must follow the principles of "<a href=https://gdpr.eu/article-25-data-protection-by-design/ >data protection by design and by default</a>," including implementing "appropriate technical and organizational measures" to protect data. In other words, data protection is something you now have to consider whenever you do anything with other people's personal data. You also need to make sure any processing of personal data adheres to the data protection principles outlined in <a href=https://gdpr.eu/article-5-how-to-process-personal-data/ >Article 5</a>. Technical measures include encryption, and organizational measures are things like limiting the amount of personal data you collect or deleting data you no longer need. The point is that it needs to be something you and your employees are always aware of.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-2-2><div class=card-header role=tab id=heading-2-2><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-2-2 data-parent=#content-2 aria-expanded=false aria-controls=collapse-2-2> Encrypt, pseudonymize, or anonymize personal data wherever possible. </a></h5></div><div id=collapse-2-2 class="collapse fade" role=tabpanel aria-labelledby=heading-2-2><div class=card-body><p>Most of the productivity tools used by businesses are now available with <a href="https://proton.me/mail?ref=gdpreu">end-to-end encryption</a> built in, including email, messaging, notes, and cloud storage. 
The GDPR requires organizations to <a href=https://gdpr.eu/article-32-security-of-processing/ >use encryption or pseudonymization</a> whenever feasible.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-2-3><div class=card-header role=tab id=heading-2-3><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-2-3 data-parent=#content-2 aria-expanded=false aria-controls=collapse-2-3> Create an internal security policy for your team members, and build awareness about data protection. </a></h5></div><div id=collapse-2-3 class="collapse fade" role=tabpanel aria-labelledby=heading-2-3><div class=card-body><p>Even if your technical security is strong, <a href=https://gdpr.eu/recital-78-appropriate-technical-and-organisational-measures/ >operational security</a> can still be a weak link. Create a security policy that ensures your team members are knowledgeable about data security. It should include guidance about email security, passwords, two-factor authentication, device encryption, and <a href=https://protonvpn.com>VPNs</a>. Employees who have access to personal data and non-technical employees should receive extra training in the requirements of the GDPR.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-2-4><div class=card-header role=tab id=heading-2-4><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-2-4 data-parent=#content-2 aria-expanded=false aria-controls=collapse-2-4> Know when to conduct a data protection impact assessment, and have a process in place to carry it out. </a></h5></div><div id=collapse-2-4 class="collapse fade" role=tabpanel aria-labelledby=heading-2-4><div class=card-body><p>A <a href=https://gdpr.eu/article-35-impact-assessment/ >data protection impact assessment</a> (aka privacy impact assessment) is a way to help you understand how your product or service could jeopardize your customers' data, as well as how to minimize those risks. 
The UK Information Commissioner's Office (ICO) has a data protection impact assessment checklist on its website. The GDPR requires organizations to carry out this kind of analysis whenever they plan to use people's data in such a way that it's "likely to result in a high risk to [their] rights and freedoms." The ICO recommends just doing it anytime you're about to process personal data.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-2-5><div class=card-header role=tab id=heading-2-5><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-2-5 data-parent=#content-2 aria-expanded=false aria-controls=collapse-2-5> Have a process in place to notify the authorities and your data subjects in the event of a data breach. </a></h5></div><div id=collapse-2-5 class="collapse fade" role=tabpanel aria-labelledby=heading-2-5><div class=card-body><p>If there's a data breach and personal data is exposed, you are required to <a href=https://gdpr.eu/article-33-notification-of-a-personal-data-breach/ >notify the supervisory authority</a> in your jurisdiction within 72 hours. A list of many of the EU member states supervisory authorities can be found here. The GDPR does not specify whom you should notify if you are not an EU-based organization. For those in English-speaking non-EU countries, you may find it easiest to notify the Office of the Data Protection Commissioner in Ireland. 
