GDPR Compliance Checklist | Part 1 - How to Become GDPR Compliant
Keep reading if you want guidance and checklists for implementing the GDPR in your organisation.
In this article, we will guide you through the steps to transform your organisation from non-compliant to GDPR-compliant by establishing a GDPR project within your organisation and implementing the change.
You Must Comply With the GDPR
While this may seem obvious to some, it's genuinely the starting point: you must recognise that your organisation is required to comply with the GDPR and acknowledge it as a task demanding your care and attention.
Many organisations overlook two key facts: first, that GDPR regulates how they process personal data, and second, that they are indeed handling personal data. If your organisation manages customer or employee information, both of which count as personal data, you are obligated to comply with the GDPR.
The next step is to create a checklist of all the tasks necessary to achieve GDPR compliance.
Acknowledge your obligation to comply with the GDPR and commit to acting on this.
The GDPR Compliance Manager
You might already have been appointed the role and responsibility of implementing the GDPR in your organisation.
In smaller organisations, you might end up managing the GDPR implementation simply because you identified the need to comply with this regulation and were asked to follow through with it.
In larger organisations, leadership will typically have identified the need to comply with the GDPR and later appointed someone for the role.
The GDPR compliance manager will be the project leader for implementing the GDPR in the organisation and will likely also be responsible for managing its compliance after implementation.
Building a GDPR compliance manager’s expertise to oversee the project will prove invaluable for the organisation. This means that the compliance strategy can be based on tried-and-tested approaches rather than having to figure everything out from scratch.
Assign a GDPR compliance manager to implement GDPR compliance in your organisation and provide them with the necessary training resources.
Get Buy-In from Leadership
As the person responsible for making your organisation GDPR-compliant, you must secure leadership buy-in. Achieving GDPR compliance will demand resources, certainly labour hours, and likely some financial investment to make software or hardware adjustments.
With leadership's backing, driving the necessary changes for GDPR compliance will be easier, as they control budget approvals and decisions that impact the organisation's infrastructure. You will also need them to agree on guidelines and establish project boundaries to keep things on track.
The first step in getting leadership on board is ensuring you have the resources and training to manage the project effectively as the GDPR compliance manager.
Get buy-in from leadership to implement GDPR compliance in your organisation.
The Burden of Transformation
Leadership must recognise that guiding an organisation towards GDPR compliance can significantly burden the person managing the process.
The GDPR compliance manager is often given this project on top of a full workload. If that’s the case, the organisation must acknowledge that this is a significant task, not something that can be rushed or completed with ease.
To guide the transformation to GDPR compliance requires the manager to upskill in data protection regulations and best practices. The project involves complex rules, aligning IT systems, and developing a deep understanding of how the entire organisation operates. These are not complex topics, and the project could impact nearly every process and IT system within the organisation.
Managing this project puts pressure on the GDPR manager, who may face resistance from colleagues when communicating necessary changes that complicate their jobs. In such situations, clear explanations for compliance requirements are expected, yet challenging to provide. Data protection rules are inherently complex, and balancing them with the reality of day-to-day operations is difficult.
To ease this burden, the GDPR compliance manager will benefit from having a senior figure to whom they can turn for guidance on difficult decisions and overall support. This backing is important for the success of the GDPR implementation and the well-being of the person managing it. Without backing, the GDPR compliance manager will be fighting an uphill battle when advocating changes.
Make a senior figure (such as the CEO or CFO) the project owner to ensure that the GDPR compliance manager receives adequate support throughout the transformation process.
Project Group
Given the complexity of GDPR implementation, forming a project group is necessary for most organisations to facilitate the implementation process.
Including someone from IT in the project group is a good idea, as personal data is primarily processed through software and hardware, which are their domains. Their expertise will be valuable when implementing the technical security measures required for GDPR compliance throughout the organisation.
Naturally, including someone from Legal is important. Many decisions will require interpreting how GDPR applies to your organisation's practices, so having a legal expert in the group will be beneficial.
HR personnel have experience in diligently processing personal data about employees, which can benefit the project, while their business processes are also significantly impacted by the GDPR project. Including a representative from HR will help ensure the project runs more smoothly, as they can provide insights based on their previous experiences and their first-hand view of how the GDPR impacts their work.
Consider involving colleagues from other teams in finance, data analysis, customer support, or marketing, depending on your organisation. Ultimately, how you structure the project group should reflect how GDPR will affect different areas of the business and how best to meet your organisation’s needs.
