GDPR Compliance Checklist: Ensuring Your Business Stays Compliant

Disclaimer: The purpose of this blog post is to help you understand the GDPR. It should not be considered legal advice that your organization should rely on in an attempt to achieve GDPR compliance. For a complete and accurate interpretation of the law, please consult a legal advisor.

The General Data Protection Regulation (GDPR) remains one of the most stringent data privacy and protection laws in the world.

Since its introduction in 2018, GDPR has transformed how organizations handle personal data, ensuring that companies respect individual privacy and remain transparent about their data practices. For any business operating within the European Union (EU) and European Economic Area (EEA) or dealing with the personal data of EU/EEA residents, staying GDPR-compliant is mandatory.

This comprehensive GDPR compliance checklist will:

• Explain what GDPR is and who it applies to
• Cover the basic terminology
• Discuss EEA citizens’ rights under this legislation
• Outline the steps to help your organization stay GDPR compliant

What Is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union (EU) in May 2018.

It was designed to give individuals more control over their personal data and to simplify the regulatory environment for businesses across the EU by unifying data protection laws. GDPR applies to any organization that processes the personal data of EU/EEA citizens, regardless of the company’s physical location.

Key principles of GDPR include:

• Lawfulness, fairness, and transparency — Organizations must process personal data legally and transparently.
• Purpose limitation — Data can only be collected for specific, legitimate purposes.
• Data minimization — Only the necessary amount of personal data should be collected and processed.
• Accuracy — Personal data must be accurate and kept up to date.
• Storage limitation — Personal data should not be kept longer than necessary.
• Integrity and confidentiality — Data must be handled securely to prevent unauthorized access or breaches.

What Are the Penalties for Non-Compliance?

Although the majority of sources focus on the 4% annual global turnover fine (or €20 million, whichever is higher), it needs to be clear that this is only the maximum fine that will be imposed on organizations responsible for the most serious infringements. GDPR has a tiered approach to fines. Here’s the list of some of the sanctions that organizations might face:

• A written warning in cases of the first or unintentional instance of non-compliance.
• Regular audits conducted by relevant authorities.
• A €10 million (or 2% of the annual global turnover, whichever is higher) fine for not having their records in order or not notifying the data subject and relevant authorities about a data breach.
• A €20 million (or 4% of the annual global turnover, whichever is higher) fine for violating some of the essential principles of the regulation, such as collecting citizens’ private data without explicit consent.

The aftermath of such sanctions can result in a loss of customer confidence, a bad reputation, and negative press. The sanctions apply to both data controllers and data processors, which means that cloud services providers, for example, won’t be exempt from the GDPR.

GDPR affects not only companies based in the EEA but also those outside of it as long as they process the data of EU citizens. This global reach makes GDPR one of the most influential data protection regulations worldwide.

Basic GDPR Terminology to Understand

Data subject

A data subject is any individual located in the European Union (EU) or European Economic Area (EEA) whose personal data is collected, stored, or processed by an organization. GDPR protects the privacy rights of these individuals by giving them control over how their data is used.

Data controller

The data controller is an organization that determines the purpose and means of processing personal data. This could be a company, government agency, or institution that collects personal information from EEA residents, such as a bank, telecom provider, or public authority. The controller is responsible for ensuring that data is handled in compliance with GDPR requirements.

Data processor

A data processor is an organization that processes personal data on behalf of the data controller. Common examples include cloud service providers, archiving companies, and payroll services. While processors don’t control how the data is used, they must adhere to GDPR and follow the controller’s instructions for processing.

Data Protection Officer (DPO)

GDPR mandates that certain organizations appoint a Data Protection Officer if they are public authorities, conduct large-scale monitoring of individuals, or process sensitive data like criminal records.

While not all organizations are required to appoint a DPO, they must still ensure they have the staff or skills necessary to meet GDPR obligations.

Personal data

Under GDPR, personal data is defined as any information that can identify a natural person, either directly or indirectly.

