GDPR Compliance Checklist: How to Become Compliant

Use our 15-step GDPR compliance checklist to bring your organization in line with the EU’s biggest data privacy law and protect yourself against risk.

by Drata

March 03, 2025

Meeting compliance standards can pose a challenge for businesses that process user data internationally. Among all compliance frameworks, 90% of compliance professionals agree that GDPR's standards are the hardest to meet. Whether you're new to GDPR or are trying to keep up with it, meeting its requirements is non-negotiable if your business activities involve processing the personal data of data subjects in the European Union (EU).

To help you achieve and maintain compliance, we put together a GDPR compliance checklist covering the requirements to process user data. We also offer tips on becoming GDPR compliant and answer a few common framework questions.

Quick Refresher: What Is GDPR?

GDPR, or the General Data Protection Regulation, is a privacy and security law that was passed in 2016 by the EU and went into effect in 2018. The regulation governs how organizations collect, use, and secure the personal data of EU citizens or residents. 

The law exists to do four things:

  • Create a baseline privacy standard for the processing of personal data related to the people in the EU member states

  • Reinforce users’ right to data privacy, protection, and transparency

  • Update privacy laws in light of recent technological changes

  • Levy non-compliance penalties against organizations to ensure adoption

The 7 Principles of GDPR

GDPR protects consumers’ privacy; the law is modeled on seven principles considered foundational to data protection. Incorporate them into your website or product to meet GDPR’s requirements and comply with the spirit of the law.

The principles are:

1. Lawfulness, fairness, and transparency: Companies that use personal data should only take actions legally allowed under GDPR. Companies should treat data fairly; they should not use it to mislead individuals or leverage it in unexpected ways. Any organization that collects and processes personal data should have data policies that are readily available and written in plain language so they can be accessed and understood by lay individuals.

2. Purpose limitation: Data should only be collected and used for specific purposes explicitly outlined in an organization’s data policy and reasonably expected by individuals. Data should not be used for any other purposes. In some situations, data controllers may process and archive data if it is in the public interest, serves scientific or historical research, or can be used for statistical purposes. However, organizations that do so must have safeguards in place.

3. Data minimization: Organizations should limit the data they collect, gathering only what is necessary for and relevant to their purposes. They should also regularly review data collection programs to ensure they continue to adhere to this guideline and delete any unnecessary data. 

4. Accuracy: Anyone who collects data should take steps to ensure it is accurate and update it if necessary. Organizations should have clear policies and procedures regarding the correction of data. Individuals whose data is collected have the right to request correction of incorrect data; data holders should make reasonable efforts to fulfill these requests.

5. Storage limitation: Data should not be held for longer than is necessary for organizations to fulfill the purpose for which it was collected. Anyone who collects data should establish time limits regarding how long the data may be held and have processes in place to guarantee personal data is deleted once it is no longer needed. In some cases, organizations should take steps to irreversibly anonymize data once it no longer needs to personally identify individuals.

6. Integrity and confidentiality: Organizations that collect data must ensure its security and confidentiality. Both physical and cybersecurity measures should be implemented to prevent unauthorized access to data. An organization’s measures should evolve with industry best practices.

7. Accountability: All organizations that collect data should be able to prove their compliance with GDPR and these seven principles. They must keep records of their data program, create internal policies and practices to support responsible data stewardship, and regularly review their accountability practices. They should report data breaches when they occur.

Together, these principles create a framework that supports data use that respects individuals’ rights and guarantees their protection against misuse of their personal information. GDPR, built around them, has language that addresses each principle and codifies it into law.

Who Does GDPR Compliance Apply To?

GDPR applies to all companies controlling and/or processing EU citizens’ or residents’ personal data. Data controllers and processors may sound alike, but they perform different tasks. More specifically: 

Those who control the data (data controllers) collect and own data and are ultimately responsible for its protection. Controllers define the purpose of the data and associated processing activities. Governments, companies, and individuals can all control data.

Those that process the data (data processors) store, retrieve, manipulate, and/or transmit data following the controllers’ instructions. Automated tools and third parties can act as processors. 

Even companies not based in the EU must comply with GDPR if they control or process data for clients or end users in its member states. 

Why Should You Comply With GDPR?

GDPR compliance is a smart move for any company with global ambitions. Even if you’re not currently serving customers in EU member states, you may someday wish to. Reworking your data collection and processing policies and practices at that point will be a major undertaking. Build the seven principles into your efforts now to save yourself from a major overhaul in the future.

Companies that do business in the EU and don’t comply with the GDPR can face heavy fines. Even those that don’t have to comply stand to benefit from working within the law. A survey conducted by the International Association of Privacy Professionals (IAPP) found nearly 68% of consumers worldwide said they were either somewhat or very concerned about their online privacy. By following GDPR, you’re telling these consumers you hear their concerns and are dedicated to addressing them.

Strong data protections also help protect your company against data breaches. Hacks are costly in terms of the time and money they take to rectify and the loss of consumer trust they engender. The principles outlined in GDPR help protect consumer data and your company’s confidential data against unauthorized access. 

15-Step GDPR Checklist

To help you reap the benefits of strong and effective privacy controls, we’ve made a simple GDPR compliance checklist for U.S. companies. Follow these 15 steps to set up and maintain GDPR compliance at your company. 

Step 1. Review Where and How You Store Data

The first step toward lawful, limited, and accountable data practices is understanding how your company stores and processes personal data. Both your physical and technical data storage processes matter.

Because both security and transparency are a key part of GDPR, you’ll need to evaluate your data practices for compliance with both requirements. 

Check the security controls on devices and other locations where you store data, including:

  • Physical data storage centers

  • Cloud storage solutions

  • Company-owned computers, laptops, smartphones, tablets, and removable media

Companies starting to evaluate their data practices may find “shadow IT” (tools or storage that shouldn’t be authorized to handle personal data). Data redundancies or legacy platforms may also host unsecured user data. 

Once you’ve found everywhere your data currently lives, it’s time to improve your data storage practices, likely by consolidating data in a secure and controlled location. Chart your data flows and create a record-keeping process. Once your data management is documented, you can look for risk factors and areas to improve.

Action items:

  • Perform a security check on devices, servers, and tools that store data.

Step 2. Conduct a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) 

Collecting and using data in accordance with GDPR requires you to put individuals’ privacy first. Privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) help you get clarity regarding potential privacy risks.

A PIA examines the privacy risks your projects, systems, initiatives, strategies, company policies, and business relationships pose. PIAs work to avert risks to your user base’s rights and freedoms.

A DPIA looks over the potential impact of your processes on users’ privacy. It gauges the likelihood of breaches occurring and how much damage they will do. Finally, it determines whether your current measures can prevent those risks. The official GDPR DPIA template will walk you through the necessary considerations.

After you’ve completed your risk assessments, you’ll have a clear idea of what actions you need to take to secure the data you collect. 

Action items:

  • Conduct a PIA.

  • Conduct a DPIA.

  • Create a roadmap for rectifying any vulnerabilities your assessments uncovered.

Step 3. Examine Your Legal Function

Include your legal team in your compliance efforts since GDPR is a law, and failure to comply has legal repercussions. While IT will likely own the technical side of compliance and HR will keep all internal data collection in compliance, your legal team should work with both to ensure their practices meet GDPR requirements. 

Plan to invest in legal education to help your lawyers understand what’s required and get a handle on the technical concepts included in the law. The European Data Protection Board (EDPB) offers excellent GDPR guidance clarifying the law. You may also want to conduct internal training that brings together the expertise required by IT, HR, and legal. 

Action items:

  • Make sure your legal team understands GDPR guidelines.

  • Have management include your legal team during GDPR discussions and implementations.

Step 4. Consider Appointing a Data Protection Officer (DPO)

Your data protection officer (DPO) is the ultimate authority on your organization’s GDPR compliance. If you haven’t already appointed one, it might be time. 

Your DPO owns your GDPR compliance; they’re in charge of ensuring your data collection and processing efforts follow the law’s data protection rules. A DPO should:

  • Ensure data controllers are aware of the rules binding them.

  • Keep individuals informed regarding their rights when it comes to data protection and privacy.

  • Help the organization interpret and apply GDPR regulations.

  • Keep records of the organization’s data storage and processing work.

  • Handle any questions or complaints the organization receives regarding its data.

  • Liaise with data protection authorities when necessary.

  • Perform other duties as necessary to keep the organization in compliance.

Companies may appoint a DPO from their staff or hire an external agent to serve as a DPO. If you don’t have expertise on GDPR in-house, hiring an external individual might be the best bet. The same goes for if your would-be internal appointees have jobs or duties that might cause a conflict of interest with their DPO duties.

Hiring an external DPO insulates this individual from internal politics, which can make it easier for them to perform an often difficult job. This setup may also make it easier to win cooperation from managers across different teams and departments. External DPOs also take on some of the liability for GDPR violations. 

On the other hand, an internal DPO may be easier to get ahold of because they work only for your company. They will also have a greater understanding of your company’s processes, which may allow them to make better recommendations. 

The GDPR doesn’t require every company to have a DPO; it’s necessary where either:

  • The data processor is a public authority or public body; or

  • The company’s core activities involve processing sensitive data at scale.

However, appointing one person to own your GDPR efforts often brings better results because there’s no confusion when it comes to authority or accountability.

Action items:

  • Appoint a data protection officer (DPO) or delegate the required tasks to a third party, member of your legal team, or IT security expert.

Step 5. Appoint an EU Representative, If Applicable

Data processors and controllers outside the EU often need to appoint a representative. Specifically, you need a representative if any of your business activities involve processing large amounts of personal data from EU citizens or residents, or processing special categories of data from EU citizens or residents, such as criminal records, political opinions, or racial or ethnic origin.

The GDPR does lay out a few exceptions. You don’t need an EU representative if your organization:

  • Rarely handles EU data.

  • Does not process sensitive user data.

  • Does not process legal data about criminal offenses and convictions.

  • Does not process data in a way that jeopardizes the privacy rights and freedom of EU citizens.

  • Is considered a public body or authority.

  • Is based in the EU.

Organizations without offices in the EU but that serve EU residents must have a representative if they do not meet the above exceptions. 

Your EU representative must be:

  • In an EU or EEA (European Economic Area) country.

  • In the same country as some of the individuals whose data you are processing.

  • Authorized in writing to act on your behalf regarding GDPR compliance and to deal with authorities and individuals whose data you’ve collected. 

  • Your representative regarding GDPR obligations.

  • Known to any EU individuals whose personal data you are processing, and to supervisory authorities, through your privacy notice or other public postings.

Like your DPO, this position can be internal or external; for many companies that don’t have offices in the EU, the latter is a much easier choice.

Action items:

  • Appoint an EU representative if you do either of the following:

      • Process large amounts of personal data from EU citizens or residents.

      • Process special categories of data from EU citizens or residents (e.g., criminal convictions, political opinions, racial or ethnic origin, etc.).

Step 6. Create a Public-Facing Privacy Policy

Create a privacy policy governing how visitors use your website. Users should be able to access this policy on any webpage to see how you collect, use, and disclose their data. This policy should also outline the user's rights and your obligations to them. Remember to use clear, concise language.

Your policy should include:

  • Contact details for your business, its representative, and DPO.

  • Your organization's purpose for processing user data.

  • Legal interests of your organization and its third parties.

  • Any recipients of your user data.

  • How data transfer occurs and the safeguards you've put in place.

  • The retention period for user data and why it lasts as long or as short as it does.

  • Your data subjects' rights.

  • How users can withdraw consent for data processing.

  • How users can lodge complaints with a supervisory authority.

  • The potential consequences of users not offering their data.

  • Details about AI decision-making systems that base choices on user data.

After you’ve written the initial policy, bring in your legal team to ensure it meets GDPR requirements. If this is an update to your existing policy, inform your users that your privacy policy has changed via email, on-site notifications, and a note at the top of your privacy policy. 

Action items:

  • Write a privacy policy.

  • Have your legal team confirm it meets GDPR requirements.

  • Publish your privacy policy on your organization’s website.

  • Include a link to the policy throughout your website, especially on pages where data collection occurs.

Step 7. Refine Your Terms of Service

Your terms of service (TOS) govern how users can interact with your platform. They include GDPR-relevant information, like how your platform complies with data privacy laws and regulations. 

Thorough terms of service are better for your company if you end up in a legal dispute. In accordance with the transparency principle underlying the GDPR, they’re also better for users. Your TOS helps audiences clearly understand the rules they must follow and the obligations your company has to them.

A good TOS document: 

  • Lists all the rules users must follow when using your platform/services.

  • Communicates your obligations and sets customers’ expectations.

  • Notes copyrighted materials, IPs, and what customers can do with them.

  • Explains your dispute resolution process.

  • Includes payment disclaimers and liability statements.

  • Refers to governing laws shaping your user policies.

Your TOS may change over time as your product or platform evolves, as new laws come into effect, or as you encounter new use cases. Communicate any such changes to your users before they go into effect.

Action items:

  • Evaluate your product’s terms of service for transparency and clarity.

Step 8. Develop a Customer-Facing Data Processing Agreement

Inform users and customers what you do with their data to support the GDPR’s transparency principle. Your customer-facing data processing agreement (DPA) gives an overview of how your company uses customer data. While the DPA itself is an agreement between you and your data processors, making it public allows customers to understand exactly how you’re using their data.

Your DPA should outline your responsibilities as either a data controller, data processor, or both over the customer’s data and explain how your organization uses this data for business purposes. It should also outline what the data processor can and cannot do with the data. Since this is a legal document, your company’s lawyers should be involved in drafting it.

You should have a DPA for every third-party vendor who works with your company to process data. The EU has provided an official template here.

Action items:

  • Create and publish a customer-facing data processing agreement.

Step 9. Develop a Vendor-Facing Data Processing Addendum

You’ll also need a data-processing addendum for third-party vendors that collect or process employees’ or customers’ personal information. This is the official agreement between your company and theirs and may not be publicly available. 

DPAs ensure vendors comply with your shared data protection obligations. They address how user data should be protected during the engagement and have provisions including expected cybersecurity measures to reduce the likelihood of data breaches. They apply whether your vendor provides order fulfillment, CRM, or payroll services. Once again, this document should be reviewed (if not drafted) by your legal team.

You can decide what to include in your DPA by asking:

  • Where does your third-party vendor store user data?

  • Do you and the vendor have adequate risk-prevention processes in place?

  • Does the vendor rely on technology that reliably protects user data?

  • Do your legal team and DPO think the DPA meets GDPR standards?

To comply with GDPR standards, your DPA should be fairly detailed regarding what your vendors can and cannot do with your users’ data, and how they must secure it. You may also need sections to cover the vendor’s use of sub-contractors, if relevant. 

Action items:

  • Develop DPAs for any third-party vendors that collect and/or process user data on your behalf.

Step 10. Maintain Records of Processing Activities (ROPA)

To prove your compliance with GDPR, most companies need to keep records of processing activities (ROPA). Your records must include: 

  • An overview of your data processing practices.

  • Name and contact details of your Data Protection Officer (DPO).

  • The types of data you control or process.

  • The reason you process this data.

  • Other countries and organizations you transfer data to.

  • Time limits before you erase various types of data.

  • An overview of your data security measures. 

Processors must also maintain ROPAs covering all activities they carry out for controllers. A processor ROPA must include:

  • The name and contact details of the processor and each controller the processor works for.

  • The name and contact details of the processor’s and controllers’ personal representative and DPO.

  • The type of data processing done.

  • Other countries and organizations the data is transferred to.

  • An overview of their data security measures.

Each party’s ROPA must be written and made available to authorities upon request. 

ROPAs are not required for organizations that employ fewer than 250 people unless their data processing:

  • May put individuals’ rights and freedoms at risk; or

  • Is regular and frequent; or

  • Includes special categories such as racial or ethnic origin, political opinions, religious beliefs, etc.

Even companies that do not process data in those special categories, or in other fields that could put individuals’ rights at risk, often process data frequently enough that a ROPA is required. These records must be updated regularly as your practices change.

Action items:

  • Create a ROPA.

  • Implement a process for regularly reviewing your ROPA for accuracy and updating it when necessary. 

Step 11. Create Ways for Customers to Exercise Their Privacy Rights

Review your security policies and processes to ensure customers can use their rights to data privacy. These rights can include the chance to access and change their stored information, prevent marketing and AI decision-making, or delete data you stored about them. 

There are two main points you need to cover to give customers full control. First, clearly communicate your approach to privacy. We already talked about the importance of a privacy policy; many sites also signal data collection when it happens via:

  • Website forms: State how you will use collected data when it is requested.

  • Cookie collection notices: Include the GDPR cookie requirements and allow users to opt out of cookies.

Second, you must give users a way to communicate directly with your company regarding privacy issues. A publicly available email address is usually the best way to promote communication. Create internal processes for responding to customers quickly, and create a means to adjust or delete user data at any time, so you can close the loop on each request in a timely manner.

Action items:

  • Inform users when their data is being collected and give them a chance to opt in or out.

  • Set up mechanisms for direct communication.

Step 12. Protect Children's Data

The GDPR only allows personal data processing for users who are 16 or older. Member states may designate different cutoffs down to age 13. To lawfully collect personal data from younger individuals, their parents must consent to it. 

Consider adding an age verification system before collecting customer information. Age verification methods include:

  • Self-declaration

  • Credit card verification

  • Biometric verification

  • Online activity pattern analysis

  • Offline verification

  • Social verification/“vouching”

  • Digital ID tools

All of these are valid options under GDPR. Additionally, because the data minimization principles apply to your age verification efforts, you’ll need to be sure you’re not gathering excess data. The age verification landscape is shifting rapidly as governments and platforms seek appropriate methods that do not infringe upon users’ rights.

Sites that have users under the age of 16 may either decline to collect data on those users or obtain parental consent. While written consent is recommended, the GDPR does not require any specific form of consent so long as it is an opt-in choice.

Action items:

  • Implement an age verification system if necessary.

  • Set up a process for obtaining parental consent for minors.  

Step 13. Monitor and Report Data Breaches 

GDPR guidelines keep businesses vigilant against breaches and other security threats. When breaches occur, companies need to respond quickly and report data losses. 

A strong risk management program starts with procedures to detect, investigate, and respond to incidents involving data breaches. If you don’t have an incident response plan, create one. 

In case of a breach, you have a responsibility to inform the public. Controllers must report breaches to their supervisory authority within 72 hours. Failing to report within 72 hours requires a justifiable reason; otherwise it may result in legal penalties and fines. Processors are required to immediately notify controllers about incidents involving personal data.

Additionally, the GDPR requires you to inform affected individuals as soon as possible if the breach presents a high risk to their rights and freedoms. The only exception is if the compromised data is unintelligible or encrypted.

Action items:

  • Create an incident response plan.

Step 14. Implement a "Privacy by Design" Mindset 

Privacy by design is a security approach pushing for data protection through technology design. In other words, it refers to a method of data protection built into the foundation of your tools and processes. Some organizations call it “privacy by default” to reflect this wider scope. 

You can implement privacy by design by:

  • Carrying out data protection impact assessments regularly.

  • De-identifying data using pseudonymization or anonymization. 

  • Deleting data no longer used or needed.

  • Placing your data centers in high-security locations.

  • Encrypting systems and passwords your employees use.

  • Conducting security scans on networks, systems, and devices to identify potential weaknesses.

These efforts, together, cover many of the principles that inform the GDPR. They will make it easier for your company to comply with the law’s directives and improve your security posture.
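As an added illustration of two of the measures listed above (de-identifying data through pseudonymization, and deleting data that is no longer needed), and not code from the original post or from Drata: the script below replaces a direct identifier with a keyed HMAC-SHA256 pseudonym, re-links a record only when the separately held key is available, and purges records older than a retention window. The key, the sample users and the 90-day retention period are constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data: a small user table as an application might hold it.
SAMPLE_USERS = [
    {"email": "alice@example.com", "city": "Lyon", "last_active": "2024-11-02"},
    {"email": "bob@example.com", "city": "Berlin", "last_active": "2025-02-20"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 pseudonym.

    The key must be stored apart from the data (a secrets vault or KMS).
    Anyone holding the key can re-derive the same pseudonym for a known
    identifier, so the table stays "pseudonymous" rather than "anonymous";
    destroying the key removes that link, which is what makes the remaining
    data effectively anonymous once it is no longer needed.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_records(records: list, key: bytes) -> list:
    """Return copies of the records with the email replaced by a subject_id."""
    out = []
    for record in records:
        pseudo = {k: v for k, v in record.items() if k != "email"}
        pseudo["subject_id"] = pseudonymize(record["email"], key)
        out.append(pseudo)
    return out


def lookup(records: list, email: str, key: bytes) -> list:
    """Re-identify a subject's records for an access or erasure request.

    Without the correct key the derived subject_id matches nothing, so the
    pseudonymized table alone does not reveal which row belongs to whom.
    """
    subject_id = pseudonymize(email, key)
    return [r for r in records if r["subject_id"] == subject_id]


def erase(records: list, email: str, key: bytes) -> list:
    """Honor an erasure request by dropping every row for that subject."""
    subject_id = pseudonymize(email, key)
    return [r for r in records if r["subject_id"] != subject_id]


def purge_expired(records: list, retention_days: int, now: datetime) -> tuple:
    """Drop records whose last activity is older than the retention window.

    Returns (kept_records, number_dropped). Dates are constructed as
    YYYY-MM-DD strings and treated as UTC.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], 0
    for record in records:
        last = datetime.strptime(record["last_active"], "%Y-%m-%d")
        last = last.replace(tzinfo=timezone.utc)
        if last >= cutoff:
            kept.append(record)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-vault"  # assumption: held separately
    table = pseudonymize_records(SAMPLE_USERS, key)
    print("pseudonymized:", table)
    print("alice's rows:", lookup(table, "alice@example.com", key))
    kept, dropped = purge_expired(table, 90, datetime(2025, 3, 3, tzinfo=timezone.utc))
    print(f"after 90-day purge: kept {len(kept)}, dropped {dropped}")
```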

Action items: 

  • Evaluate whether your current practices follow “privacy by design” guidelines.

Step 15. Maintain Continuous Compliance

GDPR compliance requires your company to maintain the standards and practices you’ve set up during this exercise. One of the best ways to do so is with an automated compliance platform that lets you:

  • Proactively create response plans for incidents involving data breaches. 

  • Continuously test and monitor the effectiveness of your security processes and procedures.

  • Store documentation on data subject requests, data processing activities, privacy impact assessments, and consent records.

There’s also a human side to compliance. Your DPO should regularly evaluate your GDPR compliance as part of their job. HR and IT may need to periodically train new members and offer refresher courses for old ones. Legal teams should stay up-to-date on how the law is interpreted in the courts. 

Working together, your team and tools can ensure your company stays GDPR compliant.

Action items: 

  • Implement an automated compliance platform like Drata.

GDPR Compliance FAQ

If you still have questions about attaining GDPR compliance and/or addressing GDPR requirements, we’ve answered a few common questions below.

What are the GDPR Data Protection Principles?

GDPR upholds seven data protection principles that companies must adhere to: 

  • Lawfulness, fairness, and transparency: Follow contractual rules, value user consent, don’t misuse data, and never withhold information from data subjects.

  • Purpose limitation: Only process collected data based on legitimate and explicitly specified purposes.

  • Data minimization: Only collect the minimum amount of data needed for business purposes.

  • Accuracy: Conduct audits and set up measures to correct, update, or erase incomplete and false data.

  • Storage limitation: Retain data for no more than a justifiable amount of time. 

  • Integrity and confidentiality: Protect data from unauthorized parties and avoid data losses, damage, and destruction. 

  • Accountability: Keep records and establish measures to prove data processes are compliant.

What are the Penalties for GDPR Non-Compliance?

GDPR non-compliant organizations can face sanctions and fines. The EU sets financial penalties in proportion to the extent of data misuse. In extreme cases, fines can reach €20 million, or 4% of the firm’s worldwide annual revenue from the last fiscal year, whichever amount is higher. 

GDPR sanctions may include:

  • Bans on data processing in the EU

  • Public reprimands

  • Financial penalties based on the extent of non-compliance

Does the GDPR Require Encryption? 

Organizations often use encryption to meet GDPR standards, but other options exist. The GDPR requires that organizations use "appropriate technical and organizational measures" to protect user data. 

While encryption is a practical, affordable choice, you could also use a combination of:

  • Firewalls

  • User access controls

  • Multi-factor authentication

  • Security awareness training

  • Pseudonymization techniques

Does GDPR Apply to Businesses Outside the EU?

Yes, the GDPR applies to businesses located outside the EU if they control or process any data belonging to an EU citizen or resident. In practice, most digital companies that operate in the EU must follow GDPR.

What Rights do Individuals Have Under GDPR?

The GDPR guarantees individuals eight rights:

  • The right to be informed regarding how their data is collected and used

  • The right to access copies of their data stored by organizations

  • The right to rectification of inaccurate data and completion of partial data

  • The right to erasure of personal data that was previously collected

  • The right to restrict processing of their personal data

  • The right to data portability so they can receive and reuse their personal data across different services

  • The right to object to having their data processed

  • The right to avoid automated decision-making and profiling except where authorized by law, required for operation, or given explicit consent by the user

Does My Organization Need a Data Protection Officer (DPO)?

Many organizations do not need a DPO to comply with GDPR. Public bodies, like government departments, always need a DPO. So do companies whose “core activities” involve processing sensitive data or processing data on a large scale. In other words, if processing data is “central to achieving the company’s goals,” you’re required to appoint a DPO. Otherwise, you are exempt from this requirement. 

What Should I Include in a GDPR-Compliant Privacy Policy?

A GDPR-compliant privacy policy should inform users of:

  • The name and contact information (address, email, phone number) of your data controller.

  • The name(s) and contact information of your DPO and EU representative, if applicable.

  • How, when, and why personal data is collected.

  • What types of personal data are collected.

  • How, when, and why personal data is processed.

  • Your lawful basis for processing personal data.

  • Your data storage practices and retention period.

  • Who you share personal data with and your legal basis for doing so.

  • If you transfer data to international parties and how and why you do so.

  • How individuals can exercise the eight rights guaranteed to them.

  • How you’ll inform users about updates to your privacy policy.

The GDPR requires privacy policies to be written using “clear and plain language,” so avoid legalese and other jargon. When specific terminology must be used, provide a definition for each term.

Finally, your privacy policy must be easy for anyone to access. Most companies link to it in their website footer and/or via FAQs. You may also display a link alongside any forms or other data collection tools.

How Drata Can Help You Achieve and Maintain GDPR Compliance 

While GDPR sets a high bar for data protection, meeting its standards doesn't have to be difficult. By following our GDPR compliance checklist, you can avoid penalties and offer customers the highest level of protection. 

If you have trouble staying GDPR compliant, Drata can help. Our tool automates compliance processes and keeps you audit-ready. By continuously monitoring your cybersecurity, we can help protect your users' data and reduce your business's risk. Additionally, our team of GDPR experts can reduce the time and complexity involved in achieving compliance.