Establish a project group to support GDPR implementation - unless your organisation is small.
GDPR Project Planning
Like any complex project, your GDPR implementation needs a solid plan. A clear plan will make the process more manageable, whether your organisation is small or large.
To create this plan, you will need a strong understanding of the GDPR to determine what must be implemented and how to make it work.
It's a good idea to structure the plan, treating it as a project where different compliance tasks have dependencies. These dependencies between tasks will influence how the project unfolds and which steps need to be prioritised.
By reading this article, you will get guidance on organising your GDPR project plan.
Develop a project plan for implementing the GDPR.
GDPR Documentation
Your GDPR compliance must be documented, as this is a requirement of the GDPR.
The documentation requirement stems from the need always to be able to demonstrate that your organisation complies with the data protection principles outlined in Article 5 of the GDPR. Article 30 of the GDPR also requires significant documentation of all your processing activities.
Therefore, it is not enough to simply claim that your organisation handles personal data securely; you must also be able to provide documentation to back it up.
You document this by detailing all aspects of your GDPR compliance, from the Records of Processing Activities to the accompanying risk assessments, and how security measures have been implemented to mitigate those risks.
This applies to every part of your GDPR compliance so that all processes, systems, and related activities can be proven to meet GDPR requirements.
Document how your organisation complies with all aspects of the GDPR.
GDPR Management System
Managing your GDPR compliance documentation can be quite a challenge. You need detailed documentation, but it also has to be actionable to help you stay compliant day-to-day.
GDPR compliance will require many actions to be performed by your organisation, and you need a good way to manage this efficiently. You could use tools like Excel, Word documents, shared folders, and email to coordinate efforts with your team. However, another option is to use GDPR compliance software specifically designed to support your organisation in meeting all GDPR requirements.
Establish a management system for your GDPR compliance.
Data Mapping
The GDPR concerns the processing of personal data, and therefore, you need to know how the organisation handles personal data. We do this by mapping the ways the organisation handles personal data, also called ‘data mapping’:
- Which people handle personal data?
- Which business processes use personal data?
- Which technologies are used for processing personal data?
How to do Data Mapping?
You will need to identify all personal data processed throughout the organisation, which means finding ways to uncover it in every corner of the business. Therefore, a systematic methodology is needed to ensure that all personal data processing is included in this mapping exercise.
A good way to do this is to prepare sessions with each team leader in your organisation.
Data Mapping with Team Leaders
Team leaders have a clear view of what happens in their teams. By organising discovery sessions, you can map out all processes and systems where personal data is processed throughout their teams and the entire organisation.
Instead of discovery sessions, you could also request that they complete a questionnaire. Though, it is unlikely to yield the same quality results because team leaders may not fully understand the GDPR, the definition of personal data, or the importance of this task to the organisation. They might prioritise more urgent matters over filling out your forms and may not fully understand the specific details you're looking for.
In contrast, a discovery session allows you to guide a 1-1 conversation and focus on the areas that matter most.
Furthermore, having these sessions with the team leaders allows you to emphasise the importance of their involvement in GDPR compliance. This will help foster collaboration and ensure that key stakeholders are on board from the start, which will support a smoother and more integrated implementation process.
Identify all team leaders in your organisation and schedule them for a discovery session or ask them to complete a questionnaire.
Preparing for Discovery Sessions
On a practical level, start by sending meeting invitations to all relevant team leaders for the discovery sessions, and expect them to last 1-2 hours per session.
To ensure the sessions run smoothly, it's a good idea to provide some context about your project in advance. This helps set expectations and gives team leaders a clearer understanding of what the conversation will involve.
Additionally, include some simple, easy-to-read educational material, such as a definition of ‘personal data’, ‘information assets’, and ‘processing activities’. By giving them this context, you prepare the participants for the conversation and reduce potential confusion around these terms during the sessions.
Prepare material and invite all team leaders to a discovery session to map their processing of personal data.
Getting Started with Data Mapping
In the discovery sessions, we suggest that you start by first mapping all the systems of your organisation, as this might be more relatable to the team leaders than 'processes'.
When you have explored and mapped all the systems where personal data is processed, you should next focus on the processes where personal data is processed.
You need to map both systems and processes because several processes can be using the same system, while several systems can be used for the same process.
Data mapping must cover all aspects of personal data processing.
Mapping Information Assets
In the discovery sessions with team leaders, start by identifying all the information assets within each team, such as IT systems, folders containing personal data, computers, mobile phones, critical spreadsheets with personal information, etc.
