GDPR Compliance Checklist
WORKSHEET

Overview
The General Data Protection Regulation (GDPR) is the European Union (EU) data protection law, widely regarded as the most demanding privacy law in effect today,
created to ensure that businesses handle personal data properly. The GDPR sets principles that limit how an individual’s personal data
may be used and grants eight data subject rights that give individuals control over their data and how it is used. The following checklist
lists recommended actions for businesses working towards GDPR compliance. Use it to identify compliance gaps in
your program.

STEP 1: Create an Actionable Plan with a Readiness Assessment (GDPR Articles 5 & 24)
Evaluate your organization’s current privacy program.
Identify areas that already comply with the GDPR and areas that don’t.

Conduct an assessment to identify risks and possible data privacy issues as they relate to data subjects and to the business.
These action items not only help you develop a plan for compliance but also help ensure that your company
identifies and controls high-risk processing activities in the future.

Note: The GDPR sets out seven key principles (Article 5) to keep in mind when you conduct your readiness assessment and
create an action plan.
Lawfulness, fairness, and transparency – There must be a lawful basis for each processing activity. Process data in ways the
data subject would reasonably expect, and inform the data subject of the processing.
Purpose limitation – Be clear about your purposes for processing; record them and specify them in the privacy notice to
individuals. Limit the processing to those identified purposes.
Data minimization – Only process personal data to the extent necessary for the purpose.
Accuracy – Ensure the personal data that you process is accurate and up to date. Correct or erase inaccurate personal data
as soon as possible.
Storage limitation – Only keep personal data for as long as you need it.

Integrity and confidentiality (security) – Have appropriate security measures in place to protect the personal data from
unauthorized or unlawful processing and accidental loss, destruction, or damage.
Accountability – Take responsibility for what you do with personal data and have appropriate measures and records in place
to demonstrate your compliance with the data processing principles.
STEP 2: Establish a Processing Register (GDPR Articles 6, 30 & 32)

Do a data mapping exercise to clarify what personal data your organization holds and where.
Create a questionnaire and distribute it to each department you have identified as processing personal data. Sample questions to
include in the questionnaire:
• Why do you use personal data?
• Who do you hold information about?
• What information do you hold about them?
• Who do you share it with?
• How long do you hold it for?
• How do you keep it safe?
Meet with key business functions, such as IT, legal and compliance staff. This will help to better understand how your organization
uses data.

Locate and review policies, procedures and contracts related to actual data processing activities. Consider reviewing the following:
• Privacy policies
• Data protection policies
• Data retention policies
• Data security policies
• System use procedures
• Controller-processor contracts
• Data sharing contracts

Document your findings

Tip: Create a data map and update it regularly. A data map will help you have a holistic view of your data ecosystem. When
you have a holistic view of your ecosystem, it’s easier to accurately identify processing and storage steps. Overall, this gives
you more insight into how personal data flows both internally and externally across your organization.
STEP 3: Operationalize Data Protection Impact Assessments (DPIA) and Privacy by Design
and by Default (PbD) (GDPR Articles 25, 35 & 36)

Conduct a Data Protection Impact Assessment (DPIA) when you have high-risk processing operations. Operationalized properly, the
DPIA can be an effective approach to meeting the data protection by design and by default requirement.

DPIA:
Describe the nature, scope, context and purposes of processing.

Ask your data processors to help you understand and document their processing activities and to identify any associated risks.

Consider consulting data subjects and relevant stakeholders for their concerns regarding the data processing and seek
opinions from the data protection officer.

Ensure the processing is necessary for and proportionate to the purposes and describe how data protection principles will be
complied with.

Objectively assess the likelihood and severity of risks to data subjects’ rights and freedoms.

Identify measures to eliminate or reduce high risks.

Document the decisions made based on the DPIA.

Implement measures identified.

Consult the supervisory authority prior to processing if a high risk remains that cannot be mitigated (Article 36).

Keep the DPIAs under review and revisit them when necessary.

Tip: Implement a lightweight screening questionnaire to analyze your risk and then determine if a full DPIA is needed. Some
workflow steps will require purpose-built tools to comply with the GDPR.
STEP 4: Build a Framework for Consent Management (GDPR Article 7)
The GDPR sets a high standard for processing data based on consent. A consent request must be specific, clear and in plain language. It can’t be
buried in legal notices and must be presented separately (consent cannot be bundled with other notices or with terms and conditions). Additionally,
you must be able to demonstrate that consent was obtained (Article 7(1)), which in practice means keeping a record of who consented, when,
to what, and through which notice.

Ensure consent is the most appropriate lawful basis for processing.

Make the consent request prominent and separate from general terms and conditions.

Ask people to positively opt in and avoid using pre-ticked or other types of default consent.

Specify the purpose and use of the personal data.

Identify all data controllers who will rely on the consent.

Tell people they can refuse to consent without detriment and withdraw their consent after it is given.

STEP 5: Meet EU Privacy Cookie Compliance Requirements (GDPR Articles 7 & 21, ePrivacy Directive/
Draft ePrivacy Regulation)
Outline what the cookies you’re using are for and why they’re being used.

Obtain clear, affirmative consent from the user before setting any cookie that is not strictly necessary, and keep a record of that consent.

Here are a few more cookie requirements as defined by the ePrivacy Directive:

Inform users about the different cookie functions used on the website in question.

Identify the organizations that deploy the cookies and the organizations that use the data collected through the
cookies.

You must inform users of the above two points even if the data being collected is anonymous. If the data being collected is
personal data, make sure that the processing also complies with the relevant GDPR standards.
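The consent requirements in Steps 4 and 5 come down to two mechanisms a web team actually has to build: a consent record that starts with nothing granted (no pre-ticked defaults), logs every grant and withdrawal with a timestamp so consent can be demonstrated later, and a gate that refuses to set non-essential cookies until the matching purpose has been granted. The following is an added example, not code from the OneTrust checklist; the purpose categories, the `notice-v1` identifier and the in-memory cookie jar are assumptions standing in for a real consent banner and `document.cookie`.

```javascript
// Added example (hypothetical names): a minimal consent record plus a cookie gate.
// Only the "essential" category may be stored without consent; every other
// purpose starts as not granted, matching the opt-in requirement of GDPR Art. 7.
const ESSENTIAL = "essential";
const PURPOSES = ["analytics", "marketing", "preferences"]; // assumed categories

// Create a fresh record for one data subject. Nothing is pre-ticked.
function newConsentRecord(subjectId, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = { granted: false, at: null };
  return {
    subjectId,
    noticeVersion: "notice-v1", // which privacy/cookie notice the user saw (assumed id)
    purposes,
    history: [{ event: "shown", at: now }], // audit trail used to demonstrate consent
  };
}

// Record an affirmative opt-in for a single, named purpose (specific consent).
function grant(record, purpose, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  record.purposes[purpose] = { granted: true, at: now };
  record.history.push({ event: "grant", purpose, at: now });
  return record;
}

// Withdrawal must be as easy as giving consent (Art. 7(3)) and takes effect
// immediately for any future cookie writes.
function withdraw(record, purpose, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  record.purposes[purpose] = { granted: false, at: now };
  record.history.push({ event: "withdraw", purpose, at: now });
  return record;
}

// Decide whether a cookie of the given category may be stored right now.
// Missing record, unknown category or un-granted purpose all mean "no".
function mayStoreCookie(record, category) {
  if (category === ESSENTIAL) return true;
  if (!record) return false;
  const p = record.purposes[category];
  return Boolean(p && p.granted);
}

// Gate a cookie write on the consent record. `jar` stands in for document.cookie.
// Returns true if the cookie was stored, false if it was blocked.
function setCookieIfAllowed(jar, record, name, value, category) {
  if (!mayStoreCookie(record, category)) return false;
  jar[name] = value;
  return true;
}

// Serialize the proof a controller keeps per user: who, which notice, what
// was granted when, and the full event history.
function consentProof(record) {
  return JSON.stringify({
    subjectId: record.subjectId,
    noticeVersion: record.noticeVersion,
    purposes: record.purposes,
    history: record.history,
  });
}
```

In practice the record is stored server-side (or signed) and keyed to the user; the gate is called from every place a tag manager or script would otherwise write a cookie, so analytics and marketing tags simply do not fire until `mayStoreCookie` returns true for their category.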
STEP 6: Understand an Individual’s Personal Data Rights (GDPR Articles 7, 12-20 & 21)
The GDPR defines 8 data subject rights, including data portability, access, erasure (the “right to be forgotten”), rectification and
objection. It also sets requirements for handling requests: a one-month response deadline (extendable by a further two months for complex
or numerous requests, Article 12(3)), verification of the requester’s identity, secure delivery of the response, and record keeping.

Tip: Build a data subject access request (DSAR) portal. An automated tool helps manage the intake, identity verification, deadline
tracking and prioritization of DSARs.

STEP 7: Understand Controller and Processor Responsibilities (GDPR Articles 7, 28 (1)-(3), 24 (1), 29, 46 (1))
The controller remains responsible for processing carried out on its behalf by a processor, including breaches on the processor’s side.
Use diligence when transferring data to processors and when executing the requirements defined in processor contracts: apply the same level
of care that you would to internal processing steps. This will help in the event of a breach and allow you to quickly understand the breach’s
impact and next steps.

STEP 8: Prepare for the Unexpected (GDPR Articles 33 & 34)


Create a list of steps for your team to follow that are in compliance with the post-breach requirements defined by the GDPR.

Make sure all your steps are executable within the GDPR’s notification window: the supervisory authority must be notified within 72 hours
of becoming aware of the breach (Article 33).

Create a plan for notifying individuals. Article 34 requires this when the breach is likely to result in a high risk to individuals’ rights
and freedoms.

STEP 9: Review Cross Border Data Transfer Mechanisms (GDPR Articles 44-47, 49)
Identify international flows of personal data to controllers or processors located in third countries outside of the EEA.

Check if there is an adequacy decision in the third country.

If there is no adequacy decision for the third country, check whether the controller or processor has adopted appropriate safeguards, such
as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

If there is no adequacy decision or appropriate safeguards in place, check whether the data transfer falls under one of the
exceptions (e.g., consent, performance of a contract, etc.).

Document the data transfer.

Tip: Standard Contractual Clauses (SCC) are most commonly used when an adequacy decision isn’t available.
STEP 10: Appoint a Data Protection Officer (DPO) (GDPR Articles 37-39)
Although appointing a Data Protection Officer (DPO) is not always required, it is good practice and can increase confidence in
data protection. The DPO is responsible for managing internal and external GDPR compliance, advising on
assessments such as DPIAs, implementing training and awareness initiatives for staff, and similar tasks.

Appoint a DPO where Article 37 requires it, and consider doing so voluntarily otherwise.

STEP 11: Train Your Staff for GDPR Compliance (GDPR Articles 39 & 47)
Trained employees reduce risk. While you can appoint a Data Protection Officer (DPO) to manage the organization’s
compliance with the GDPR, you shouldn’t stop there. It’s important that employees at all levels of the organization understand the
importance of personal data regulation and individual data protection rights, so implementing regular training is an important step.

Implement regular GDPR compliance training for employees.

Tip: You should regularly provide your staff with trainings and run awareness initiatives. Make sure to keep all of your
training completions on record in the event that proof of them is needed.

FIND OUT MORE AT ONETRUST.COM


Copyright © 2021 OneTrust LLC. All rights reserved. Proprietary & Confidential.
