
GDPR Compliance Checklist: Step-by-Step Guide

This comprehensive checklist helps you systematically achieve GDPR compliance. Use it as a roadmap for your compliance journey and as an ongoing reference to maintain compliance.

Key Takeaways

Point | Summary
5 phases | Assessment → Legal Foundations → Rights & Processes → Technical Security → Ongoing Maintenance
Start with data audit | Map all personal data: what, where, why, how long, who has access
Key documents | Privacy policy, cookie policy, DPAs with vendors, ROPA, breach response plan
Technical requirements | Data security, encryption, access controls, breach detection
Ongoing | DSAR handling, privacy training, vendor reviews, policy updates

Quick Answer: GDPR compliance involves: (1) audit your data, (2) establish legal bases, (3) set up rights handling processes, (4) implement technical security, (5) maintain ongoing compliance. Start with a data map and privacy policy.

Phase 1: Assessment and Planning

1.1 Determine Applicability

  • Confirm GDPR applies to your organization
  • Identify if you're a controller, processor, or both
  • Determine which EU/EEA countries you operate in
  • Identify your lead supervisory authority (if operating in multiple countries)

1.2 Conduct Data Audit

Data Audit Checklist:

Inventory:

  • List all systems processing personal data
  • Identify all data categories collected
  • Document data sources (direct/indirect)
  • Map data flows between systems

Analysis:

  • Identify special category data
  • Flag high-risk processing activities
  • Assess current security measures
  • Review existing policies and procedures

1.3 Gap Analysis

  • Compare current practices against GDPR requirements
  • Prioritize gaps by risk level
  • Estimate resources needed for remediation
  • Create remediation timeline

Phase 2: Governance and Accountability

2.1 Leadership and Responsibility

  • Assign privacy responsibility to specific role/person
  • Obtain executive sponsorship
  • Establish privacy budget
  • Determine if DPO is required
  • Appoint DPO if required (or voluntary)
  • Ensure DPO independence and resources

2.2 Documentation

Document | Status | Owner | Review Date
ROPA (Record of Processing) | | |
Privacy Policy | | |
Cookie Policy | | |
Data Retention Policy | | |
Information Security Policy | | |
Incident Response Plan | | |
DSAR Procedures | | |

2.3 Record of Processing Activities (ROPA)

  • Document all processing activities
  • Include all required GDPR fields
  • Identify legal basis for each activity
  • Document retention periods
  • List recipients and transfers
  • Establish update process

Phase 3: Legal Basis and Consent

3.1 Legal Basis Documentation

For each processing activity:

  • Identify appropriate legal basis
  • Document justification
  • For legitimate interests: complete a Legitimate Interests Assessment (LIA)
  • For consent: implement valid consent mechanism
  • Update privacy policy with legal bases

3.2 Consent Management

Consent Implementation Checklist:

Collection:

  • Design compliant consent forms
  • Separate consent for different purposes
  • No pre-ticked boxes
  • Clear, plain language
  • Link to privacy policy

Recording:

  • Log consent timestamp
  • Record consent text/version
  • Link to user identifier
  • Secure storage

Withdrawal:

  • Easy withdrawal mechanism
  • Process withdrawals promptly
  • Update all systems
  • Confirm to user

3.3 Marketing Consent

  • Audit existing marketing lists
  • Implement double opt-in for new signups
  • Add unsubscribe to all marketing emails
  • Re-consent lists where needed
  • Clean lists of non-consented contacts

Phase 4: Transparency

4.1 Privacy Policy

  • Contains all GDPR-required information
  • Written in clear, plain language
  • Published and easily accessible
  • Covers all processing activities
  • Current and dated
  • Available before data collection

4.2 Just-in-Time Notices

  • Registration forms include mini-notices
  • Contact forms explain data use
  • Checkout process is transparent
  • Mobile app has appropriate notices

4.3 Cookie Compliance

  • Cookie audit completed
  • Cookie policy published
  • Cookie banner implemented
  • Consent before non-essential cookies
  • Accept and reject equally prominent
  • Granular consent options
  • Easy preference changes
  • Technical blocking working

Phase 5: Data Subject Rights

5.1 Rights Handling Procedures

Right | Timeline | Procedure Documented | Process Tested | Timeline Met
Access (DSAR) | One month | | |
Rectification | One month | | |
Erasure | One month | | |
Restriction | One month | | |
Portability | One month | | |
Object | Immediate for marketing | | |

5.2 DSAR Process

DSAR Readiness Checklist:

Intake:

  • Request channel established
  • Acknowledgment template ready
  • Identity verification process

Processing:

  • Data discovery process documented
  • All systems searchable
  • Response template created
  • Review process established

Delivery:

  • Secure delivery method
  • Response format defined
  • Tracking system in place

Timeline:

