12-Step GDPR Compliance Checklist
Pritesh Vora
Sep 19, 2024
Applications used in daily life collect large amounts of data through embedded trackers. This data could potentially be used in a cyber attack, leading to a violation of data privacy. According to Salesforce, 60% of their customers felt they had no control over how their personal data is used.
The European Union established the General Data Protection Regulation (GDPR) on May 25, 2018, to modernize data privacy and security laws for EU citizens. Both cloud-hosted companies (processors) and their customers (data controllers) are mandated to comply with GDPR to improve their customer’s and organization’s security.
If you, a growing cloud-hosted company, are wondering if the GDPR applies to you, we have compiled a GDPR compliance checklist to help you understand what you need to do.
TL;DR
Complying with GDPR protects individuals’ data in the European region. It limits the processing of data for companies.
The GDPR checklist includes raising awareness, keeping records, reviewing GDPR requirements, updating existing consent, assigning a DPO, etc.
Being GDPR compliant includes adopting the checklist and conducting a GDPR audit either manually or through a compliance automation platform.
Who does GDPR apply to?
GDPR applies to any organization that collects and processes data and information of citizens in the European Union, regardless of whether the company is situated in the region or not.
Chapter 4 (Articles 24-43) of the GDPR regulation defines customers as the data controllers. It states that they have the right to determine how their data is to be handled. The same chapter describes the organizations as processors and states that they have to abide by these rights and the further regulations provided by the GDPR.
Why Should You Comply With the GDPR?
The GDPR is a rigorous set of rules instituted by the European Commission that protects the data privacy and security of EU citizens. It gives them greater control over their personal data and limits how companies can use and store the data.
Cloud-hosted companies that process personal data from EU citizens are “in scope” of the GDPR. Even companies located outside the EU must be compliant if they have EU customers. GDPR also oversees the transfer of personal data outside the EU.
Violation of the GDPR attracts heavy penalties ranging between €10 million and €20 million or 4% of your cloud-hosted company’s annual global turnover. You’re liable to be investigated by EU regulators and face potential lawsuits.
Penalties aside, in light of increasing public concerns around the use and storage of personal data, you don’t want to tarnish your company’s reputation. By complying with GDPR, you project your cloud-hosted company as trustworthy and professional. You also reduce the chances of data breaches by putting in place systems and processes for secure data processing.
If you’ve just discovered that you need to comply with the GDPR and aren’t sure how to go about it, don’t worry. We have an exhaustive GDPR requirements checklist to guide you through the process of becoming compliant.
GDPR Compliance Checklist (12 Steps to Follow)
The GDPR conveys that data processors should follow lawful basis and transparency while handling data, ensure data security practices, assign accountability and governance, and uphold the privacy rights of individuals.
A GDPR checklist should keep in mind such practices and define processes and controls that serve as clear guidelines for any organization that collects data. Adherence to it will allow businesses to understand their compliance status and what they can do to improve on it.
If you’re looking for an actionable GDPR audit checklist, we suggest you download your free copy below. Alternatively, you can read on to understand how you can prepare and align your company with GDPR requirements.
Here is a 12-step GDPR checklist for 2025:
1. Raise awareness
Compliance with GDPR is not limited to top management or the DPO.
You need to take a holistic approach to compliance work by involving all your employees. Raise awareness about data protection and security to inculcate a sense of responsibility.
- Start by identifying areas that could cause non-compliance with GDPR, for example by reviewing your company’s risk register.
- Provide physical security to devices that employees carry and the office.
- Control employee access to data to restrict the number of exit points.
Inquire whether your third-party suppliers and subcontractors are GDPR-compliant. If they’re not, you are not compliant either. Either request them to work towards becoming compliant or change your business partners.
You should also have data processing agreements (and not just verbal or written confirmation) with third-party suppliers to be fully compliant.
2. Keep a record of data processing flows
You have to know how your customers’ data flows in and out of your cloud-hosted company. By creating such records for every piece of data, you can align with GDPR’s accountability principle that requires companies to be able to show the steps they’re following to comply with the data protection principles.
Record the following pieces of information:
- What are the departments in your company?
- What type of personal data is recorded in each department?
- How does each department process personal data?
- In each department, who is responsible for processing the data?
Compile the information in a coherent document and regularly update it to stay current with your data handling practices.
If you have shared incorrect personal data with another company, you must notify that company so that it can correct its records.