This overview is important for planning the security measures to protect your organisation's personal data and ensure compliance with GDPR. Since personal data is primarily processed through IT systems, managing these effectively will be a central focal point for GDPR compliance.
We will explore this topic in greater detail later in the article.
Identify and document all information assets where personal data is processed.
Mapping Processing Activities
With the information assets identified at the start, the discovery sessions should now focus on identifying and naming all processes within the teams that involve personal data.
Make sure to identify all these processing activities before describing each in detail, as this will support an orderly process.
Next, describe the identified processing activities in detail to gain a thorough understanding of each one and how personal data is managed. These descriptions will be useful for maintaining GDPR compliance over the coming years, so make them as comprehensive as possible. This will also make it easier for colleagues to join in and assist with the process.
Identify and document all processing activities.
Local Ownership
Once you have mapped the processing activities and information assets and described these in detail, you should ask team leaders to identify who is responsible for each of these processes and assets within their teams.
Your project becomes operational by assigning ownership of these processes and information assets to your colleagues. This will allow you to obtain necessary information directly from the colleagues responsible for specific activities and delegate tasks to them.
This approach has important implications for your GDPR implementation:
- It delegates responsibility to internal experts who are best placed to manage compliance.
- It naturally integrates your colleagues' knowledge into the project.
- It lays the groundwork for embedding GDPR into the organisation’s regular processes.
For example, the payroll lead, who understands the finer details of how employee data is processed, can ensure that the system complies with GDPR both during and after the implementation of the GDPR.
At this stage, team leaders' involvement can be limited to signing off on their team's contributions to the GDPR implementation project. For specifics, you can now approach the identified colleague directly.
Assign ownership of all processing activities and information assets to specific colleagues within your organisation.
Your Records of Processing Activities
At this point, you will have mapped your organisation's processing activities and information assets and have established whom you can go to for expertise for each of these processes within your organisation.
For each processing activity you have mapped, you now need to describe how personal data is handled, following the requirements outlined in Article 30 of the GDPR.
Article 30 of the GDPR requires your organisation to document all its processing of personal data in what is called a Records of Processing Activities (RoPA). From performing this task follows several requirements, which we have described in another article on Records of Processing Activities.
In addition to meeting the requirements for the Records of Processing Activities, it is advisable to link your information assets to your processing activities in your management system, such as a spreadsheet. This approach will give you a complete overview of how your organisation's IT systems, hardware, external vendors, etc., are used for each of the organisation’s processes.
For example, since the processing of personal data typically takes place through IT systems, you should link these processes to the relevant systems. This connection enables you to make adjustments and implement security measures as needed in the future.
Complete the Records of Processing Activities for your organisation.
Gap Analysis
In practice, you may not be able to fully address all matters on your first attempt to complete the Records of Processing Activities according to its requirements.
This is entirely normal.
Instead, create a task list to document any gaps as you encounter them. This allows you to revisit and fully address these issues later with comprehensive answers.
Completing the Records of Processing Activities is an iterative process involving back-and-forth between you (the GDPR compliance manager) and the process owners you identified across the organisation and, if needed, your project group.
This process can be frustrating in practice, but it's part of the work and will ultimately benefit your GDPR compliance. GDPR requires that your colleagues also understand what the company needs to do to become compliant, so this back-and-forth process will help your organisation integrate an understanding of what is required for GDPR compliance.
Moreover, as your organisation evolves and changes, the Records of Processing Activities must always reflect current affairs. This means you will need to continuously update it to align with new developments. Maintaining a strong relationship and collaboration with your colleagues facilitates this, as you will rely on them to inform you of any changes within their areas of responsibility, so the Records of Processing Activities can stay updated.
Identify gaps in your Records of Processing Activities and your current practices, and address them systematically.
Conduct Risk Assessments
Once you have documented your processing activities via the Records of Processing Activities and your information assets have been mapped, it's time to carry out risk assessments for each processing activity and information asset.
These assessments help you understand if personal data processing is at risk and whether these risks could potentially harm the individuals whose data your organisation handles.
This is a substantial task.
To get an in-depth insight into the risks, you should involve your colleagues who oversee these processes and assets in their daily work. Finally, you should have them take ownership of these assessments.
However, the effort is worth it.
GDPR compliance requires you to implement ‘appropriate’ security measures, and your risk assessments will guide you in determining what those measures should be for each of these processes and assets.
