GDPR Compliance Checklist: How to Become Compliant

Our twelve-step GDPR checklist can help your organization stay compliant while protecting customers from cybersecurity threats and yourself from business risk.
by Troy Fine

November 16, 2023

Meeting compliance standards can pose a challenge for businesses that process user data internationally. Of all the frameworks, 90% of compliance workers agree that GDPR standards are the hardest to meet. Whether you're new to GDPR or are trying to keep up with it, meeting its requirements is non-negotiable if your business activities involve processing personal data of data subjects in the European Union (EU).

To help you achieve and maintain compliance, we put together a GDPR compliance checklist covering the requirements to process user data. We also offer tips on becoming GDPR compliant and answer a few common framework questions.

Quick Refresher: What Is GDPR?

GDPR, or the General Data Protection Regulation, is a privacy and security law that the EU passed in 2016 and that went into effect in 2018. The regulation governs how organizations collect, use, and secure personal data of EU citizens or residents.

The law exists for four main reasons:

  1. Create a baseline privacy standard for processing personal data related to the people in the EU member states

  2. Reinforce users’ right to data privacy, protection, and transparency

  3. Update privacy laws in light of recent technological changes

  4. Levy non-compliance penalties against organizations to ensure adoption

Who Does GDPR Compliance Apply To?

GDPR applies to all companies controlling and/or processing EU citizens’ or residents’ personal data. Data controllers and processors may sound alike, but they perform different tasks. More specifically:

  • Those that control the data (data controllers) collect, own, and are ultimately responsible for its protection. Controllers define the purpose of the data and associated processing activities. Governments, companies, and individuals can all control data.

  • Those that process the data (data processors) store, retrieve, manipulate, and/or transmit data following the controllers’ instructions. Automated tools and third parties can act as processors. 

Many companies outside the EU still have to follow GDPR guidelines. Adherence is only optional if the organization has no operations that involve processing personal data of clients in EU member states.

12-Step GDPR Checklist

To help you avoid fines and keep doing business in the EU, we’ve made a simple GDPR compliance checklist for U.S. companies. By following these 12 steps, you can better protect your users and reduce the risk of non-compliance. 

Step 1. Review Where and How You Store Data

Action items: 

Perform a security check on devices and other resources where you store data, including:

  • Physical data storage centers

  • Cloud storage solutions

  • Company-owned computers, laptops, smartphones, tablets, and removable media

Step 2. Account For Data Processing Risks

Action items: 

Make sure all processing activities account for risk factors and include:

  • Data protection safeguards from development to processing user data

  • Encryption, pseudonymization, and/or anonymization mechanisms

  • Policy requirements that build awareness about data protection

  • Regular data protection impact assessments

  • Instructions on how to notify authorities and data subjects after a breach

Step 3. Examine Your Legal Function

Action items: 

  • Make sure your legal team understands GDPR guidelines

  • Have management include your legal team during GDPR discussions and implementations

Step 4. Consider Appointing a Data Protection Officer

Action items: 

  • Appoint a data protection officer (DPO), or delegate the DPO's tasks to a third party, a member of your legal team, or an IT security expert, especially where one is required

Step 5. Appoint an EU Representative, If Applicable

Action items: 

  • Appoint an EU representative if you do either of the following:

    • Process large amounts of personal data from EU citizens or residents

    • Process special categories of data from EU citizens or residents (e.g., criminal records, political opinions, racial or ethnic origin, etc.)

Step 6. Establish Your Public-Facing Privacy Policy

Action items: 

  • Publish a privacy policy on your organization’s website that:

    • Explains how you collect, share, store, and use personal data

    • Breaks down the types of data collected and/or processed

    • Includes provisions on data subjects’ rights

    • Communicates changes, if any

  • Have your legal team confirm this policy meets GDPR requirements

  • Include a link to the policy throughout your website, especially on pages where data collection occurs

Step 7. Refine Your Terms of Service

Action items: 

  • Evaluate your product’s terms of service and be sure to:

    • List all the rules users must follow when using your platform/services

    • Communicate your obligations and set customer expectations

    • Note copyrighted materials, IPs, and what customers can do with them

    • Explain your dispute resolution process

    • Include payment disclaimers and liability statements

    • Refer to governing laws shaping your user policies

Step 8. Develop a Customer-facing Data Processing Agreement

Action items: 

  • Create a customer-facing data processing agreement and:

    • Outline your responsibilities as either a data controller, data processor, or both, over the customer’s data

    • Explain how your organization uses this data for business purposes

    • Make the agreement publicly available

    • Involve your Legal Counsel in the creation of this document

Step 9. Develop a Vendor-Facing Data Processing Agreement

Action items:

  • If a third-party vendor collects and processes user data on your behalf, consider a vendor-facing DPA that:

    • Addresses how user data are to be protected during the engagement 

    • Has provisions covering the cybersecurity measures expected to reduce the likelihood of data breaches

