The GDPR Compliance Checklist

Achieving GDPR Compliance shouldn't feel like a struggle. This is a basic checklist you can use to harden your GDPR compliancy.

if your organisation is determining the purpose of the storage or processing of personal information, it is considered a controller . If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor . It is possible for your organisation to have both roles. Use the filter below to view only the relevant checklist items for your organisation.

This list is far from a legal exhaustive document, it merely tries to help you overcome the struggle.



Feel free to contribute directly on GitHub!

Select your role: Data Controller: I determine why data is processed

Data Processor: I store or process data for someone else

Data Subject: My data is being stored or processed

Data Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it Data Processor Data Controller This is a list of the actual types (columns) of information being held (eg Name, social security nr, address,..). For each type, a source should be documented, the parties this information is shared with, the purpose of the information and the duration for which the company will keep this information.



Reference: GDPR Article 30 – Records of processing activities GDPR Data Map Template

Your company has a list of places where it keeps personal information and the ways data flows between them Data Processor Data Controller This could be a list of databases (eg Mysql), but it could also include offline datastores (paper).



Reference: GDPR Article 30 – Records of processing activities

Your company has a publicly accessible privacy policy that outlines all processes related to personal data. Data Processor Data Controller You should include information about all processes related to the handling of personal information. This document should include (or have links to) the types of personal information the company holds, and where it holds them.



Reference: GDPR Article 30 – Records of processing activities

Your privacy policy should include a lawful basis to explain why the company needs to process personal information Data Controller It should contain a reason for data processing, eg the fulfillment of a contract.



Reference: GDPR Article 6 – Lawfulness of processing



Follow-up You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to. Data Controller You should follow up on best practies and changes to the policies in your local environment. Sign up at the bottom of this page to receive major updates to this list.



Reference: GDPR Article 25 – Data protection by design and by default GDPR Tracker - Track hosting centers, DPAs & infrastructure partners from cloud services & subprocessors



User Rights Right to receive transparent information, communication and modalities for the exercise of your rights. Data Subject The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by you, the information may be provided orally, provided that your identity is proven by other means.



Reference: GDPR Article 12

Right to receive specific information when your personal data are collected from you directly. Data Subject This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party. 5) The recipients or categories of recipients of the personal data, if any. 6) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.



Reference: GDPR Article 13

Right to receive specific information when your personal data are not collected from you directly. Data Subject This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) The categories of personal data concerned. 5) The recipients or categories of recipients of the personal data, if any. 6)Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.



Reference: GDPR Article 14

Right of access: You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access to your personal data. Data Subject You also have to right to access the following information: 1) The purposes of the processing. 2) The categories of personal data concerned. 3) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. 4) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. 5) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. 6) The right to lodge a complaint with a supervisory authority. 7) Where the personal data are not collected from the data subject, any available information as to their source. 8) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.



Reference: GDPR Article 15

Right to rectification: You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data. Data Subject Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.



Reference: GDPR Article 16

Right to erasure: You have the right to obtain from the controller the erasure of your personal data without undue delay. Data Subject The controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies: 1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. 2) The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing. 3) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). 4) The personal data have been unlawfully processed. 5) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. 6) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).



Reference: GDPR Article 17

Right to restriction of processing: You have the right to obtain from the controller restriction of processing. Data Subject This right applies in the following situations: 1) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. 2) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. 3) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. 4) The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.



Reference: GDPR Article 18

Right to be notified regarding rectification or erasure of your personal data or restriction of processing: The controller shall communicate any rectification or erasure of your personal data or restriction of processing. Data Subject This right is carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you requests it.



Reference: GDPR Article 19

Right to portability: You have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which your personal data have been provided. Data Subject This processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means.



Reference: GDPR Article 20

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Data Subject The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.



Reference: GDPR Article 21

Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Data Subject This does not applies if the decision: 1) is necessary for entering into, or performance of, a contract between the data subject and a data controller. 2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. 3) is based on the data subject’s explicit consent.



Reference: GDPR Article 22



Stay up to date with major changes in the list. Sign up for updates