GDPR compliance Checklist Step-by-Step

GDPR compliance checklist: a step by step roadmap with the main milestones to make your SME or Startup GDPR compliant.

Step 1 – Awareness

Step 1 – Awareness

Employees should be ‘in the know’ It is important that every member of an organisation understands how their role is…

Read more

What does a compliant company look like?

What does a compliant company look like?

Download documents: GDPR presentation, List confirmation, Training policy
Related posts: GDPR presentation

–  A company that is GDPR compliant regularly trains all its staff.

– Appoint the persons responsible: it is important to identify who, within your organisation, is responsible for privacy compliance and who else is involved.

 

Read more

Data Protection Officer

Data Protection Officer

Download documents: GDPR interactive law, Data Protection Authority , DPO job description
Related posts: GDPR interactive law, DPO job description

The DPO is a position that the vast majority of companies will not need as they are either too small or do not carry out enough processing or profiling.  However, any organisation is able to appoint a DPO.

Read more

Read more

STEP 2 – PREPARATION

STEP 2 – PREPARATION

Download documents: Data inventory map
Related posts: Data inventory map

To be able to act in accordance with the GDPR, you must firstly inventory the personal data processing operations within your organisation. You should know which data is used, by whom and for what purposes.

 

Read more

Security Policy Templates

Security Policy Templates

Download documents: Data Protection Policy Template, Data privacy policy template, Data privacy policy specific for site web, Privacy notice, Privacy by Design and Privacy by Default
Related postsData Protection Policy Template, Data privacy policy, Privacy by Design and Privacy by Default

Under the GDPR you must take “appropriate technical and organisational measures” to secure personal data. What is appropriate depends on the processing risk.

Read more

Stakeholders and consumer’s awareness

Stakeholders and consumer’s awareness

Download documents: Readiness letter, Readiness prove list, GDPR Data Subject Access Request Policy, Data subject Access Request (form)
Related posts: Readiness letter and prove list, GDPR Data Subject Access Request Policy

Update your registration flow to obtain lawful consent and check your processors and data processing agreements.

Furthermore data subjects are entitled to withdraw their consent at any time. This must be as simple as giving consent, and before data subjects give their consent, they must be informed of this right. Otherwise consent is invalid.

Read more

STEP 3 – IMPLEMENTATION

STEP 3 – IMPLEMENTATION

Download documents: Consumer’s right under the GDPR , Data subject consent withdrawal form, GDPR roles and responsibilities, DPIA long version template
Related posts: Consumer’s right under the GDPR , Data subject access request policy, DPIA template, GDPR roles and responsibilities

The GDPR gives particular attention to the rights of data subjects: implement tools to respect the new rights of data subjects. A DPIA is an instrument that allows you to inventory a data processing operation before such operation is carried out, so that measures can be taken to reduce those risks.

Read more

When is there a need for a DPIA?

When is there a need for a DPIA?

Download documents: DPIA guide,  DPIA short version, DPIA long version
Related posts: DPIA template

A DPIA is mandatory for (envisaged) data processing operations which, given their nature, context and objective, represent a high risk to privacy.

Read more

Data breach

Data breach

Download documents: Data breach policy, Data breach registerData breach report
Related posts: Data breach

Under the GDPR you may be obliged to report a data breach to the competent authority and/or the data subjects. A data breach refers to the access to or destruction, alteration or release of personal data to an organisation without this being intended. Data breach therefore covers not only the release (breach) of data, but also unlawful processing of data and unintentional destruction.

Read more