    • Has received endorsement from your legal team, ensuring it covers GDPR’s standards

Step 10. Maintain Records of Processing Activities (ROPA)

Action items: 

  • Keep a ROPA that includes: 

    • An overview of your data processing practices

    • Name and contact details of your Data Protection Officer (DPO)

    • The reason you process this data

    • The types of data you control or process

    • Other countries and organizations you transfer data to

    • Time limits before you erase various types of data

    • An overview of your security measures protecting data

Step 11. Create Ways for Customers to Exercise Their Privacy Rights

Action items:

  • Set up mechanisms for direct communication:

    • Provide a publicly-available email address that customers can reach out to

    • Establish your processes for quickly responding to customers 

    • Create a means to adjust or delete user data at any time

  • Make your approach to user privacy clear:

    • Outline how automation and marketing tools leverage user data

    • Write web forms explaining how user data flows through your organization

    • Provide cookie collection notices

Step 12. Maintain Continuous Compliance

Action items: 

  • Select an automated compliance platform that lets you:

    • Proactively create response plans for incidents involving data breaches 

    • Continuously test and monitor the effectiveness of your security processes and procedures

    • Store documentation on data subject requests, data processing activities, privacy impact assessments, and consent records

How to Become GDPR Compliant: 11 Tips

After reading the checklist, you may still have a few questions about GDPR standards. Learn more about how to become GDPR compliant by looking over these 11 steps, where we’ll go into more detail about the requirements you have to meet. 

Evaluate Your Data Management Practices 

Start by evaluating how your company processes and stores personal data. Charting how data flows and keeping records holds your organization accountable. Once your data management is on the page, you can look for risk factors and areas to improve. 

Different roles play their part in data management. Remember to consider your data flow from different personas, such as:

  • Marketing and sales prospects

  • Website visitors

  • Customers

  • Employees

  • Job applicants

Designate a Data Protection Officer (DPO), if Needed

If you haven’t already, appoint a DPO to advise and help enforce GDPR standards. Your DPO is the ultimate authority on keeping your organization GDPR compliant. They can also serve as a point of contact between the company and data protection authorities. Your ideal DPO should have an IT and legal background. 

Appoint an EU Representative If Needed

Data processors and controllers outside the EU often need to appoint a representative. Specifically, you need a representative if any of your business activities involve processing large amounts of personal data from EU citizens or residents and/or processing special categories of data from EU citizens or residents, such as criminal records, political opinions, or racial or ethnic origin.

The GDPR does lay out a few exceptions. You don’t need an EU representative if your organization:

  • Rarely handles EU data

  • Does not process sensitive user data

  • Does not process legal data about criminal offenses and convictions

  • Does not process data in a way that jeopardizes the privacy rights and freedom of EU citizens

  • Is considered a public body or authority

  • Is based in the EU

Conduct a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) 

Businesses that collect sensitive data have to carry out privacy impact assessments and data protection impact assessments. These tests examine processing operations and how they protect user data. 

  • A PIA examines the privacy risks your projects, systems, initiatives, strategies, company policies, and business relationships pose. PIAs work to avert risks to your user base’s rights and freedoms.

  • A DPIA looks over the potential impact of your processes on users’ privacy. It gauges the likelihood of breaches occurring and how much damage they will do. Finally, it determines whether your current measures can prevent those risks. 

For more information, refer to the official GDPR DPIA template.

Create a Public-Facing Privacy Policy

You need to create a privacy policy governing how visitors use your website. Users should be able to access this policy on any webpage to see how you collect, use, and disclose their data. This policy should also outline the user's rights and your obligations to them. Remember to use clear, concise language.

Your policy should include:

  • Contact details for your business, its representative, and DPO

  • Your organization's purpose for processing user data

  • Legal interests of your organization and its third parties

  • Any recipients of your user data

  • How data transfer occurs and the safeguards you've put in place

  • The retention period for user data and why it lasts as long or as short as it does

  • Your data subjects' rights

  • How users can withdraw consent for data processing

  • How users can lodge complaints with a supervisory authority

  • The potential consequences of users not offering their data

  • Details about AI decision-making systems that base choices on user data

Create Your Product Terms of Service and Customer-Facing Data Processing Agreement (DPA)

Terms of service and data processing agreements create transparency between businesses and their customers. Together, they explain a user’s rights and how businesses leverage their data. More specifically:

  • Product terms of service are forms listing rules users must follow while using your platform. They can also include dispute resolution information, governing laws, and copyright claims. 

  • Customer-facing DPAs are agreements between data controllers and processors. DPAs outline how processors will use a controller’s data for business purposes. Sharing your DPA helps customers understand how you use their data.

If you need help writing your DPA, you can review the official template here.

