GDPR Compliance Checklist: How to Become Compliant
Our twelve-step GDPR checklist can help your organization stay compliant while protecting customers from cybersecurity threats and yourself from business risk.
Meeting compliance standards can pose a challenge for businesses that process user data internationally. Of all the frameworks, 90% of compliance workers agree that GDPR standards are the hardest to meet. Whether you're new to GDPR or are trying to keep up with it, meeting its requirements is non-negotiable if your business activities involve processing the personal data of data subjects in the European Union (EU).
To help you achieve and maintain compliance, we put together a GDPR compliance checklist covering the requirements to process user data. We also offer tips on becoming GDPR compliant and answer a few common framework questions.
Quick Refresher: What Is GDPR?
GDPR, or the General Data Protection Regulation, is a privacy and security law that the EU passed in 2016 and that went into effect in 2018. The regulation governs how organizations collect, use, and secure the personal data of EU citizens or residents.
The law exists for four main reasons:
Create a baseline privacy standard for processing personal data related to the people in the EU member states
Reinforce users’ right to data privacy, protection, and transparency
Update privacy laws in light of recent technological changes
Levy non-compliance penalties against organizations to ensure adoption
Who Does GDPR Compliance Apply To?
GDPR applies to all companies controlling and/or processing EU citizens’ or residents’ personal data. Data controllers and data processors may sound alike, but they perform different tasks. More specifically:
Those that control the data (data controllers) collect, own, and are ultimately responsible for its protection. Controllers define the purpose of the data and associated processing activities. Governments, companies, and individuals can all control data.
Those that process the data (data processors) store, retrieve, manipulate, and/or transmit data following the controllers’ instructions. Automated tools and third parties can act as processors.
Many companies outside the EU still have to follow GDPR guidelines. Adherence is only optional if the organization has no operations that involve processing the personal data of people in the EU member states.
12-Step GDPR Checklist
To help you avoid fines and keep doing business in the EU, we’ve made a simple GDPR compliance checklist for U.S. companies. By following these 12 steps, you can better protect your users and reduce the risk of non-compliance.
Step 1. Review Where and How You Store Data
Action items:
Perform a security check on devices and other resources where you store data, including:
Physical data storage centers
Cloud storage solutions
Company-owned computers, laptops, smartphones, tablets, and removable media
Step 2. Account For Data Processing Risks
Action items:
Make sure all processing activities account for risk factors and include:
Data protection safeguards from development to processing user data
Encryption, pseudonymization, and/or anonymization mechanisms
Policy requirements that build awareness about data protection
Regular data protection impact assessments
Instructions on how to notify authorities and data subjects after a breach
Step 3. Examine Your Legal Function
Action items:
Make sure your legal team understands GDPR guidelines
Have management include your legal team during GDPR discussions and implementations
Step 4. Consider Appointing a Data Protection Officer
Action items:
Appoint a data protection officer (DPO), or delegate the DPO's tasks to a third party, a member of your legal team, or an IT security expert, where one is required
Step 5. Appoint an EU Representative, If Applicable
Action items:
Appoint an EU representative if you do either of the following:
Process large amounts of personal data from EU citizens or residents
Process special categories of data from EU citizens or residents (e.g., criminal records, political opinions, racial or ethnic origin, etc.)
Step 6. Establish Your Public-Facing Privacy Policy
Action items:
Publish a privacy policy on your organization’s website that:
Explains how you collect, share, store, and use personal data
Breaks down the types of data collected and/or processed
Includes provisions on data subjects’ rights
Communicates changes, if any
Have your legal team confirm this policy meets GDPR requirements
Include a link to the policy throughout your website, especially on pages where data collection occurs
Step 7. Refine Your Terms of Service
Action items:
Evaluate your product’s terms of service and be sure to:
List all the rules users must follow when using your platform/services
Communicate your obligations and set customer expectations
Note copyrighted materials and other intellectual property, and what customers can do with them
Explain your dispute resolution process
Include payment disclaimers and liability statements
Refer to governing laws shaping your user policies
Step 8. Develop a Customer-facing Data Processing Agreement
Action items:
Create a customer-facing data processing agreement and:
Outline your responsibilities as either a data controller, data processor, or both, over the customer’s data
Explain how your organization uses this data for business purposes
Make the agreement publicly available
Involve your Legal Counsel in the creation of this document
Step 9. Develop a Vendor-Facing Data Processing Agreement
Action items:
If a third-party vendor collects and processes user data on your behalf, consider a vendor-facing DPA that:
Addresses how user data are to be protected during the engagement
Includes provisions on the expected cybersecurity measures that reduce the likelihood of data breaches
Has been endorsed by your legal team as covering GDPR’s standards
Step 10. Maintain Records of Processing Activities (ROPA)
Action items:
Keep a ROPA that includes:
An overview of your data processing practices
Name and contact details of your Data Protection Officer (DPO)
The reason you process this data
The types of data you control or process
Other countries and organizations you transfer data to
Time limits before you erase various types of data
An overview of your security measures protecting data
Step 11. Create Ways for Customers to Exercise Their Privacy Rights
Action items:
Set up mechanisms for direct communication:
Provide a publicly available email address that customers can reach out to
Establish your processes for quickly responding to customers
Create a means to adjust or delete user data at any time
Make your approach to user privacy clear:
Outline how automation and marketing tools leverage user data
Write web forms explaining how user data flows through your organization
Provide cookie collection notices
Step 12. Maintain Continuous Compliance
Action items:
Select an automated compliance platform that lets you:
Proactively create response plans for incidents involving data breaches
Continuously test and monitor the effectiveness of your security processes and procedures
Store documentation on data subject requests, data processing activities, privacy impact assessments, and consent records
How to Become GDPR Compliant: 11 Tips
After reading the checklist, you may still have a few questions about GDPR standards. Learn more about how to become GDPR compliant by looking over these 11 steps, where we’ll go into more detail about the requirements you have to meet.
Evaluate Your Data Management Practices
Start by evaluating how your company processes and stores personal data. Charting how data flows and keeping records holds your organization accountable. Once your data management practices are documented, you can look for risk factors and areas to improve.
Different roles play their part in data management. Remember to consider your data flow from different personas, such as:
Marketing and sales prospects
Website visitors
Customers
Employees
Job applicants
Designate a Data Protection Officer (DPO), if Needed
If you haven’t already, appoint a DPO to advise and help enforce GDPR standards. Your DPO is the ultimate authority on keeping your organization GDPR compliant. They can also serve as a point of contact between the company and data protection authorities. Your ideal DPO should have an IT and legal background.
Appoint an EU Representative If Needed
Data processors and controllers outside the EU often need to appoint a representative. Specifically, you need a representative if your business activities involve processing large amounts of personal data from EU citizens or residents, processing special categories of data from EU citizens or residents (such as criminal records, political opinions, or racial or ethnic origin), or both.
The GDPR does lay out a few exceptions. You don’t need an EU representative if your organization:
Rarely handles EU data
Does not process sensitive user data
Does not process legal data about criminal offenses and convictions
Does not process data in a way that jeopardizes the privacy rights and freedom of EU citizens
Is considered a public body or authority
Is based in the EU
Conduct a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA)
Businesses that collect sensitive data have to carry out privacy impact assessments and data protection impact assessments. These tests examine processing operations and how they protect user data.
A PIA examines the privacy risks your projects, systems, initiatives, strategies, company policies, and business relationships pose. PIAs work to avert risks to your user base’s rights and freedoms.
A DPIA looks over the potential impact of your processes on users’ privacy. It gauges the likelihood of breaches occurring and how much damage they will do. Finally, it determines whether your current measures can prevent those risks.
For more information, refer to the official GDPR DPIA template.
Create a Public-Facing Privacy Policy
You need to create a privacy policy governing how visitors use your website. Users should be able to access this policy on any webpage to see how you collect, use, and disclose their data. This policy should also outline the user's rights and your obligations to them. Remember to use clear, concise language.
Your policy should include:
Contact details for your business, its representative, and DPO
Your organization's purpose for processing user data
Legal interests of your organization and its third parties
Any recipients of your user data
How data transfer occurs and the safeguards you've put in place
The retention period for user data and why it lasts as long or as short as it does
Your data subjects' rights
How users can withdraw consent for data processing
How users can lodge complaints with a supervisory authority
The potential consequences of users not offering their data
Details about AI decision-making systems that base choices on user data
Create Your Product Terms of Service and Customer-Facing Data Processing Agreement (DPA)
Terms of service and data processing agreements create transparency between businesses and their customers. Together, they explain a user’s rights and how businesses leverage their data. More specifically:
Product terms of service are forms listing rules users must follow while using your platform. They can also include dispute resolution information, governing laws, and copyright claims.
Customer-facing DPAs are agreements between data controllers and processors. DPAs outline how processors will use a controller’s data for business purposes. Sharing your DPA helps customers understand how you use their data.
If you need help writing your DPA, you can review the official template here.
Create a Vendor-Facing DPA
You need to create a data-processing addendum for third-party vendors that store employees’ or customers’ personal information. These DPAs ensure vendors comply with your shared data protection obligations. DPAs apply whether your vendor provides order fulfillment, CRM, or payroll services.
You can decide what to include in your DPA by asking:
Where does your third party store user data?
Do you and the vendor have adequate risk-prevention processes in place?
Does the vendor rely on technology that reliably protects user data?
Do your legal team and DPO think the DPA meets GDPR standards?
Ensure Data Subjects are Informed and Able to Exercise Their Privacy Rights
Review your security policies and processes to ensure customers can use their right to data privacy. These rights can include the chance to access and change their stored information, prevent marketing and AI decision-making, or delete data you stored about them.
You can protect their rights with a few tools:
Website forms: Website forms should state how you will use collected data.
Cookie collection notices: These notices should include the GDPR cookie requirements.
Header and footer text: You can include reminders about user privacy rights at the top and bottom of webpages, especially where personal data are being collected.
Protect Children's Data
The GDPR only allows personal data processing for users who are 16 or older. To lawfully collect personal data from individuals younger than that, their parents must consent to it. Consider adding an age verification system before collecting customer information.
Monitor and Report Data Breaches
GDPR guidelines keep businesses vigilant against breaches and other security threats. When breaches occur, companies need to respond quickly and report data losses. This process involves four steps:
Set up procedures to detect, investigate, and respond to incidents involving data breaches. Conduct a GDPR assessment to determine the types of data you're holding and set up notifications in case of a breach.
If a breach presents a risk to users’ rights and freedoms, inform them as soon as possible, unless affected personal data is unintelligible or encrypted.
Controllers need to report breaches to their supervisory authority within 72 hours. Reporting later than that requires a justifiable reason; otherwise, the delay may result in legal penalties and fines.
Processors are required to immediately notify the controller about any incident involving a personal data breach.
Implement a "Privacy by Design" Mindset
Privacy by design is a security approach pushing for data protection through technology design. In other words, it refers to a method of data protection built into the foundation of your tools and processes. Some organizations call it “privacy by default” to reflect this wider scope. You can implement privacy by design by:
Carrying out data protection impact assessments regularly
De-identifying data using pseudonymization or anonymization
Deleting data no longer used or needed
Placing your data centers in high-security locations
Encrypting systems and passwords your employees use
Conducting security scans on networks, systems, and devices to identify potential weaknesses
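An added illustration (not from the original article, and not Drata's own code) of the two de-identification techniques named in Step 2 and in the privacy-by-design list above: keyed pseudonymization, which stays reversible for whoever holds the key and lookup table, beside irreversible anonymization by generalization. The Pseudonymizer class, the sample records and the field names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not real people): one direct identifier plus
# the quasi-identifiers that analytics still needs.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "age": 34, "postcode": "SW1A 1AA"},
    {"email": "bob@example.org", "age": 41, "postcode": "M1 1AE"},
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA"},
]


class Pseudonymizer:
    """Replaces a direct identifier with a keyed pseudonym (hypothetical helper).

    The key and the pseudonym-to-identifier table are the 'additional
    information' that makes re-identification possible, so in production they
    belong in a separate, access-controlled store, never beside the dataset.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # pseudonym -> normalized identifier

    def pseudonymize(self, identifier: str) -> str:
        ident = identifier.strip().lower()  # same person -> same pseudonym
        # HMAC rather than a bare hash: without the key, whoever receives the
        # dataset cannot confirm a guessed e-mail address by hashing it.
        tag = hmac.new(self._key, ident.encode(), hashlib.sha256).hexdigest()[:24]
        self._lookup[tag] = ident
        return tag

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the holder of the lookup table can reverse a pseudonym."""
        return self._lookup.get(pseudonym)


def pseudonymize_dataset(records: List[dict], pz: Pseudonymizer) -> List[dict]:
    """Swap the e-mail column for a pseudonym; keep the analytic fields."""
    return [{"subject": pz.pseudonymize(r["email"]), "age": r["age"],
             "postcode": r["postcode"]} for r in records]


def anonymize(record: dict) -> dict:
    """Irreversible generalization: drop the identifier, coarsen the rest.

    Nothing to reverse means no key to protect; whether the result is truly
    anonymous depends on how coarse the bands are relative to other data.
    """
    decade = (record["age"] // 10) * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "area": record["postcode"].split()[0]}
```

Pseudonymized output is still personal data under GDPR because the lookup table can reverse it, which is why the table and key need their own access controls and retention rules.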
GDPR Compliance FAQ
If you still have questions about attaining GDPR compliance and/or addressing GDPR requirements, we’ve answered a few common questions below.
What Are the GDPR Data Protection Principles?
GDPR upholds seven data protection principles that companies must adhere to:
Lawfulness, fairness, and transparency: Follow contractual rules, value user consent, don’t misuse data, and never withhold information from data subjects.
Purpose limitation: Only process collected data based on legitimate and explicitly specified purposes.
Data minimization: Only collect the minimum amount of data needed for business purposes.
Accuracy: Conduct audits and set up measures to correct, update, or erase incomplete and false data.
Storage limitation: Retain data for no more than a justifiable amount of time.
Integrity and confidentiality: Protect data from unauthorized parties and avoid data losses, damage, and destruction.
Accountability: Keep records and establish measures to prove data processes are compliant.
What Are the Penalties for GDPR Non-Compliance?
GDPR non-compliant organizations can face sanctions and fines. The EU sets financial penalties in proportion to the extent of data misuse. In extreme cases, fines can reach €20 million, or 4% of the firm’s worldwide annual revenue from the last fiscal year, whichever amount is higher.
GDPR sanctions may include:
Bans on data processing in the EU
Public reprimands
Financial penalties based on the extent of non-compliance
Does the GDPR Require Encryption?
Organizations often use encryption to meet GDPR standards, but other options exist. The GDPR requires that organizations use "appropriate technical and organizational measures" to protect user data.
While encryption is a practical, affordable choice, you could also use a combination of:
Firewalls
User access controls
Multi-factor authentication
Security awareness training
Pseudonymization techniques
How Drata Can Help You Achieve and Maintain GDPR Compliance
While GDPR sets a high bar for data protection, meeting its standards doesn't have to be difficult. By following our GDPR compliance checklist, you can avoid penalties and offer customers the highest level of protection.
If you have trouble staying GDPR compliant, Drata can help. Our tool automates compliance processes and keeps you audit-ready. By continuously monitoring your cybersecurity, we can help protect your users' data and reduce your business's risk. Additionally, our team of GDPR experts can reduce the time and complexity involved with achieving compliance.