Risk assessments determine what's 'appropriate' in terms of security measures and serve as a tool for your organisation to tailor its measures to the identified level of risk. This approach to risk management leads to a more cost-effective implementation, as you don't need to protect everything equally.
It's not uncommon for companies to underestimate the importance of making thorough risk assessments.
Without solid risk assessments, you are more likely to achieve a kind of pseudo-compliance, which will have a negative impact on data protection. Pseudo-compliance will increase the risk of data breaches and lead to a greater likelihood of fines from data protection authorities, who also assess the quality of your risk assessments, especially in the case of a data breach.
Systematically assess and document risks for all processing activities and information assets.
Data Processing Agreements
As part of GDPR implementation, you must secure valid Data Processing Agreements with all your organisation's data processors. While processors often provide these agreements, it's your responsibility to ensure they comply with GDPR requirements. You must also do your due diligence to make sure that data processors handle personal data securely and comply with regulations.
Your risk assessments should inform your assessment of whether the data processing by these partners is sufficiently secure.
Data Processing Agreements must be established with all data processors.
International Transfers
You may find that some of your partners or data processors store personal data outside the EU, for instance, in countries like the USA, India, or China.
Transferring personal data to countries outside the EU is considered an international transfer, and it's a critical part of your GDPR compliance that you need to manage carefully.
You must ensure that personal data remains protected when it crosses borders. Some countries have less stringent data protection regulations or spy on data flows, which could compromise the protection of your customers' personal data when transferred to these countries.
Importantly, you must also have a legal basis under the GDPR for making these transfers, which you can find in Chapter 5 of the GDPR.
Although international transfers may not be part of your daily operations, many businesses rely on data processors in countries like the USA, where many software providers are based, with their headquarters and data centres.
Make sure to include these international transfers in your mapping of processes and IT systems so you clearly understand when and how your data is transferred internationally. Finally, ensure your organisation has the necessary security measures to comply with GDPR.
Identify international transfers of personal data, ensure you have a legal basis for these transfers, and implement appropriate security measures to protect the data.
Security Measures
Your processing of personal data must be aligned with the risks you identified in your risk assessments. This means your security measures should directly correspond to the risks identified in your risk assessments of your processes and your assets, with the objective of reducing them.
These measures can be both technical and organisational. Technical measures might include firewalls, while organisational measures could involve security awareness training for your employees.
Implement security measures to reduce the risks to an acceptable level.
Privacy by Design and Privacy by Default
All personal data processing within your organisation must be secure, and the principles of Privacy by Design and Privacy by Default should be embedded into every process, IT system, and security measure. Each must be designed to protect personal data throughout its entire lifecycle, protecting it from collection to deletion.
Have you ever used software which allows you to toggle on privacy-enhancing features? Under the principle of Privacy by Default, these settings must be enabled by default, without requiring any action from the user!
The principles of Privacy by Design/Default must be used in all activities.
Review the Organisation's Overall Security
In addition to assessing each of your organisational processes, assets, and the actions of employee, it is necessary to assess the overall security of your organisation.
What broader measures can your organisation implement to enhance data protection across the entire organisation? For example, installing a burglar alarm on the premises would be such a measure because it enhances the security of all assets handled on the premises.
What broader measures can your organisation implement to enhance data protection across the entire organisation?
Develop an Information Security Policy
An information security policy should outline the security measures established by the organisation, how data is processed securely, and what employees need to do to maintain GDPR compliance in their daily activities.
The policy should cover everything from access controls and data encryption to incident response plans. It should also be regularly updated to reflect any new risks or changes in the organisation's processes or technology.
Because this policy impacts how your organisation operates and the resources required for GDPR compliance, top management should approve and support it. Their buy-in is important for its relevance to the organisation.
By having a clear, well-communicated policy for all colleagues, you ensure that everyone has access to the overall guidelines for how to protect data within the organisation.
Create an information security policy, have the CEO approve it and make it available to all colleagues.
The Human Element
While GDPR compliance involves managing processes and technology, your employees ultimately keep the organisation running. A large part of your compliance efforts depends on making sure your colleagues handle personal data correctly and follow your organisation's procedures.
In practice, this involves training staff to process personal data in line with company policies. They should also be made aware of GDPR rules and general security practices to make sure they handle data securely at all times, e.g. via security awareness training. A data breach must happen only once to have severe consequences for your customers, colleagues, and your organisation's operations.