You are also required to quickly <a href=https://gdpr.eu/article-34-communication-of-a-personal-data-breach/ >communicate data breaches to your data subjects</a> unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).</p></div></div></div></div></div></div></div><div class=tab-checklist-box><div class=small-title><h5> <i class="fa fa-paperclip"></i> Accountability and governance</h5></div><div class=checklist-box><div class="tabnav tab-data"><ul class="nav nav-tabs"><li class=nav-item> <a href=#tab-3-1 class="nav-link active" data-toggle=tab role=tab> <em class=fa></em> Designate someone responsible for ensuring GDPR compliance across your organization. </a></li><li class=nav-item> <a href=#tab-3-2 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Sign a data processing agreement between your organization and any third parties that process personal data on your behalf. </a></li><li class=nav-item> <a href=#tab-3-3 class=nav-link data-toggle=tab role=tab> <em class=fa></em> If your organization is outside the EU, appoint a representative within one of the EU member states. </a></li><li class=nav-item> <a href=#tab-3-4 class=nav-link data-toggle=tab role=tab> <em class=fa></em> Appoint a Data Protection Officer (if necessary) </a></li></ul><div class=tab-content id=content-3><div class="card tab-pane active show fade" role=tabpanel id=tab-3-1><div class=card-header role=tab id=heading-3-1><h5 class="mb-0"> <em class=fa></em> <a class=collapsed data-toggle=collapse href=#collapse-3-1 data-parent=#content-3 aria-expanded=true aria-controls=collapse-3-1> Designate someone responsible for ensuring GDPR compliance across your organization. 
</a></h5></div><div id=collapse-3-1 class="collapse show" role=tabpanel aria-labelledby=heading-3-1><div class=card-body><p>Another part of "<a href=https://gdpr.eu/article-25-data-protection-by-design/ >data protection by design and by default</a>" is making sure someone in your organization is accountable for GDPR compliance. This person should be empowered to evaluate data protection policies and the implementation of those policies.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-3-2><div class=card-header role=tab id=heading-3-2><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-3-2 data-parent=#content-3 aria-expanded=false aria-controls=collapse-3-2> Sign a data processing agreement between your organization and any third parties that process personal data on your behalf. </a></h5></div><div id=collapse-3-2 class="collapse fade" role=tabpanel aria-labelledby=heading-3-2><div class=card-body><p>This includes any third-party services that handle the personal data of your data subjects, including analytics software, email services, cloud servers, etc. The vast majority of services have a standard <a href=https://gdpr.eu/data-processing-agreement/ >data processing agreement</a> available on their websites for you to review. They spell out the rights and obligations of each party for GDPR compliance. You should only use third parties that are reliable and can make sufficient data protection guarantees.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-3-3><div class=card-header role=tab id=heading-3-3><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-3-3 data-parent=#content-3 aria-expanded=false aria-controls=collapse-3-3> If your organization is outside the EU, appoint a representative within one of the EU member states. 
</a></h5></div><div id=collapse-3-3 class="collapse fade" role=tabpanel aria-labelledby=heading-3-3><div class=card-body><p>If you process data relating to people in one particular member state, you need to <a href=https://gdpr.eu/article-27-representatives-of-controllers-not-in-union/ >appoint a representative</a> in that country who can communicate on your behalf with data protection authorities. The GDPR and its official supporting documents do not give guidance for situations where processing affects EU individuals across multiple member states. Until this requirement is interpreted, it may be prudent to designate a representative in a member state that uses your language. Some organizations, like public bodies, are not required to appoint a representative in the EU.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-3-4><div class=card-header role=tab id=heading-3-4><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-3-4 data-parent=#content-3 aria-expanded=false aria-controls=collapse-3-4> Appoint a Data Protection Officer (if necessary) </a></h5></div><div id=collapse-3-4 class="collapse fade" role=tabpanel aria-labelledby=heading-3-4><div class=card-body><p>There are three circumstances in which organizations are required to have a <a href=https://gdpr.eu/data-protection-officer/ >Data Protection Officer</a> (DPO), but it's not a bad idea to have one even if the rule doesn't apply to you. 
The DPO should be an expert on data protection whose job is to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators.</p></div></div></div></div></div></div></div><div class=tab-checklist-box><div class=small-title><h5> <i class="fa fa-eye"></i> Privacy rights</h5></div><div class=checklist-box><div class="tabnav tab-data"><ul class="nav nav-tabs"><li class=nav-item> <a href=#tab-4-1 class="nav-link active" data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to request and receive all the information you have about them. </a></li><li class=nav-item> <a href=#tab-4-2 class=nav-link data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to correct or update inaccurate or incomplete information. </a></li><li class=nav-item> <a href=#tab-4-3 class=nav-link data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to request to have their personal data deleted. </a></li><li class=nav-item> <a href=#tab-4-4 class=nav-link data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to ask you to stop processing their data. </a></li><li class=nav-item> <a href=#tab-4-5 class=nav-link data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company. </a></li><li class=nav-item> <a href=#tab-4-6 class=nav-link data-toggle=tab role=tab> <em class=fa></em> It's easy for your customers to object to you processing their data. </a></li><li class=nav-item> <a href=#tab-4-7 class=nav-link data-toggle=tab role=tab> <em class=fa></em> If you make decisions about people based on automated processes, you have a procedure to protect their rights. 
