10 Step Checklist: GDPR Compliance Guide for 2022 | UpGuard (2022)

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world, yet few organizations are completely compliant with its statutes.

Complacency is dangerous territory. Non-compliant entities could be fined up to £18 million or 4% of annual global turnover (whichever is greater).

This post clearly outlines the standards set by the GDPR and provides a checklist to help organizations remain compliant.

What is the General Data Protection Regulation (GDPR)

The GDPR is a product of the European Union’s audacious data protection reform. The strict privacy standards were put into effect on May 25, 2018. This cybersecurity framework aims to protect the personal data of all people in the European Union.

The GDPR updates the 1950 European Convention on Human Rights to make it relevant for the digital age. Article 8 of the convention states that everyone has the right to respect private family life.

In the analog era that birthed the convention, the boundaries between public and private life were bold and easily identified. Today, they’re ambiguous and blurred. Without a clear and enforced standard like the GDPR, customers can never be confident that their private data, and therefore their private life, is being respected.

What is Considered Personal Data Under the EU GDPR?

According to Article 4 of the GDPR, personal data is defined as any information that relates to an identified or identifiable natural person. In other words, personal data is any data that is linked to the identity of a living person.

This doesn’t only include direct associations, such as financial information and addresses, but also indirect links such as evaluations relating to the behavior patterns of a person.

The definition of personal data is also format-agnostic, so it could include images, video, audio, numerals, and words.

Inaccurate information relating to data subjects is still considered personal data because this information is linked to an identity. If, however, the information is associated with a fictional entity, it’s not considered personal data. For example, if you refer to a fictional character residing in a fictional location, that is not considered personal data.

Who Does the GDPR Apply to?

The GDPR impacts any organization that offers goods and services to people in the EU, this includes entities that are not located in the EU. If you run a business online, you can never know for certain whether the people you transact with are located in the EU. For this reason, all online businesses should be GDPR compliant as a protective measure at the very least.

Personal data is funneled into two categories - to those that control the data and those that process the data.

Data Controllers

The GDPR defines a controller as any individual, public authority, agency, or another body that determines the purpose and means of processing personal data. Controllers decide how personal data is processed.

For example, a music school uses a digital screen to notify parents in the waiting room when each teacher is ready. The screen displays the name of each child and the room number of their music lesson.

The music school is classified as the “controller” of personal data since it decides how the notification system should process all of the data.

Data Processors

The GDPR defines any individual, public authority, agency, or another body that processes personal data on behalf of a controller. Because processors are carrying out the data processing rules set by a controller, they’re not making decisions about how personal data is handled.

(Video) GDPR Compliance 2020 Summary - 10 Steps in 10 Minutes to Avoid Fines

For example, a software company hires a marketer for an upcoming email campaign. The marketer is supplied with the names and email addresses of all leads so that personalized cold email can be sent to each one.

The software company is classified as the controller of personal data since it determines how the data should be handled. The marketer is classified as the “processor” since they’re carrying out the software company’s data processing instructions.

Even though processes are just following controller instructions, they are still expected to be GDPR compliant alongside processes because they’re handling personal data.

10 Step Checklist to be GDPR Compliant

The following checklist will help businesses assess their current GDPR compliance status and also reform poor data handling practices to become more compliant.

1. Know all of the data you are collecting

If you don’t know how personal data flows through your internal systems, you don’t know how it is controlled. Here’s a simple 7 category framework for mapping all data sources with an example of an ebook download process:


  • Ebook download form

Data collected

  • Full name.
  • Email address.
  • Business name

Reason for data collection

  • Creating sales leads

How is collected data processed?

  • Stored in the Mailchimp database.
  • Accessed by internal email marketers.

When is the data disposed of?

  • All unsubscribed leads are manually deleted from Mailchimp every 30 days.

Do you have consent to collect this data?

  • Yes, the ebook download form included a message saying that all entries are added to the email list.

Does the collected data include sensitive information?

  • Yes, full names and associated email addresses.

This filtration protocol should be applied to all internal data until you can confidently map the lifecycle of all data feeds.

Because the GDPR is focused on sensitive data protection it’s important to identify all instances of it and to classify each record by level of sensitivity.

The higher the sensitivity of data, the easier it is to identify and compromise an individual. Personally Identifiable Information (PII) is considered very sensitive and should be defended with the highest level of cybersecurity.

Are IP addresses classified as personal data?

IP addresses are classified as personal data if they can be linked to the identity of a person. For example, if a user’s IP address is collected alongside their email address, that would be considered personal data because the identity of the person is linked to their email address.

All personal data of people in the EU is strictly subject to GDPR compliance. If you're not sure if the IP addresses you collect are classified as personal data, refer to the supervisory authority in your EU state.

2. Appoint a Data Protection Officer (DPO)

Article 37 of the GDPR states that both controllers and processes need to appoint a Data Protection Officer (DPO) to oversee the data protection strategy. Note that even processes are expected to have a data protection strategy even though they’re just following data handling instructions set by processors.

According to the GDPR, an organization must appoint a DPO if any of the following conditions are met:

  • If data is processed by a public authority
  • If collected data undergoes systematic monitoring
  • If collected data is processed at a large scale

Unfortunately, the GDPR doesn’t define how large “large scale” is. Because of this ambiguity, many organizations are opting to appoint DPOs just to be safe.

Organizations should appoint DPOs where their data processing operations are centralized, even if it’s located outside the EU. If an organization is located in the EU, a DPO should be stationed in the member state of the company’s headquarters.

Ideally, the DPO should speak the same languages as the GDPR regulators in that state. This will help organizations understand, and therefore comply with, the GDPR nuances of that state.

(Video) Marketing Compliance Checklist for 2022 | #Marketing #GDPR #Advertising

Article 39 of the GDPR says that a DPO should be capable of completing the following duties:

  • Confidently advising both controllers and processes of best GDPR compliance practices
  • Monitoring data handling to ensure GDPR compliance
  • Provide accurate advice about data protection impact assessments
  • Act as the primary point of contact for all data processing inquiries
  • Act as the primary point of contact between the company and GDPR regulators
  • Have a clear understanding of all the potential risks associated with different processing operations

To effectively carry out these responsibilities, a DPO should possess expert knowledge of GDPR laws and best practices.

To support the efforts of DPOs, organizations should adopt an attack surface monitoring solution to identify vulnerabilities that could be exposing processed data.

3. Create a GDPR diary

A GDPR diary, or a Data Register, is a comprehensive record of how an organization is practicing GDPR compliance. This would need to be created after identifying all of your data sources (point 1 in this list).

A GDPR diary should map the flow of data through your organization, the more details that can be included the better. In the event of an audit, the GDPR diary will serve as proof of compliance.

If your organization suffers a data breach in the process of instituting a compliance framework, the GDPR diary can be used as proof of progress towards improved data security.

A third-party attack surface monitoring solution helps organizations identify and remediate all data breach vulnerabilities in their vendor network.

The early implementation of such a solution demonstrates an organization's dedication to protect customer data.

4. Evaluate your data collection requirements

To be GDPR compliant, you should only be collecting data that you absolutely need. Accumulating sensitive data without a compelling reason will signal alarm bells for the supervisory authority monitoring your compliance.

All data requirements should be scrutinized through a Privacy Impact Assessment IPIA) and a Data Protection Impact Assessment (DPIA). These impact assessments are mandatory when the data collected is highly sensitive.

The classification of “sensitivity” is at times subjective. To avoid confusion, here are some instances that would require the completion of a DPIA.

  • When your organization is utilizing new technology
  • If you’re tracking the location of individuals
  • If you’re tracking the behaviour of individuals
  • If your data is associated with children
  • If you’re using data for automated decisions that could have legal consequences
  • If you’re monitoring publicly accessible areas
  • If you’re processing personal data such as:
  • Religious views
  • Ethnic origins and identities
  • Political opinions
  • Memberships
  • Genetic data
  • Biometric data
  • Philosophical beliefs
  • Health records
  • Sexual orientations

Data Protection Impact Assessment (DPIA) template

The Information Commissioner's Office for the UK has created a DPIA template that can be used as a guide for data protection assessments.

This template provides a deeper context into the activities that require a DPIA to help you decide whether your particular processing activity requires an assessment.

5. Instantly report data breaches

Immediate data breach notification is a mandatory GDPR requirement. According to article 33 of the GDPR, both controllers and processors need to report data breaches within 72 hours.

The hierarchical reporting structure is as follows:

(Video) Is Your Website GDPR Ready? Follow this 7-step Checklist

Processors need to report data breaches to controllers, and controllers need to report to a supervisory authority.

A supervisory authority, also known as a Data Protection Association or DPA, is responsible for monitoring and enforcing GDPR compliance. They are also the primary contact for all GDPR inquiries for an organization.

Supervisor authorities are usually located in the EU state an organization is based. The GDPR empowers DPAs to impose non-compliance fines on both controllers and processors.

6. Be transparent about data collection motives

Your customers need to be aware of all the data you’re collecting about them. Clandestine data collection will only lead to a hefty non-compliance fine.

Data collection acknowledgment needs to be clearly displayed at every data collection point - before any data is collected.

Here are some common website locations that display data collection notifications:

Website forms

Website forms should clearly state how all collected data will be used. Avoid complex phrasing or the use of jargon, your messaging should be clear and concise.

Pre-ticked consent boxes are not permitted. Individuals need to always be aware that they’re consenting to data collection.

10 Step Checklist: GDPR Compliance Guide for 2022 | UpGuard (1)

Cookie collection notices

The GDPR classifies cookies that identify users as personal data collectors, as a result, they need to be regulated. Organizations can still use cookie data provided that they meet the following GDPR requirements:

  • Users must give clear consent to the use of cookies BEFORE any are used.
  • Organizations must clearly specify how cookie data will be used.
  • All user consents must be documented and stored.
  • Website access should not be impeded if cookie use consent is not provided.
  • Users should have the ability to seamlessly withdraw cookie use consent..

Here’s an example of a cookie notice that specifies how cookie data will be used. This notice allows users to be in complete control of the specific cookie data they are willing to relinquish.

10 Step Checklist: GDPR Compliance Guide for 2022 | UpGuard (2)

7. Verify the age of all users consenting to data processing

The GDPR only permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from individuals younger than that, consent must be given by the holder of parental responsibility for the child.

If there's a chance that EU citizens under the age of 16 will be engaging with your website, you must incorporate an age verification process to verify the age of users before collecting any data.

If personal data processing of underaged users is required, a separate parental consent process is required.

(Video) GDPR Compliance Checklist and AML Regulations - 1 to 1 With Cristina Vannini Goodchild

8. Include a double opt-in for all new email list sign-ups

To confidently acknowledge that all of your subscribers have consented to sign up to your email list, you should include a double opt-in process for all new sign-ups.

When double opt-in is enabled, a person is not added to an email list until they confirm their consent twice. The first consent happens when the signup form is completed, and the second consent occurs when a user clicks the confirmation link in the email that’s automatically sent to them after filling out the form.

The GDPR does not explicitly state that a double opt-in process is mandatory but it is highly recommended. By implementing a double opt-in for all new email sign-ups, you’re further verifying that users are consenting to relinquish their data, which demonstrates your dedication to the data protection standards set by the GDPR.

9. Keep your Privacy Policy updated

Your Privacy Policy must be readily accessible on your website and always up-to-date. Whenever an update is made, all of your customers need to be notified of any changes in an email.

A Privacy Policy should clearly outline all of the data that is collected and how it will be used. Legal advice is recommended to create an accurate data Privacy Policy that is GDPR compliant.

For example, take a look at the Privacy Policy on the GDPR website

10. Regularly assess all third-party risks

The GDPR expects organizations to be continuously aware of all security risks and to have remediation efforts in place for each of them.

To effectively meet these requirements, organizations should implement a security scoring and risk assessment solution - ideally GDPR specific risk assessments.

VendorRisk by UpGuard represents the security risk of each vendor with a security score. This empowers organizations to instantly identify and remediate all of the security vulnerabilities of each vendor.

VendorRisk also includes a comprehensive library of risk assessments, including a GDPR standard security questionnaire, to ensure all third-parties remain compliant.

The key to a secure ecosystem is to consistently monitor for vulnerabilities and immediately remediate them. If your organization doesn’t have the necessary expertise or resources for such a dedicated effort, world-class CyberResearch analysts can manage the complete scope of your vendor security on your behalf.

UpGuard Helps Businesses Remain GDPR Compliant

UpGuard helps businesses maintain GDPRcompliance by identifying and addressing specific security vulnerabilities impacting the regulation.

UpGuard also empowers businesses to track third-party compliance against popular regulations by mapping risk assessment responses to security controls. This identifies any compliance gaps placing third-party at a heightened risk of regulatory fines and data breaches.

Click here to try UpGuard for free for 7 days.


10 Step Checklist: GDPR Compliance Guide for 2022 | UpGuard? ›

10 Step Checklist to be GDPR Compliant
  • Know all of the data you are collecting. ...
  • Appoint a Data Protection Officer (DPO) ...
  • Create a GDPR diary. ...
  • Evaluate your data collection requirements. ...
  • Instantly report data breaches. ...
  • Be transparent about data collection motives. ...
  • Verify the age of all users consenting to data processing.
Jul 19, 2022

What are the checklists for GDPR compliance? ›

GDPR compliance checklist
  • Hire a data protection officer (DPO) ...
  • Data privacy design & assessment. ...
  • Data governance. ...
  • Get consent for data collection, retention & erasure. ...
  • Compliance, auditing & record keeping. ...
  • Data breach obligations.
Mar 14, 2019

What are the 12 steps of GDPR? ›

ICO's 12 Steps for GDPR Compliance
  • Promote Awareness. ...
  • Appoint a DPO. ...
  • Carry out an Audit. ...
  • Keep records. ...
  • Review and Amend. ...
  • Update Privacy Notices. ...
  • Make withdrawing consent easy too. ...
  • Review data protection policies.
Aug 5, 2020

What is a data protection checklist? ›

The checklist includes: appointing someone senior to oversee the process, reviewing existing information and cyber security, mapping your data, reviewing contracts with clients, suppliers (anyone who processes your data) and employees, drafting data protection policies and procedures, and training staff.

