GDPR | eIDAS Requirements and Roadmap

GDPR Checklist

These are high-level items that are required or recommended before rolling out in the E.U. or in other areas where GDPR applies.
Last edited 182 days ago by Jamie Heindl

Principles:

Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitations
Integrity and confidentiality
Accountability

Resources:


Useful Resource:

Trust Service Providers:

Checklist:

Columns: Item | Notes | Required | Expected | Suggested | Needs Review | Implemented

1. Legal and Regulatory Compliance

   2. Record of Processing Activities (ROPA) documentation (data mapping and other processes for the website, product, resource centers, etc.)
      Notes: Should cover all activities from the time the data is acquired through deletion: which categories of data are processed, the legal basis, how, why and where data is transferred, and the retention policies.

   3. Data Protection Impact Assessment (DPIA)

   4. Data Retention Policy

   5. International Data Transfer (Standard Contractual Clauses, Binding Corporate Rules, etc.)

   6. Security Audit Protocols Plan

   7. Data Breach Response Plan

   8. Develop and Implement Cybersecurity Policy
      Notes: is the authority on this. This is very important considering the remote work environment.

   9. Employee Training and Awareness Documentation and Plan

   10. Establish confidentiality and access-privilege protocols (need-to-know access rights to housed data)

11. Data Privacy and Security (Website and Product)

   12. GDPR Compliant Privacy Policy

   13. Cookie Declaration

   14. Explicit Consent for data collection on web and product

   15. Data Portability Process

   16. Cybersecurity threat analysis

17. Organizational and Staffing

   18. Appoint a Data Protection Officer
       Notes: Contingent on several factors - I believe if we intend on doing things as basic as marketing retargeting or tracking product behaviors we will fall into the "required" category. This needs to be vetted by someone who understands the finer details of this requirement.

   19. Legal Advisor (Regional)
       Notes: This person could also be the DPO.

   20. Requirements for local staffing?

22. Technology and Infrastructure

   23. Consent Management and Cookie Banner
       Notes: Website and Product

   24. Method to notify and require acceptance of changes to policies, cookies, etc.
       Notes: Website and Product

   25. Data Center Locations

   26. TLS Certificate (or SSL, but TLS likely preferred)

   27. Right to be Forgotten Implementation

   28. Data Erasure Request Process (Support stations and Product)

   29. User Data Encryption in transit and at rest
       Notes: See Art. 32 GDPR, Security of Processing.

   30. Establish ongoing testing schedules for security, processes, services and systems

   31. Simple Electronic Signature

   32. Advanced Electronic Signature (AdES)
       Notes: (See Detailed Requirements Here.) An AdES is uniquely linked to and capable of identifying the signatory; created in a way that allows the signatory to retain control; and linked to the document in a way that any subsequent change of the data is detectable. The most commonly used technology able to provide these features is a public-key infrastructure (PKI), which involves certificates and cryptographic keys.

   33. Qualified Electronic Signature (QES)
       Notes: (See Detailed Requirements Here.) Created by a qualified signature creation device, and based on a qualified certificate for electronic signatures.

35. Contractual and Partner Management

   36. Data Processing Agreements (as applicable) (PSPDFKit, FreshDesk/Sales, Sendgrid, etc.)

38. Risk Management and Insurance

   39. Data Breach Protocols

   40. Security Audit Protocols

42. Marketing and Customer Relations

   43. Data Subject Request Handling
       Notes: Product and Web

45. Financial Planning and Management

   46. Establish Bank Accounts