This broad definition includes two categories:

• Personal data includes details such as a person’s name, biometric data (e.g., a photo), location information (e.g., home address), phone number, financial records, and online identifiers such as IP addresses or cookies. These online identifiers can leave traces that, when combined with other information, could be used to create detailed profiles of individuals.
• Sensitive personal data includes more protected categories such as health records, genetic information, racial or ethnic background, political or religious beliefs, sexual orientation, and any data related to criminal offenses.

Pseudonymization & encryption

Pseudonymization and encryption are methods used to protect personal data by transforming it so that it cannot be linked to a specific individual without additional information.

• Pseudonymization replaces identifiable details with pseudonyms, making the data less identifiable without supplemental information.
• Encryption involves converting sensitive data into an unreadable format that can only be decoded with a decryption key. GDPR requires organizations to use encryption to protect personal data, ensuring it remains secure and unreadable to unauthorized parties.

Important Provisions Given to EEA Citizens

One of the core objectives of GDPR is to give individuals (data subjects) greater control over their personal data.

GDPR grants several rights that empower data subjects to manage how their data is collected, used, and stored. For businesses, it’s crucial to understand and respect these rights, as failure to comply can lead to significant penalties.

Below are the key data rights outlined under GDPR:

Right to access

Data subjects have the right to access the personal data that an organization holds about them. This includes being informed about how their data is processed, the purposes of processing, and whether it has been shared with third parties.

Organizations must provide a copy of the data, free of charge, within one month of the request.

Right to rectification

Individuals have the right to request the correction of any inaccurate or incomplete personal data. If the data held is outdated, incorrect, or incomplete, the organization must rectify it promptly. This ensures the accuracy and reliability of the information being processed.

Right to erasure (right to be forgotten)

Under certain conditions, data subjects can request the deletion of their personal data. This is commonly known as the “right to be forgotten.”

An individual can ask for their data to be erased if:

• The data is no longer necessary for the purpose it was collected.
• They withdraw consent, and no other legal basis for processing exists.
• The data was unlawfully processed.
• The individual objects to the processing, and there are no overriding legitimate grounds.

However, the right to erasure is not absolute. Organizations may retain data if it’s needed for legal compliance, public interest, or the defense of legal claims.

Right to restriction of processing

Data subjects have the right to request that their personal data be temporarily restricted from processing under certain conditions.

This can happen if:

• The accuracy of the data is contested, allowing time for verification.
• The processing is unlawful, but the data subject opposes erasure and instead requests restriction.
• The organization no longer needs the data, but the subject requires it for legal claims.

During the restriction period, organizations can store the data but cannot process it further unless the data subject consents or there are overriding legal grounds.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data across different services.

They can request a copy of their data in a commonly used, machine-readable format (such as CSV) and transfer it to another service provider without interference.

This right applies when data is processed based on consent or a contract and when the processing is carried out by automated means.

Right to object

Data subjects can object to the processing of their personal data at any time for specific reasons:

• Direct marketing. Subjects have the absolute right to object to their data being used for direct marketing purposes. Once an objection is raised, organizations must stop using their data for this purpose.
• Legitimate interests or public tasks. If the data is processed based on legitimate interests or a public task, subjects can object if they believe their rights and freedoms outweigh the organization’s interests. Organizations must demonstrate compelling reasons to continue processing in such cases.

GDPR Compliance Checklist

Document all the data your organization collects and processes

One of the critical steps in GDPR compliance is maintaining comprehensive records of the personal data your organization collects, processes, and stores.

This practice, often referred to as data mapping, is essential not only for legal compliance, but also for understanding how data flows within your organization.

GDPR requires organizations to document these activities, especially for companies with 250 or more employees or those engaged in high-risk data processing. Even smaller organizations benefit from maintaining these records to demonstrate their accountability and preparedness for audits.

