
GDPR Checklist

These are all high-level items that are required or recommended to roll out in the E.U. or areas where GDPR is prevalent.
Last edited 716 days ago by Jamie Heindl.

Principles:

Lawfulness, fairness and transparency.
Purpose limitation.
Data minimization.
Accuracy.
Storage limitations.
Integrity and confidentiality.
Accountability.

Resources:


Useful Resource:

Trust Service Providers:

Checklist:

Columns: Item, Notes, Required, Expected, Suggested, Needs Review, Implemented
Legal and Regulatory Compliance

Record of Processing Activities (ROPA) documentation (Data Mapping and other processes for website, product and resource centers, etc.)
    Notes: Should cover all activities from the time the data is acquired through to its deletion, including which categories of data are processed, the legal basis, how, why and where data is transferred, and the retention policies.

Data Protection Impact Assessment (DPIA)

Data Retention Policy

International Data Transfer (Standard Contractual Clauses, Binding Corporate Rules, etc.)

Security Audit Protocols Plan

Data Breach Response Plan

Develop and Implement Cybersecurity Policy
    Notes: is the authority on this. This is very important considering the remote work environment.

Employee Training and Awareness Documentation and Plan

Establish confidentiality and access-privilege protocols (need-to-know access rights to housed data).

Data Privacy and Security (Website and Product)

GDPR Compliant Privacy Policy

Cookie Declaration

Explicit Consent for data collection on web and product

Data Portability Process

Cybersecurity threat analysis

Organizational and Staffing

Appoint a Data Protection Officer
    Notes: Contingent on several factors - I believe if we intend on doing things as basic as marketing retargeting or tracking product behaviors we will fall into the "required" category. This needs to be vetted by someone who understands the finer details of this requirement.

Legal Advisor (Regional)
    Notes: This person could also be the DPO.

Requirements for local staffing?

Technology and Infrastructure

Consent Management and Cookie Banner
    Notes: Website and Product.

Method to notify and require acceptance of changes to policies, cookies, etc.
    Notes: Website and Product.

Data Center Locations

TLS Certificate (or SSL, but TLS likely preferred)

Right to be Forgotten Implementation

Data Erasure Request Process (Support stations and Product)

User Data Encryption in transit and at rest
    Notes: See Art. 32 GDPR, Security of Processing.

Establish ongoing testing schedules for security, processes, services and systems.

Simple Electronic Signature

Advanced Electronic Signature (AdES)
    (See Detailed Requirements Here)
    Notes: Uniquely linked to and capable of identifying the signatory; created in a way that allows the signatory to retain sole control; linked to the signed document in a way that any subsequent change of the data is detectable. The most commonly used technology able to provide these features is a public-key infrastructure (PKI), which involves certificates and cryptographic keys.

Qualified Electronic Signature (QES)
    (See Detailed Requirements Here)
    Notes: Created by a qualified signature creation device, and based on a qualified certificate for electronic signatures.
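To make the three AdES properties above concrete, here is an added Go example (not part of the checklist or any signature product): the signatory-held private key gives control, the subject name bound to the public key stands in for the certificate identity, and a signature over the document's hash makes any later change detectable. The real X.509 certificate and CA chain are omitted; the Subject field is an assumed simplification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds the signatory's private key. In an AdES deployment the key
// sits in a device under the signatory's sole control and the public key is
// bound to their identity by a CA-issued certificate; here the "certificate"
// is reduced to a subject name kept beside the key (assumed simplification).
type Signer struct {
	Subject string
	key     *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the named signatory.
func NewSigner(subject string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Subject: subject, key: key}, nil
}

// Public returns the verification key that the certificate would carry.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign binds the document to the signatory: the signature is over
// SHA-256(document), so any later change to the bytes breaks it.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify returns false when the document was modified after signing or
// when the signature was made under a different key.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, _ := NewSigner("CN=Example Signatory") // constructed sample
	doc := []byte("Data Processing Agreement v1")   // constructed sample
	sig, _ := signer.Sign(doc)
	fmt.Println(signer.Subject, "original verifies:", Verify(signer.Public(), doc, sig))
	tampered := []byte("Data Processing Agreement v2")
	fmt.Println(signer.Subject, "tampered verifies:", Verify(signer.Public(), tampered, sig))
}
```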










Contractual and Partner Management

Data Processing Agreements (as applicable) (PSPDFKit, FreshDesk/Sales, Sendgrid, etc.)

Risk Management and Insurance

Data Breach Protocols

Security Audit Protocols

Marketing and Customer Relations

Data Subject Request Handling
    Notes: Product and Web.

Financial Planning and Management

Establish Bank Accounts