Create a Vendor-Facing DPA

You need to create a data-processing addendum for third-party vendors that store employees’ or customers’ personal information. These DPAs ensure vendors comply with your shared data protection obligations. DPAs apply whether your vendor provides order fulfillment, CRM, or payroll services. 

You can decide what to include in your DPA by asking:

  • Where does your third party store user data?

  • Do you and the vendor have adequate risk-prevention processes in place?

  • Does the vendor rely on technology that reliably protects user data?

  • Do your legal team and DPO think the DPA meets GDPR standards?

Ensure Data Subjects are Informed and Able to Exercise Their Privacy Rights

Review your security policies and processes to ensure customers can use their right to data privacy. These rights can include the chance to access and change their stored information, prevent marketing and AI decision-making, or delete data you stored about them.

You can protect their rights with a few tools:

  • Website forms: Website forms should state how you will use collected data.

  • Cookie collection notices: These notices should include the GDPR cookie requirements.

  • Header and footer text: You can include reminders about user privacy rights at the top and bottom of webpages, especially where personal data are being collected. 

Protect Children's Data

The GDPR only allows personal data processing for users who are 16 or older. To lawfully collect personal data from individuals younger than that, their parents must consent to it. Consider adding an age verification system before collecting customer information. 

Monitor and Report Data Breaches 

GDPR guidelines keep businesses vigilant against breaches and other security threats. When breaches occur, companies need to respond quickly and report data losses. This process involves four steps: 

  1. Set up procedures to detect, investigate, and respond to incidents involving data breaches. Conduct a GDPR assessment to determine the types of data you're holding and set up notifications in case of a breach.

  2. If a breach presents a risk to users’ rights and freedoms, inform them as soon as possible, unless affected personal data is unintelligible or encrypted. 

  3. Controllers need to report breaches to their supervisory authority within 72 hours. Failure to report the breach within 72 hours will require a justifiable reason; otherwise, it may result in legal penalties and fines.

  4. Processors are required to immediately notify the controllers about incidents involving a personal data breach.

Implement a "Privacy by Design" Mindset 

Privacy by design is a security approach pushing for data protection through technology design. In other words, it refers to a method of data protection built into the foundation of your tools and processes. Some organizations call it “privacy by default” to reflect this wider scope. You can implement privacy by design by:

  • Carrying out data protection impact assessments regularly

  • De-identifying data using pseudonymization or anonymization 

  • Deleting data no longer used or needed

  • Placing your data centers in high-security locations

  • Encrypting systems and passwords your employees use

  • Conducting security scans on networks, systems, and devices to identify potential weaknesses

GDPR Compliance FAQ

If you still have questions about attaining GDPR compliance and/or addressing GDPR requirements, we’ve answered a few common questions below.

What Are the GDPR Data Protection Principles?

GDPR upholds seven data protection principles that companies must adhere to, including: 

  • Lawfulness, fairness, and transparency: Follow contractual rules, value user consent, don’t misuse data, and never withhold information from data subjects.

  • Purpose limitation: Only process collected data based on legitimate and explicitly specified purposes.

  • Data minimization: Only collect the minimum amount of data needed for business purposes.

  • Accuracy: Conduct audits and set up measures to correct, update, or erase incomplete and false data.

  • Storage limitation: Retain data for no more than a justifiable amount of time. 

  • Integrity and confidentiality: Protect data from unauthorized parties and avoid data losses, damage, and destruction. 

  • Accountability: Keep records and establish measures to prove data processes are compliant.

What Are the Penalties for GDPR Non-Compliance?

GDPR non-compliant organizations can face sanctions and fines. The EU sets financial penalties in proportion to the extent of data misuse. In extreme cases, fines can reach €20 million, or 4% of the firm’s worldwide annual revenue from the last fiscal year, whichever amount is higher.

GDPR sanctions may include:

  • Bans on data processing in the EU

  • Public reprimands

  • Financial penalties based on the extent of non-compliance

Does the GDPR Require Encryption? 

Organizations often use encryption to meet GDPR standards, but other options exist. The GDPR requires that organizations use "appropriate technical and organizational measures" to protect user data.

While encryption is a practical, affordable choice, you could also use the combination of:

  • Firewalls

  • User access controls

  • Multi-factor authentication

  • Security awareness training

  • Pseudonymization techniques

How Drata Can Help You Achieve and Maintain GDPR Compliance 

While GDPR sets a high bar for data protection, meeting its standards doesn't have to be difficult. By following our GDPR compliance checklist, you can avoid penalties and offer customers the highest level of protection. 

If you have trouble staying GDPR compliant, Drata can help. Our tool automates compliance processes and keeps you audit-ready. By continuously monitoring your cybersecurity, we can help protect your users' data and reduce your business's risk. Additionally, our team of GDPR experts can reduce the time and complexity involved with achieving compliance.

Schedule a demo with our team and learn how to be GDPR compliant today.

Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.