Here are the key elements to document:

• Types of personal data collected — Begin by identifying all the categories of personal data your organization collects. This includes names, email addresses, financial information, IP addresses, register social media data, and any other information that could identify an individual. Also, include sensitive data such as health records, racial or ethnic details, and biometric data, if applicable.
• Purpose of data collection — For each type of data, clearly document why it is being collected. GDPR emphasizes purpose limitation, meaning data must only be collected for specific, legitimate purposes. For instance, data could be gathered for processing payments, managing customer relationships, or fulfilling legal requirements.
• Legal basis for processing — GDPR mandates that all personal data processing must have a legal basis. Your documentation should state which legal grounds apply for each processing activity. This could include obtaining consent, fulfilling a contract, complying with a legal obligation, or pursuing a legitimate interest.
• Data sources — Record where the personal data comes from. It may be collected directly from the individual (e.g., via web forms or customer registration) or indirectly through third parties (e.g., data brokers, marketing firms, or partner companies). Knowing the source of data is essential for ensuring its accuracy and legality.
• Third-party data sharing — If your organization shares data with third-party processors (e.g., cloud storage providers, email marketing platforms), it’s essential to document who those third parties are, the type of data shared, and the purpose for sharing. Ensure that data processing agreements are in place with all third-party processors to ensure they comply with GDPR.
• Retention periods — GDPR requires organizations to define how long personal data will be stored. Document the retention periods for each type of data, ensuring it aligns with the purpose for which it was collected. Once the data is no longer needed, it should be securely deleted or anonymized.
• Security measures in place — Outline the technical and organizational measures your organization uses to protect personal data. This can include encryption, access controls, and data minimization techniques. Properly documenting these safeguards is important for demonstrating regulatory compliance, especially in the event of a data breach.

Appoint a Data Protection Officer (DPO) if necessary

Under GDPR, organizations that engage in large-scale monitoring of individuals or process large volumes of sensitive personal data must appoint a Data Protection Officer (DPO).

The DPO’s responsibility is to ensure your company follows GDPR requirements and advises management on data protection issues. If your business doesn’t require a DPO, you should still assign someone within your organization to oversee GDPR compliance.

Responsibilities of a DPO include:

• Monitoring GDPR compliance within the organization
• Providing advice on data protection impact assessments (DPIAs)
• Acting as a point of contact for data subjects and supervisory authorities
• Maintaining records of data processing activities

Review and update data processing policies

Your data processing policies should clearly outline how personal data is handled in compliance with GDPR. This includes ensuring that your organization processes data lawfully, transparently, and for a specific purpose.

Data should only be kept as long as necessary and deleted securely once it is no longer needed.

Factors to consider when updating your data processing policies:

• Lawful basis for processing — Establish a legal basis for processing personal data, such as consent, contract necessity, or legitimate interest.
• Purpose limitation — Data must be collected for specified, legitimate purposes and not used beyond those purposes.
• Data minimization — Only collect the data necessary for the specified purpose.

Create a GDPR register

A crucial part of GDPR compliance is maintaining a GDPR Register (often referred to as a Record of Processing Activities or ROPA). This register acts as a detailed log of all personal data processing activities within your organization, demonstrating accountability and transparency as required by the GDPR.

The GDPR Register serves multiple purposes, including documenting your compliance efforts, supporting GDPR audits, and helping identify potential areas of risk. It’s essential for organizations with 250 or more employees or those involved in high-risk data processing activities, but it is recommended for businesses of all sizes to maintain one.

Obtain and Document Consent Properly

Consent under GDPR must be freely given, specific, informed, and unambiguous. This means businesses can’t rely on pre-ticked boxes or vague consent forms. You should ensure that subjects are fully aware of what they’re consenting to and that they can easily withdraw their consent at any time.

Here are some best practices for GDPR-compliant consent:

• Use clear and straightforward language
• Keep consent requests separate from other terms and conditions
• Offer easy options for subjects to withdraw consent at any time
• Include a double opt-in for email subscriptions and marketing communications

Implement the right security measures

GDPR requires organizations to implement adequate security measures to protect personal data. This includes both technical measures (e.g., encryption, firewalls) and organizational policies (e.g., employee training). Regularly testing your security systems is also part of maintaining GDPR compliance.

Make sure to:

• Use encryption for data both at rest and in transit
• Implement strong access control systems (e.g., multi-factor authentication and user roles)
• Ensure regular updates and patch management for all software
• Conduct regular security audits and vulnerability assessments

Perform data protection impact assessments (DPIA)

Whenever you introduce a new data processing activity that could pose a high risk to individuals’ privacy, conducting a Data Protection Impact Assessment (DPIA) is required.

