Intro to GDPR Checklist for Businesses:

This GDPR checklist for businesses is built on the basis of official ICO guidelines and recommendations.

Using this checklist will help you structure your business to adhere to the GDPR.

It is important to note, however, that an independent consultant should be sought to assist your compliance and you shouldn't rely solely on this checklist.

Many large companies will need to run this checklist not just once, but many times: different teams or wings of the company will each need to analyze their own activities for non-compliant structures or processes.

All data entered into the form fields throughout the checklist will be saved in the template overview tab so that the appointed Data Protection Officer can monitor the responses and information from each team.

This is designed to help large companies create a system of oversight quickly and easily.

Watch the video below for an introduction to GDPR or read our accompanying article: How to Be GDPR Compliant: A Guide for SaaS and Beyond.

What is the GDPR?

Record checklist details

Use this section to record the details of who is completing the checklist and why. 

You can edit this section to include form fields specific to your business.

Make your team or company aware of GDPR

It is important to make sure other members of your team or organization are aware of GDPR and its potential ramifications. 

Stressing the importance of these changes to data regulations will help to encourage compliance throughout the team or organization. 

You could call a meeting to present the risks of GDPR and the steps needed to ensure compliance, or you could use the email widget below to notify people within the team or organization that the process of adhering to the GDPR is beginning.

Use the form field below to document the steps you took to provide awareness throughout the company.

Document information held by the company

It is important to make sure all activities related to data are well documented. 

To begin, document:

  • What personal data you hold
  • Where that data came from
  • Who that data is shared with
  • Why that data remains held

Documenting this information places you in line with the GDPR's accountability principle.

Use the form fields below to briefly summarize each of these concerns. 

Review existing privacy notices

The GDPR requires certain changes to privacy notices and these should be reviewed alongside your existing practices. 

The privacy notices code of practice can be found here: Privacy Notices, Transparency and Control.

When you collect data, you normally inform the subject who you are and how you intend to use the data. This is common practice.

Under the GDPR you will need to add a few more elements:

  • Explain your lawful basis for processing the data
  • Explain your data retention periods
  • Explain the individual's right to lodge a complaint with the ICO

The GDPR states that this information must be delivered in a concise fashion, with clear and easy to understand language.

Use the form field below to note the specific changes you need, and intend, to make.

Check your procedures protect individuals' rights

The GDPR confers a series of rights and freedoms on individuals in respect of their data.

It is your responsibility to make sure your company's actions allow for the fulfillment of these rights.

The following rights should be respected:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object; and
  • The right not to be subject to automated decision-making, including profiling.

Devise a series of example cases and work through each scenario to understand exactly how the company will respond to these requests. 

If you do not already have procedures which protect these rights, it is important to create those procedures.

Use the form field below to link to where these documented processes can be found. You can use Process Street to document your procedures.

Prepare for subject access requests

The GDPR gives individuals greater rights regarding access to their data.

Your company must provide appropriate means to access that data. This could be simply responding to access requests as and when they arrive, or you may consider creating a system whereby customers can access their own records. 

How you choose to implement this depends on the specific conditions within your company.

The ICO provides the following guidelines:

  • In most cases you will not be able to charge for complying with a
    request.
  • You will have a month to comply, rather than the current 40 days.
  • You can refuse or charge for requests that are manifestly unfounded
    or excessive.
  • If you refuse a request, you must tell the individual why and that
    they have the right to complain to the supervisory authority and to
    a judicial remedy. You must do this without undue delay and at the
    latest, within one month.

Identify the lawful basis for your processing activity

The ICO provides 6 key lawful justifications for processing activity:

  • 6(1)(a) – Consent of the data subject
  • 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • 6(1)(c) – Processing is necessary for compliance with a legal obligation
  • 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
  • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

Whenever you are processing data, your documentation for that process should make clear upon what justification it is based. 

Use the form field below to identify your different processing activities and which lawful justification applies to each. 

Assess whether age-verification is needed

Within the GDPR, consent is of great importance. However, not all individuals online have the capacity to give consent. 

You need to assess your policies to see whether you need to put systems in place to protect children who are unable to consent to the gathering or processing of their data. 

The ICO gives the following guidance:

If your organization offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.

You must take steps to ensure children can understand your requests for consent and that consent of a person holding parental responsibility has been granted. 

Use the form field below to document the changes you believe your organization will need to make.

Make sure you have procedures in place for data breaches

You need to make sure your procedures cover the detection, reporting, and investigation of data breaches and the risks they pose to personal data.

In the case of a breach, the company must inform the relevant regulatory body within 72 hours of becoming aware of it. Best practice is to inform the regulatory body as soon as possible.

The same applies to the individuals you hold data on. The company must contact any individuals to make them aware that their data has been breached if this is seen to pose a danger to their rights or freedoms. 

There are a few exceptions:

  • If the data has been encrypted to the point of being unintelligible.
  • If the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk.
  • If it would involve a disproportionate amount of effort to inform each individual. In this scenario a public announcement would suffice.

Use the form field below to link to your relevant procedures. You can use Process Street to document, manage, and run these processes.

Perform the required assessments

There is a series of standard assessments you should carry out to make sure you are delivering privacy by design.

The GDPR refers to Privacy Impact Assessments (PIAs) as Data Protection Impact Assessments (DPIAs) and makes these DPIAs mandatory in certain circumstances. 

The ICO gives the following guidance:

A DPIA is required in situations where data processing is likely to result in
high risk to individuals, for example:

  • where a new technology is being deployed;
  • where a profiling operation is likely to significantly affect
    individuals; or
  • where there is processing on a large scale of the special categories
    of data.

It is recommended that you read the ICO guidance document on PIAs and the guidance from the Article 29 Working Party.

Use the form field below to upload your Data Protection Impact Assessment.

Appoint a Data Protection Officer

If you haven't already appointed a Data Protection Officer, now is the time to do so. 

If you are running this checklist for the first time for your whole organization then you likely do not have a Data Protection Officer at this point in time. 

If you are running this checklist as a smaller team within a larger organization, this checklist is likely feeding data back to your Data Protection Officer already. 

The ICO tells us that a Data Protection Officer must be formally appointed if your organization is:

  • a public authority (except for courts acting in their judicial capacity);
  • an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
  • an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

Guidance from the Article 29 Working Party can be found here: Article 29 Working Party Overview.

The specific report on Data Protection Officers can be found as a PDF hosted below.

Use the form fields below, if applicable, to name your new Data Protection Officer and why they were selected.

Identify your supervisory authority

If your organization operates in more than one EU member state, it is important to identify which organization will act as your lead data protection supervisory authority.

The ICO gives the following guidance:

The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or else the location where decisions about the purposes and means of processing are taken and implemented.

This is only relevant where you carry out cross-border processing – ie you have establishments in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.

For more information, you can review the two documents uploaded below, created by the Article 29 Working Party.

Use the form fields below to record the important information.

Sources:
