5 Step GDPR Compliance Checklist For All Businesses


Your business must comply with the General Data Protection Regulation (GDPR) if you own a website or app that collects personal information from visitors, and if your services are available to people in the European Union (EU) or European Economic Area (EEA).

Violating the GDPR, even by mistake, can lead to massive fines of up to 4% of your gross annual income and other forms of sanction.

To help you set your website or app up for full GDPR compliance and avoid costly fines, I’ve created an easy-to-follow GDPR checklist to guide you through the entire regulation.

Table of Contents
  1. GDPR Checklist
  2. More Info on the GDPR
  3. Tips for Complying With the GDPR
  4. Penalties for Not Complying
  5. How Termly Helps Your Business Comply With the GDPR
  6. Summary

GDPR Checklist

Here’s a simple GDPR checklist to help your website or app meet all data privacy requirements outlined by this regulation.

Part 1 – Start Here: GDPR Checklist for Businesses

Solution: Audit your business for GDPR requirements

  • Perform a privacy audit

    • Perform a website or app scan and audit to determine each type of personal information you collect from visitors and where the data collection occurs.
    • Inconsistencies or inaccuracies, even by mistake, can lead to fines for non-compliance.
  • Determine your legal basis for data processing

    • The GDPR outlines 6 legal bases in Chapter 2, Article 6, so pick a valid reason for each category of personal data you collect.
    • *I outlined the steps for using consent as a legal basis below.
    • You’re required by law to have a legal basis for processing each type of personal data.
    Source: Chapter 2, Article 6
  • Determine if you’re a data controller or data processor

    • Data controller — Any person or entity that determines the purposes and means for the processing of personal data, either alone or jointly with others.
    • Data processor — Any person or entity that processes personal data on behalf of a data controller.
    • *Please note that your company may act as both a controller and processor in different scenarios.
    Source: Chapter 1, Article 4 (definitions of the regulation’s terms)

Data controllers and data processors must follow slightly different guidelines, which we highlight for you further in this checklist.

TIP: Processing data means the collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or otherwise making available the information.

If Consent Is Your Legal Basis, You Must Follow These Steps

Solution: Use a Consent Management Platform that allows you to…

  • Obtain informed, explicit opt-in consent

    • Use a consent banner and avoid pre-checked boxes, which are not GDPR-compliant. Put a link to your privacy policy and cookie policy on the banner and prompt visitors to read both agreements.
    Source: Chapter 2, Article 7
  • Make the consent request clearly distinguishable and easy to understand

    • When consent is given via a written declaration, present the request in a way that is separate from other matters, is easily accessible, and uses clear, plain language.
    Source: Chapter 2, Article 7, Section 2
  • Provide a way for consumers to withdraw consent

    • Provide them with a consent preference center and ensure that withdrawing or opting out of consent is as easy as giving it.
    Source: Chapter 2, Article 7, Section 3
  • Maintain a consent log for your users

    • To prove your users provided explicit opt-in consent, keep a log of their consent preferences for as long as you use their personal information but no longer than necessary.
    Source: Chapter 2, Article 7, Section 1

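
As an added illustration of the four consent steps above (example code, not Termly’s), here is a minimal append-only consent log in Python: it records explicit opt-ins per purpose with no pre-checked default, makes withdrawal a single call of the same shape as opting in, keeps the history as evidence, and purges withdrawn histories once a retention period has passed. The user ids, purposes, policy versions and the rule that consent given under an older policy version counts as stale are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass(frozen=True)
class ConsentEvent:
    """One immutable, append-only entry: the log doubles as evidence of consent."""
    user_id: str
    purpose: str           # e.g. "analytics_cookies" or "marketing_email"
    granted: bool          # True = explicit opt-in, False = withdrawal
    policy_version: str    # privacy/cookie policy version the user was shown
    source: str            # where it happened, e.g. "cookie_banner"
    recorded_at: datetime  # UTC timestamp

class ConsentLog:
    def __init__(self) -> None:
        # Empty means no consent: nothing is pre-checked or assumed by default.
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, user_id: str, purpose: str, policy_version: str,
                      source: str, at: Optional[datetime] = None) -> None:
        self._events.append(ConsentEvent(user_id, purpose, True, policy_version,
                                         source, at or datetime.now(timezone.utc)))

    def withdraw(self, user_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        # Same single call as opting in: withdrawing must be as easy as giving consent.
        self._events.append(ConsentEvent(user_id, purpose, False, "", "preference_center",
                                         at or datetime.now(timezone.utc)))

    def evidence(self, user_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one user and purpose, to prove opt-in on request."""
        return [e for e in self._events if e.user_id == user_id and e.purpose == purpose]

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        hist = self.evidence(user_id, purpose)
        return hist[-1] if hist else None

    def is_consented(self, user_id: str, purpose: str, current_policy: str) -> bool:
        # Assumption of this example: consent given under an older policy version is stale.
        e = self.latest(user_id, purpose)
        return e is not None and e.granted and e.policy_version == current_policy

    def purge_withdrawn(self, retention: timedelta, now: datetime) -> int:
        """Storage limitation: drop histories withdrawn over `retention` ago; keep active ones."""
        def expired(e: ConsentEvent) -> bool:
            last = self.latest(e.user_id, e.purpose)
            return not last.granted and now - last.recorded_at > retention
        before = len(self._events)
        self._events = [e for e in self._events if not expired(e)]
        return before - len(self._events)

def demo_scenario() -> dict:
    """Constructed walk-through of the steps above; returns the checks it made."""
    log, t0 = ConsentLog(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    out = {"before_opt_in": log.is_consented("u1", "analytics_cookies", "v2")}
    log.record_opt_in("u1", "analytics_cookies", "v2", "cookie_banner", at=t0)
    out["after_opt_in"] = log.is_consented("u1", "analytics_cookies", "v2")
    log.withdraw("u1", "analytics_cookies", at=t0 + timedelta(days=1))
    out["after_withdraw"] = log.is_consented("u1", "analytics_cookies", "v2")
    out["evidence_entries"] = len(log.evidence("u1", "analytics_cookies"))
    log.record_opt_in("u2", "marketing_email", "v2", "signup_form", at=t0)
    out["purged"] = log.purge_withdrawn(timedelta(days=30), now=t0 + timedelta(days=60))
    out["u2_still_consented"] = log.is_consented("u2", "marketing_email", "v2")
    return out
```
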
Part 2 – What You MUST Explain to Data Subjects

Solution: Create a GDPR-Compliant privacy policy, and include…

Source: Chapter 3, Article 13 and Article 15
  • How you collect data

    • Inform consumers HOW you’re collecting their data.
    • This can include the use of internet cookies or other trackers, or having them fill out digital forms, like when they create a new account.
    Source: Chapter 3, Article 15
  • Why you collect data

    • Inform consumers WHY you’re collecting each category of personal data.
    • This is the legal basis you determined for the data processing.
    Source: Chapter 3, Article 15, Part (a)
  • Who you share data with

    • Inform consumers WHO you share their personal data with.
    • This includes any third-party data processors you rely on, and any other external entities you partner with that also collect personal information from your consumers.
    Source: Chapter 3, Article 15, Part (c)
  • How long you’ll store the data for

    • State the exact timeframe or, when that’s not possible, explain your process for determining the timeframe.
    • Legally, you can only store the data for as long as necessary to perform the original purpose of the data collection, subject to any other laws that may require the data to be held for longer periods.
    Source: Chapter 3, Article 15, Part (d)
  • How to request rectification, data erasures, and objections

    • Inform users how they can act on their right to correct or erase data you collect about them and how they can restrict or object to the processing of their personal data, for example by using a DSAR form.
    Source: Chapter 3, Article 15, Part (e)
  • Explain your consumers’ right to lodge complaints

    • Clearly express in your privacy policy that consumers can lodge a complaint about your practices with a supervisory authority.
    Source: Chapter 3, Article 15, Part (f)
  • Explain when the data isn’t collected from the individual

    • State the source the data was obtained from, e.g., social media pages, public posts, or other external sources.
    Source: Chapter 3, Article 15, Part (g)
  • Explain if you use automated decision-making

    • Explain the logic involved, as well as the significance and the envisaged consequences of the automated decision-making, including profiling, in those instances.
    Source: Chapter 3, Article 15, Part (h)

Part 3 – Accountability and Third-Party Contracts

Solution: Use a Data Processing Agreement (DPA) that requires the data processor to…

  • Only process the data on documented instructions from the controller unless otherwise required by Member State law.
    Source: Chapter 4, Article 28, Section 3, Part (a)
  • Ensure that staff accessing your data are committed to confidentiality, or are statutorily obligated to commit to confidentiality.
    Source: Chapter 4, Article 28, Section 3, Part (b)
  • Take all security measures outlined in Article 32 of the text.
    Source: Chapter 4, Article 28, Section 3, Part (c)
  • Only engage other processors with your written authorization, and under the same contractual obligations.
    Source: Chapter 4, Article 28, Section 3, Part (d)
  • Assist you, the controller, by taking technical measures to fulfill and respond to requests from data subjects to act on their rights.
    Source: Chapter 4, Article 28, Section 3, Part (e)
  • Assist you (the controller) in your compliance with security processing guidelines outlined in Article 32 and prior consultation requirements written in Article 36.
    Source: Chapter 4, Article 28, Section 3, Part (f)
  • Delete or return all personal data to you (the controller) after the contract term ends.
    Source: Chapter 4, Article 28, Section 3, Part (g)
  • Make available to you (the controller) all information necessary to demonstrate GDPR compliance as outlined in steps 1 through 6, including allowing audits or inspections conducted by you or an auditor of your choosing.
    Source: Chapter 4, Article 28, Section 3, Part (h)

If YOU are a data processor, ensure the data controller creates a compliant DPA for you to sign.

Part 4 – Data Security and Storage Requirements

Solution: Implement technical and organizational security measures.

  • Considering the risk level of the data, the controller and processor must implement appropriate technical and organizational measures to ensure personal data is securely stored, like:

    • Pseudonymization and encryption of data*
    • Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services*
    • Provide the ability to restore the availability and access to data promptly in the event of an incident*
    • A process of testing, assessing, and evaluating the effectiveness of the technical and organizational measures*
    • *These are the suggested security measures from the text of the GDPR.
    Source: Chapter 4, Article 32
  • Perform a Data Protection Impact Assessment (DPIA) as outlined in Article 35 and seek advice from an appointed Data Protection Officer (DPO)

    • If the DPIA determines processing the data is a high risk, consult a supervisory authority as outlined in Article 36 before the processing.
    Source: Chapter 4, Article 35 and Article 36

Part 5 – International Data Transfers

Solution: Implement appropriate data transfer safeguards

  • If you, as the controller or processor, transfer data to a third country or international organization:

    • Ensure they have appropriate safeguards (including contractual protections) in place and will make available effective legal remedies and ways for data subjects to enforce their rights.
    Source: Chapter 5, Article 46

The rest of this guide goes into more depth about different requirements of the GDPR and how Termly’s solutions can help you easily and affordably achieve full compliance.

More Info on the GDPR

Below are answers to the questions I hear most often about the GDPR and its global impact.

What Is the GDPR in Simple Terms?

The GDPR is a European Union or EU regulation that also covers the European Economic Area (EEA). It outlines data protection guidelines, consumer rights, and business requirements for collecting and using personal information.

This legislation gives users more control over how and when their data gets collected by websites or apps operating online.

It came into force on May 25th, 2018, and is built around the following seven privacy principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

What Is the Scope of the GDPR?

The GDPR has a global scope because it applies to any entity that collects personal information and has visitors from the EU or EEA.

Other data privacy laws, like the amended California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), have monetary thresholds in place or apply only to businesses that collect specific amounts of data. This is not the case with the GDPR.

Your business can be located anywhere in the world, but if you have visitors from the EU or EEA and collect their data, you must provide them with a way to follow through on their privacy rights or risk receiving fines for non-compliance.

There are 27 EU Member States:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

The additional countries under the EEA that the GDPR also protects include:

  • Iceland
  • Liechtenstein
  • Norway

What Qualifies as Personal Data Under the GDPR?

Because you must inform consumers about what personal information (PI) you’re collecting, it’s important you know exactly how the GDPR defines personal information.

The GDPR describes personal data in Chapter 1, Article 4 as:

…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…

Any information that can identify an individual, either on its own or when combined with other collected data, is considered PI under this regulation, including:

  • Names
  • Addresses
  • Phone number
  • Email addresses
  • IP addresses
  • Location
  • Biometric data
  • Political, religious, or philosophical beliefs
  • Sexual orientation
  • Trade union membership
  • Race or ethnic origin
  • Medical data

The regulation purposefully uses a broad definition so it can adapt and account for any technological advancements or changes.

Data Processors and Data Controllers According to the GDPR

The GDPR describes different obligations depending on whether your business qualifies as a data controller or a data processor. It’s possible to act as both.

A controller, defined in Chapter 1, Article 4, means any entity that, alone or with others, determines the purposes for and how personal information is processed. So if your business collects data and uses it for marketing and research, you qualify as the controller.

Any of the following entities can be a data controller:

  • Natural or legal person
  • Public authority
  • Agency
  • Any other body

A processor, on the other hand, means the body that actually processes the information and is also defined in Article 4. It can include any of the same entities listed above.

Processing under the regulation means collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, or making available user personal data.

If you perform any of those actions on behalf of an entity, you qualify as their data processor.

International Data Transfers and the GDPR

The GDPR provides guidelines and restrictions for transferring data outside of the EU to third-party countries.

Some countries are considered “adequate”, and transferring to those locations is legal without prior authorization, including:

  • Andorra
  • Argentina
  • Canada
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • South Korea
  • Switzerland
  • The UK
  • Uruguay

When transferring to a country not considered “adequate”, you must ensure that the processor follows all GDPR requirements as written in Chapter 5, Articles 44 to 50 of the regulation, or risk receiving fines for noncompliance.

This may require you to put additional clauses in your contracts with third parties.

Tips for Complying With the GDPR

To comply with the GDPR, we recommend the following tips for your website or app:

Penalties for Not Complying

There are major consequences to not following the GDPR, and they can impact your business even if the violation is an accident.

Penalties outlined in Article 83 include fines of up to €10 million (around $12 million) or up to 2% of your annual global turnover of the previous year, whichever is higher, if you:

  • Fail to meet contractual obligations between data controllers and processors
  • Infringe upon the certification obligations for ensuring the security of the personal data collected and shared between data controllers and processors
  • Fail to meet the guidelines of the independent, non-biased monitoring body for issuing and renewing certification

See a screenshot highlighting this portion of the regulation below.

[Screenshot: Article 83, penalties and fines]

But if you commit any of the following infringements, you risk fines of up to €12 million (around $22 million) or up to 4% of your annual global turnover of the previous year, whichever is higher:

  • Fail to meet the basic principles for processing data, including conditions for consent
  • Infringe upon the rights of data subjects
  • Fail to meet international data transfer requirements
  • Don’t comply with obligations outlined by specific Member State laws
  • Don’t comply with an order or temporary limitation on data processing as directed by a competent supervisory authority

Below, see another screenshot of Article 83 outlining these higher fines.

[Screenshot: Article 83, higher-tier fines]

You may also be directed to cease processing personal data, or face other instructions from the relevant supervisory authority.

On top of these punishments, you also risk facing public scrutiny and losing the trust of your consumers. Internet users today know that companies who receive GDPR fines weren’t appropriately protecting or collecting their personal information.

How Termly Helps Your Business Comply With the GDPR

You can use a combination of Termly products to help your business easily and affordably comply with the GDPR.

Policy Generators and Templates

When filled out accordingly, our Privacy Policy Generator or privacy policy template can help you meet all business obligations regarding the consumer privacy rights outlined in Chapter 3, Articles 12 – 23 of the GDPR.

Privacy Policy Generator

According to this regulation, it’s your responsibility as the data controller to take appropriate measures to inform users about your data collection practices. Our tools allow you to create a privacy policy that fulfills these requirements — we highlighted relevant sections of the regulation below.

[Screenshot: Articles 12 to 23, Privacy Policy Generator]

With our Privacy Policy Generator, you simply answer straightforward questions about your business, and it automatically creates the document for you.

The entire process is quick and there’s a save feature if you want to pause and come back to finish it later on. Our customer support team is also around if you ever have questions.

See an example of the GDPR portion of our Privacy Policy Generator in the screenshot below.

[Screenshot: GDPR portion of the Termly Privacy Policy Generator]

Privacy Policy Template

Using our free template is still easy but takes more effort as you manually fill in blank sections with details about your business and must ensure the information is accurate and complete. This requires a little more legal knowledge.

See what our GDPR-compatible privacy policy template looks like below.

[Screenshot: Termly GDPR-compatible privacy policy template]

Whatever you choose, both tools help with compliance. Our legal team and data privacy experts work on all of our policy generators and templates to ensure they meet privacy laws like the GDPR, the amended CCPA, and more.

Consent Management Platform

You can easily configure our Consent Management Platform (CMP) to meet all legal consent requirements and guidelines outlined by Articles 6 and 7 of the GDPR.

According to the text, obtaining active, explicit user consent is one of the legal bases for collecting and using personal information, as highlighted below.

[Screenshot: Articles 6 and 7, Consent Management Platform]

You can use our GDPR-compliant consent banner to provide your users with a privacy policy and cookie policy — keeping them adequately informed — and to request legal opt-in consent.

Below, see a screenshot of the GDPR-related settings in our CMP tools.

[Screenshot: GDPR-related settings in the Termly CMP tools]

Since cookies and other trackers qualify as personal information under this regulation, our Cookie Scanner checks your site, categorizes the cookies, and generates a compliant and accurate cookie policy that updates whenever another scan occurs.

Your users can update their consent preferences easily and at any time within a preference center, and we’ll store logs of their consent choices following Article 7 of the regulation.

Data Subject Access Request (DSAR or SAR) Forms

We provide compliant Data Subject Access Request forms, or DSAR or SAR forms, to help you meet the GDPR obligations surrounding users’ rights to access personal information collected about them outlined in Article 15.

To access the DSAR form, use our Consent Management Platform. Or, sign up as a Pro+ member and gain access to this along with the rest of our comprehensive suite of solutions.

Summary

To set your website or app up for full GDPR compliance, you’ll need a:

  • Privacy policy
  • Cookie policy
  • EULA (for software)
  • Consent banner
  • Consent management platform
  • DSAR forms
  • DPA

You can make these documents on your own, or simplify the process by checking out Termly’s suite of GDPR-compliant website solutions.


Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations in complying with their obligations under the GDPR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology.