</a></li></ul><div class=tab-content id=content-4><div class="card tab-pane active show fade" role=tabpanel id=tab-4-1><div class=card-header role=tab id=heading-4-1><h5 class="mb-0"> <em class=fa></em> <a class=collapsed data-toggle=collapse href=#collapse-4-1 data-parent=#content-4 aria-expanded=true aria-controls=collapse-4-1> It's easy for your customers to request and receive all the information you have about them. </a></h5></div><div id=collapse-4-1 class="collapse show" role=tabpanel aria-labelledby=heading-4-1><div class=card-body><p>People have the <a href=https://gdpr.eu/article-15-right-of-access/ >right to see what personal data you have about them</a> and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. Make sure you can verify the identity of the person requesting the data. You should be able to comply with such requests within a month.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-2><div class=card-header role=tab id=heading-4-2><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-2 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-2> It's easy for your customers to correct or update inaccurate or incomplete information. </a></h5></div><div id=collapse-4-2 class="collapse fade" role=tabpanel aria-labelledby=heading-4-2><div class=card-body><p>Do your best to keep data up to date by putting a data quality process in place, and make it easy for your customers to view (<a href=https://gdpr.eu/article-15-right-of-access/ >Article 15</a>) and update their personal information for accuracy and completeness. Make sure you can verify the identity of the person requesting the data. 
You should be able to comply with requests under <a href=https://gdpr.eu/article-16-right-to-rectification/ >Article 16</a> within a month.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-3><div class=card-header role=tab id=heading-4-3><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-3 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-3> It's easy for your customers to request to have their personal data deleted. </a></h5></div><div id=collapse-4-3 class="collapse fade" role=tabpanel aria-labelledby=heading-4-3><div class=card-body><p>People generally have the <a href=https://gdpr.eu/right-to-be-forgotten/ >right to ask you to delete</a> all the personal data you have about them, and you have to honor their request within about a month. There are five grounds on which you can deny the request, such as the exercise of freedom of speech or compliance with a legal obligation. You must also try to verify the identity of the person making the request.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-4><div class=card-header role=tab id=heading-4-4><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-4 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-4> It's easy for your customers to ask you to stop processing their data. </a></h5></div><div id=collapse-4-4 class="collapse fade" role=tabpanel aria-labelledby=heading-4-4><div class=card-body><p>Your data subjects can request to <a href=https://gdpr.eu/article-18-right-to-restriction-of-processing/ >restrict or stop processing of their data</a> if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. You are required to honor their request within about a month. While processing is restricted, you're still allowed to keep storing their data. 
You must notify the data subject before you begin processing their data again.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-5><div class=card-header role=tab id=heading-4-5><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-5 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-5> It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company. </a></h5></div><div id=collapse-4-5 class="collapse fade" role=tabpanel aria-labelledby=heading-4-5><div class=card-body><p>This means that you should be able to <a href=https://gdpr.eu/article-20-right-to-data-portability/ >send their personal data</a> in a commonly readable format (e.g. a spreadsheet) either to them or to a third party they designate. This may seem unfair from a business standpoint in that you may have to turn over your customers' data to a competitor. But from a privacy standpoint, the idea is that people own their data, not you.</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-6><div class=card-header role=tab id=heading-4-6><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-6 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-6> It's easy for your customers to object to you processing their data. </a></h5></div><div id=collapse-4-6 class="collapse fade" role=tabpanel aria-labelledby=heading-4-6><div class=card-body><p>If you're processing their data for the purposes of direct marketing, you have to <a href=https://gdpr.eu/article-21-right-to-object/ >stop processing it immediately</a> for that purpose. 