DPIAs help identify and mitigate risks associated with the handling of personal data.

Situations in which a DPIA is required include:

• Large-scale processing of sensitive personal data
• Systematic monitoring of public areas (e.g., CCTV)
• Use of new technologies that might impact privacy

DPIAs should outline the nature of the processing, assess potential risks, and detail the measures your company plans to take to mitigate these risks.

Establish breach notification procedures

Under GDPR, you must notify the relevant supervisory authority of any data breach that risks individuals’ rights and freedoms within 72 hours of becoming aware of it. This notification must include important details about the breach, such as the type of personal data involved, the number of individuals impacted, and the likely consequences for those individuals.

In case the breach poses a high risk to the subjects affected, you must also notify them directly so that they can take protective actions if necessary.

Additionally, you should describe the measures taken or plans to implement to address the breach and prevent further harm. These measures might include security improvements, mitigation plans, or steps to minimize risks to the affected subjects.

Train employees on GDPR compliance

Your employees play a critical role in ensuring GDPR compliance. All staff members who handle personal data should be trained on GDPR requirements and best practices for data protection. Regular training and updates will help prevent accidental breaches and reinforce the importance of compliance.

Key training topics include:

• Understanding GDPR and its implications
• Identifying and responding to personal data breaches
• Safeguarding personal data in day-to-day operations
• Handling data subject requests

How Data Archiving Can Help with GDPR Compliance

To meet GDPR requirements, your organization will need to know exactly where private data is stored.

In the majority of companies, such data is scattered across servers and employee mailboxes. Consequently, the first technological step to compliance is to reexamine your current infrastructure. Remember that email, social media and instant messaging exchanges are especially prone to GDPR violations since they are used for sharing personal information and remain the main targets of cyber criminals.

By automating data retention and deletion, archiving ensures personal data is stored only as long as needed and securely deleted when no longer necessary, helping organizations avoid GDPR violations.

Archiving systems also enable quick responses to data subject access requests (SARs) through ediscovery and enhance security through encryption and access controls, reducing the risk of data breaches.

Combined with a well-executed data governance strategy, archiving supports compliance by securing communications, maintaining audit-ready records, and protecting personal data effectively.

Jatheon’s solutions are fully compliant with GDPR. To learn more about how our advanced archiving and data management tools can help your organization meet GDPR requirements, schedule a demo.

Summary of the Main Points

• GDPR is a comprehensive data privacy law that applies to any organization handling the personal data of EU/EEA residents, regardless of location.
• Organizations must process personal data legally, for specific purposes, and ensure accuracy, data minimization, and security.
• GDPR grants rights like access, rectification, erasure, and data portability to individuals.
• To stay compliant, organizations must document data collection, processing, legal bases, and security measures in a GDPR Register.
• Proper consent practices and robust security measures, such as encryption and regular audits, are critical for compliance.
• Archiving helps manage online communications, automate data retention, and securely handle data access requests, reducing GDPR risks.

FAQ

Who does the GDPR apply to?

GDPR applies to any organization that processes the personal data of EEA residents, regardless of where the company is located. This includes businesses offering goods or services to the EEA or monitoring the behavior of EEA citizens.

What is a GDPR audit?

A GDPR audit is a comprehensive assessment of an organization’s data protection practices, focusing on ensuring that personal data is handled in compliance with GDPR requirements.

What security measures are required by GDPR?

GDPR requires businesses to implement technical and organizational measures, such as encryption, firewalls, access controls, and employee training, to ensure personal data is secure.

How long can I keep personal data according to GDPR?

Under GDPR, you can keep personal data only for as long as necessary to fulfill the purpose for which it was collected. Once that purpose is achieved, the data must be securely deleted or anonymized. Retention periods should be clearly defined based on the data’s intended use.

About the Author

Bojana Krstic

Bojana Krstic is the Head of Content and SEO at Jatheon and an experienced writer on topics like data archiving, ediscovery, and compliance. When AFK, you’ll find her hiking, discovering new music, or road-tripping.