What are the 7 principles of GDPR? ›

The UK GDPR sets out seven key principles:
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.

How do you monitor GDPR compliance? ›

One of the easiest ways to demonstrate GDPR compliance is to conduct a regular data protection impact assessment (DPIA). A DPIA helps you: Identify the possible impact of your processing activities on data subjects. Assess whether your company is complying with the GDPR.

WHO recommended the 12 tips ensuring GDPR compliance? ›

A document is released by the Information Commissioner's Office recommending 12 steps which should be taken to comply with GDPR compliance.

What is protected by GDPR? ›

What is GDPR? The GDPR is a legal standard that protects the personal data of European Union (EU) citizens and affects any organization that stores or processes their personal data, even if it does not have a business presence in the EU.

What is global data protection regulation? ›

The General Data Protection Regulation (GDPR) is legislation that updated and unified data privacy laws across the European Union (EU). GDPR was approved by the European Parliament on April 14, 2016 and went into effect on May 25, 2018. GDPR replaces the EU Data Protection Directive of 1995.

How do you comply with GDPR at work? ›

Five ways to stay GDPR compliant when working from home
  1. Only use approved technology. The best thing to keep information secure is to stick with approved devices to access work-related documents and emails. ...
  2. Training. ...
  3. Take care with print outs. ...
  4. Avoid downloads. ...
  5. Communicate securely.
Jan 14, 2021

What are my responsibilities under GDPR? ›

It is your responsibility to inform us of any changes to your personal data, or personal data that you pass to us to process on your behalf, so that we can ensure your personal data is kept up to date.

How do you ensure compliance with data protection? ›

GDPR tips: How to comply with the General Data Protection...
  1. Understanding GDPR. ...
  2. Identify and document the data you hold. ...
  3. Review current data governance practices. ...
  4. Check consent procedures. ...
  5. Assign data protection leads. ...
  6. Establish procedures for reporting breaches.
Dec 7, 2018

How do you conduct a GDPR review? ›

12 Steps to Prepare for GDPR Compliance
  1. Step 1: Raise awareness. ...
  2. Step 2: Keep a record of data processing flows. ...
  3. Step 3: Review current privacy notices. ...
  4. Step 4: Check your rights for individuals. ...
  5. Step 5: Review and update procedures for submitting requests. ...
  6. Step 6: Identify, record, and explain the legitimate basis.

What are three measures employees should take to support organizational compliance with the GDPR? ›

3 GDPR Compliance Steps Explained
  • Prepare for Employees to Obtain Copies of Data. EU employees have the right under the GDPR to know what data companies have about them and make copies of the data. ...
  • Be transparent. Transparency means more than just notices on websites about GDPR for the public. ...
  • Be accountable.
May 15, 2018

What is GDPR assessment? ›

In the scope of the General Data Protection Regulation (GDPR) and other data laws a data protection impact assessment or DPIA helps organizations to assess what will/might be the impact of (new) personal data processing activities from the perspective of data protection, privacy and most of all the risks regarding the ...

Is there a GDPR compliance certificate? ›

GDPR certification is a new feature of GDPR law that allows people or entities to receive certification from approved certification bodies to show both the EU and consumers that they are in compliance with GDPR. Certification is scalable and can be different for organizations of differing sizes and types.


1. GDPR compliance in Email Marketing [Step-by-step Checklist] | Email Marketing Course (14/63)
2. Best GDPR Apps for Shopify 2022
( Shopify Masterclass )
3. What are the 7 principles of GDPR?
(Privacy Kitchen)
4. GDPR compliance in Fed4FIRE+
5. Actionable Steps to Achieve GDPR Compliance
(VISTA InfoSec)
6. #data #gdpr #privacy Free GDPR Compliance Overview -- Becoming GDPR Compliant
(Yasmine Lupin)

You might also like

Latest Posts

Article information

Author: Rubie Ullrich

Last Updated: 08/16/2022

Views: 5900

Rating: 4.1 / 5 (72 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Rubie Ullrich

Birthday: 1998-02-02

Address: 743 Stoltenberg Center, Genovevaville, NJ 59925-3119

Phone: +2202978377583

Job: Administration Engineer

Hobby: Surfing, Sailing, Listening to music, Web surfing, Kitesurfing, Geocaching, Backpacking

Introduction: My name is Rubie Ullrich, I am a enthusiastic, perfect, tender, vivacious, talented, famous, delightful person who loves writing and wants to share my knowledge and understanding with you.