GDPR checklist for data controllers

Are you ready for the GDPR? Our GDPR checklist can help you secure your organization, protect your customers’ data, and avoid costly fines for non-compliance.

To understand the GDPR checklist, it is also useful to know some of the terminology and the basic structure of the law. You can find this information on our What is GDPR? page. Please keep in mind that nothing on this page constitutes legal advice. We recommend you speak with an attorney specialized in GDPR compliance who can apply the law to your specific circumstances.

Conduct an information audit to determine what information you process and who has access to it. Have a legal justification for your data processing activities. Provide clear information about your data processing and legal justification in your privacy policy.

Organizations that have at least 250 employees or conduct higher-risk data processing are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. The best way to demonstrate GDPR compliance is using a data protection impact assessment Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).

Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. There are other provisions related to children and special categories of personal data in Articles 7-11. Review these provisions, choose a lawful basis for processing, and document your rationale. Note that if you choose "consent" as your lawful basis, there are extra obligations, including giving data subjects the ongoing opportunity to revoke consent. If "legitimate interests" is your lawful basis, you must be able to demonstrate you have conducted a privacy impact assessment.

You need to tell people that you're collecting their data and why ( Article 12). You should explain how the data is processed, who has access to it, and how you're keeping it safe. This information should be included in your privacy policy and provided to data subjects at the time you collect their data. It must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."