Otherwise, you may be able to challenge their objection if you can demonstrate "compelling legitimate grounds."</p></div></div></div><div class="card tab-pane fade" role=tabpanel id=tab-4-7><div class=card-header role=tab id=heading-4-7><h5 class="mb-0"> <em class=fa></em> <a data-toggle=collapse href=#collapse-4-7 data-parent=#content-4 aria-expanded=false aria-controls=collapse-4-7> If you make decisions about people based on automated processes, you have a procedure to protect their rights. </a></h5></div><div id=collapse-4-7 class="collapse fade" role=tabpanel aria-labelledby=heading-4-7><div class=card-body><p>Some types of organizations use <a href=https://gdpr.eu/article-22-automated-individual-decision-making/ >automated processes</a> to help them make decisions about people that have legal or "similarly significant" effects. If you think that applies to you, you'll need to set up a procedure to ensure you are protecting their rights, freedoms, and legitimate interests. You need to make it easy for people to request human intervention, to weigh in on decisions, and to challenge decisions you've already made.</p></div></div></div></div></div></div></div></div></div><div class="section-row gdpr-checklist-section"><div class=container><div class=row><div class=col-md-4><div class=checklist-img><figure><img src=https://gdpr.eu/wp-content/uploads/2018/06/checklist.png alt=checklist></figure></div></div><div class=col-md-8><h3>Success!</h3><div class=checklist-details><p>Congratulations! If you've dutifully worked to the bottom of the GDPR checklist then you've significantly limited your exposure to regulatory penalties.</p><p>Finally, we want to remind you once more that this checklist is not in any way legal advice. There are dozens of provisions in the GDPR that apply only in rare instances, which would be counterproductive to cover here. 
You should check with a lawyer to make sure your organization fully complies with the GDPR.</p></div></div></div></div></div></div></div></div><footer id=footer><div class=container><div class=post-author-details-box><div class=post-author-details><h6>About GDPR.EU</h6><p> </p><p>GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union. This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found <a href=https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en target=_blank>here</a>. Nothing found in this portal constitutes legal advice.</p></div></div><div class=footer-top><div class=row><div class=col-sm-3> <br><h5>Getting Started</h5><br><div class=menu-deep-footer-column-1-container><ul class=fmenu><li id=menu-item-9315 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9315"><a href=https://gdpr.eu/what-is-gdpr/ >What is GDPR?</a></li><li id=menu-item-9316 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9316"><a href=https://gdpr.eu/fines/ >What are the GDPR Fines?</a></li><li id=menu-item-9317 class="menu-item menu-item-type-post_type menu-item-object-page current-menu-item page_item page-item-140 current_page_item menu-item-9317"><a href=https://gdpr.eu/checklist/ aria-current=page>GDPR Compliance Checklist</a></li></ul></div></div><div class=col-sm-3> <br><h5>Templates</h5><br><div class=menu-deep-footer-column-2-container><ul class=fmenu><li id=menu-item-9318 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9318"><a href=https://gdpr.eu/data-processing-agreement/ >Data Processing Agreement</a></li><li id=menu-item-9319 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9319"><a href=https://gdpr.eu/right-to-erasure-request-form/ >Right 
to Erasure Request Form</a></li><li id=menu-item-9320 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9320"><a href=https://gdpr.eu/privacy-notice/ >Writing a GDPR-compliant privacy notice</a></li></ul></div></div><div class=col-sm-3> <br><h5>Technical Review</h5><br><div class=menu-deep-footer-column-3-container><ul class=fmenu><li id=menu-item-9321 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9321"><a href=https://gdpr.eu/data-protection-officer/ >Data Protection Office Guide</a></li><li id=menu-item-9322 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9322"><a href=https://gdpr.eu/email-encryption/ >GDPR and Email</a></li><li id=menu-item-9323 class="menu-item menu-item-type-post_type menu-item-object-post menu-item-9323"><a href=https://gdpr.eu/companies-outside-of-europe/ >Does GDPR apply outside of the EU</a></li></ul></div></div><div class=col-sm-3> <br><h5>About Us</h5><br><p>GDPR.eu is co-funded by the <a href=https://ec.europa.eu/programmes/horizon2020/en/ >Horizon 2020</a> Framework Programme of the European Union <strong>and operated by Proton AG</strong>.</p></div></div></div><div class=formz><p> </p><p><strong>GDPR Forms and Templates</strong></p><p> <a href=/data-processing-agreement/ ><i class="far fa-file-alt"></i> <strong>Data Processing Agreement</strong> <i class="fa fa-chevron-right"></i></a> <a href=/right-to-erasure-request-form/ ><i class="far fa-file-alt"></i> <strong>Right to Erasure Request Form</strong> <i class="fa fa-chevron-right"></i></a> <a href=/privacy-notice/ ><i class="far fa-file-alt"></i> <strong>Privacy Policy</strong> <i class="fa fa-chevron-right"></i></a></p></div><p> </p><p class=copyright>© 2025 Proton AG. 