  • One-month deadline tracked
  • Extension criteria defined (two further months for complex requests)
  • Escalation process established

5.3 Self-Service Options

  • Users can view their data in-app
  • Users can update their information
  • Users can download their data
  • Users can delete their account
  • Marketing preferences accessible

Phase 6: Data Security

6.1 Technical Measures

Measure | Implemented | Tested | Documented
Encryption at rest | | |
Encryption in transit | | |
Access controls | | |
Multi-factor authentication | | |
Secure backups | | |
Intrusion detection | | |
Vulnerability scanning | | |
Secure development practices | | |

6.2 Organizational Measures

  • Information security policy documented
  • Access management process established
  • Employee background checks (where appropriate)
  • Security awareness training implemented
  • Incident response plan created
  • Business continuity plan in place

6.3 Regular Security Activities

  • Quarterly access reviews scheduled
  • Annual penetration testing planned
  • Regular vulnerability assessments
  • Security training refresh schedule
  • Security policy reviews scheduled

Phase 7: Vendor Management

7.1 Vendor Inventory

  • List all vendors processing personal data
  • Identify processors vs. controllers
  • Document data shared with each
  • Assess vendor security posture

7.2 Data Processing Agreements

Vendor | DPA Status | SCC Required | Last Review
(one row per vendor) | | |

7.3 Ongoing Vendor Management

  • Sub-processor notification process
  • Annual vendor reviews scheduled
  • Vendor security questionnaire template
  • Offboarding/data deletion procedures

Phase 8: International Transfers

8.1 Transfer Assessment

  • Identify all international data transfers
  • Determine destination country adequacy status
  • Implement appropriate safeguards (SCCs, etc.)
  • Complete Transfer Impact Assessments
  • Document in ROPA and privacy policy

8.2 Transfer Mechanisms

Transfer | Destination | Mechanism | TIA Complete
(one row per transfer) | | |

Phase 9: Breach Preparedness

9.1 Incident Response

  • Incident response plan documented
  • Response team identified
  • Escalation procedures clear
  • Communication templates ready
  • Supervisory authority notification process established

9.2 Breach Response Capability

Breach Readiness Checklist:

Detection:

  • Monitoring systems in place
  • Reporting channels clear
  • 24/7 detection capability

Response:

  • Response team trained
  • Containment procedures documented
  • Forensic capability available
  • Legal counsel accessible

Notification:

  • 72-hour timeline achievable
  • Supervisory authority contact information current
  • Notification templates ready
  • Individual notification process

Documentation:

  • Breach log maintained
  • Investigation procedures
  • Lessons learned process

Phase 10: Training and Awareness

10.1 Training Program

Training | Audience | Frequency | Last Completed
GDPR Overview | All staff | Annual |
Data Handling | Data handlers | Annual |
Security Awareness | All staff | Quarterly |
Incident Response | Response team | Annual |
Privacy by Design | Developers | Annual |

10.2 Awareness Activities

  • Privacy policy accessible to all staff
  • Regular privacy communications
  • Privacy contact point known
  • Reporting procedures clear

Phase 11: Ongoing Compliance

11.1 Regular Reviews

Activity | Frequency | Last Complete | Next Due
ROPA update | Quarterly | |
Privacy policy review | Annual | |
DPA review | Annual | |
Security assessment | Annual | |
Training refresh | Annual | |
Vendor review | Annual | |

11.2 Change Management

  • Privacy impact in change process
  • New processing requires review
  • New vendors require DPA
  • New features assessed for privacy

11.3 Documentation Maintenance

  • All documentation dated
  • Version control in place
  • Historical versions retained
  • Regular accuracy reviews

Compliance Dashboard

Track your overall compliance status:

Area | Status | Priority | Target Date
Governance | 🟡 In Progress | High |
Legal Basis | 🔴 Not Started | High |
Transparency | 🟡 In Progress | High |
Rights | 🔴 Not Started | Medium |
Security | 🟢 Complete | High |
Vendors | 🔴 Not Started | Medium |
Transfers | 🟡 In Progress | Medium |
Breach Prep | 🔴 Not Started | High |
Training | 🟡 In Progress | Medium |

How Bastion Helps

GDPR compliance is an ongoing commitment rather than a one-time project. Working with experienced partners helps organizations achieve compliance efficiently and maintain it over time.

Challenge | How We Help
Assessment | Comprehensive gap analysis to understand your current state
Documentation | Proven templates and streamlined processes for required documentation
Implementation | Expert guidance to ensure controls are implemented correctly
Training | Staff awareness programs tailored to different roles
Ongoing Compliance | Continuous monitoring and periodic reviews to maintain compliance

Our managed services approach brings additional expertise to handle the heavy lifting, helping ensure things are done right the first time and avoiding the costly iterations that often come from addressing compliance without experienced guidance.