Regularly train and educate staff on GDPR requirements and security best practices.
Guidelines for Employees
Develop clear guidelines and procedures that serve as a reference for employees when handling personal data in their daily tasks. Each process listed in your Records of Processing Activities should have a detailed description that includes practical instructions on managing personal data.
This should also apply to IT systems, hardware, and other data processing tools.
Develop guidelines and procedures for processing personal data.
Guidelines for Data Subject Rights
Anyone whose personal data your organisation processes has rights under GDPR, and it's your responsibility to make sure these rights are upheld. For example, a customer might request access to the personal data your company holds about them. The person receiving such a request must know how to handle it to comply with the GDPR.
All employees who interact with customers, colleagues, or other individuals should receive clear guidance on how to comply with these rights in practice.
Develop guidelines for employees on handling data subjects' rights.
Communication with Data Subjects
A central obligation of the GDPR is that individuals have the right to be informed proactively and transparently about how your organisation processes their personal data.
This is why companies have a privacy policy, typically shared on their website, where this information is clearly presented. You can link to this policy in emails or provide it to customers and others upon request. Centralising your communication in this privacy policy ensures everyone can access the relevant information easily.
However, you must provide this information before processing any personal data. For example, if you are asking people on the street to sign up for your charity, you need to inform them at that exact moment about how their personal data will be processed. In such cases, having a flyer on hand that explains the data processing can be a simple and transparent way to fulfil this requirement.
Make sure this information is provided correctly to the data subjects for each of the personal data processing activities listed in your Records of Processing Activities.
Develop a privacy policy and make it public via your website.
Communication with Employees
You also need to inform your employees how their personal data is being processed because you process information regarding payroll, medical leave, etc.
This communication can be done internally via the intranet or similar.
Keep in mind that data collection starts at the recruitment phase, so it’s important to inform job applicants about how their data will be processed right from the start. Again, a clear privacy policy on your website, explaining how you handle their personal information, is a simple way to provide this transparency.
Develop a privacy policy or similar document specifically for your employees.
Data Breaches
Data breaches happen, and your organisation must be able to identify any breaches of personal data occurring within the organisation. Ignorance is not a valid excuse under GDPR, as it will be seen as negligence. This means you should implement security controls that enable your organisation to detect such breaches proactively.
Furthermore, it is required that all personal data breaches be recorded in a log, where each breach is categorised and assessed, regardless of its severity. Suppose a breach is deemed to significantly impact the individuals whose personal data is included in the breach. In that case, it must be reported to the data protection authority, and those affected must also be informed.
These rules ensure your organisation maintains constant awareness of data breaches and is equipped to act quickly when they occur.
Implement security controls to proactively detect data breaches and develop a log for recording identified data breaches.
Data Protection Officer (DPO)
Public organisations and companies that process large amounts of personal data or handle sensitive data extensively are required to appoint a Data Protection Officer (DPO).
Most regular businesses are not obligated to have a DPO, but they can still choose to appoint an internal or external DPO if it is relevant. Doing so can support the organisation's GDPR compliance by bringing more expertise and professionalism.
Assess whether your organisation must establish the role of a Data Protection Officer.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a specific type of risk assessment required when an organisation plans to process personal data in a way that could pose a high risk to individuals.
The DPIA helps identify and mitigate these risks to individuals, ensuring that the processing meets GDPR requirements. However, most companies will not need to conduct DPIAs, as they typically do not engage in high-risk data processing activities.
Do not mistake the risk assessment with the Data Protection Impact Assessment, as they differ. There are no formal requirements for conducting risk assessments as there are for conducting Data Protection Impact Assessments, and you can read about these here.
If a regular risk assessment indicates a high level of risk, this will suggest that you might need to conduct a Data Protection Impact Assessment.
Evaluate the need to do DPIAs based on your general risk assessments.
Summary
This article has focused on implementing GDPR compliance, which is daunting for most organisations.
It is important to treat GDPR compliance as a project and follow a clear step-by-step plan. The checklist provided in this article offers a solid guide for approaching such a project implementing GDPR compliance.
However, the article has not covered the topic of maintaining GDPR compliance — which requires an ongoing operational focus from your organisation.
Under GDPR, you must remain compliant at all times and be able to document this compliance whenever necessary.
Info
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
Support
support@dotlegal.com
+45 7027 0127
Need help?
Let me help you get started
+45 7027 0127 and I'll get you started
.legal is not a law firm and is therefore not under the supervision of the Bar Council.