3. Review current privacy notices
The GDPR mandates that additional information be given to individuals about their personal data. Previously, you had to inform people about your identity and how you intend to use the data.
Now, you must update the content of your privacy policy in simple and unambiguous language to include the following:
- How are you gathering the personal data?
- Why are you gathering the personal data (lawful basis)?
- What do you intend to use the personal data for?
- How long will you hold the personal data?
- What are the rights of your users? (They can file a complaint with the ICO if they’re not happy with your data handling.)
Also, create a detailed cookie policy that gives information on which cookies are active on your website and what their purpose is. Use automated cookie tools to conduct audits and generate declarations so that your cookie policy is always current.
4. Check the rights of individuals
Review your privacy and/or data protection procedures and policies to ensure that they address individuals’ rights as required by the GDPR. This includes information on how you will delete personal data and if you’re able to provide the data electronically in a commonly used format and free of charge.
Under the GDPR, individuals have enhanced rights to:
- access their information
- have mistakes corrected
- take their data with them (data portability)
- have personal data deleted
- prevent direct marketing
- prevent automated decision-making and profiling
For example, if a person asks for their personal data to be deleted, determine how your company would react. Do your systems allow you to locate and delete the data? Who will make data-related decisions?
5. Review and update procedures for submitting requests
Review and update your current procedures so that you can handle subject access requests (SARs) efficiently within the required timescales.
Develop a plan for how you will handle requests in light of the new rules:
- In most situations, you will not be able to charge a fee for complying with a request.
- You must comply with SARs within one month instead of the previously allowed timescale of 40 days.
- You can refuse a request you deem to be excessive or evidently baseless.
- If you refuse a request, you must explain to the individual why and also inform them that they have the right to complain to the supervisory authority and pursue legal action. You must also do this without undue delay and within one month.
Consider whether your company can handle a large number of SARs within the required timescales, especially if you’re a large entity. Can you provide additional information such as data retention periods and rectification of inaccuracies within your current systems?
Some practical steps you can take:
- Create GDPR-compliant response letters to ensure that SARs are addressed properly.
- Update SAR policies and procedures to include the enhanced rights of individuals, new timescales, and the removal of the fee to comply with requests.
- Establish technical procedures to process personal data quickly and in the required format.
- Create new policies to quickly correct inaccuracies in data and a procedure to stop processing where applicable.
6. Identify, record, and explain the legitimate basis
Review your cloud-hosted company’s data processing activities and identify the lawful basis for it. Document it and update your privacy notice to reflect the change clearly. You will also need to explain your lawful basis when responding to SARs.
Identifying your lawful basis for processing data is important under the GDPR because some individuals’ rights will be modified depending on what it is. For example, if you identify your lawful basis as consent, people will have a stronger right to have their data deleted.
7. Update existing consent
Just like the cookie policy, the GDPR requires cloud-hosted companies to update their cookie consent banners in plain, easy-to-understand text that is concise and specific.
It should have an opt-out button for people who do not want to give their consent. Automated cookie software can create customized user consents for you.
Review any other methods for obtaining consent and seek fresh consent if your existing ones are not GDPR-compliant.
8. Protect children’s data
Consider whether you need to put systems in place to verify the age of individuals and obtain the consent of parents/guardians when processing children’s data.
The GDPR has introduced special protection for vulnerable data subjects, especially children, in the context of commercial internet services like social networking.
If your cloud-hosted company provides “information society services” to children which requires consent for personal data collection, you must obtain the consent of a parent or guardian. This consent must be verifiable and communicated in child-friendly language.
Children under 16 years of age (under 13 years in the United Kingdom) require such consent from a person with “parental responsibility.”
9. Detect, report, and investigate data breaches
Put the correct procedures in place to detect, report, and investigate a personal data breach. Conduct a GDPR assessment to determine the types of data you’re holding and document which ones will trigger a notification in case of a breach.
The GDPR mandates that all cloud-hosted companies report certain types of data breaches to the ICO and, in some situations, to the affected individuals.
This applies, for example, when the breach is likely to result in a risk to the rights and freedoms of individuals, such as financial loss, damage to reputation, loss of confidentiality, or discrimination.
You’re required to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If there’s a high risk to the rights and freedoms of individuals, they should also be informed without undue delay.
10. Adopt a privacy and data-protection mindset
Cloud-hosted companies should adopt “privacy by design.”
- Carry out a Data Protection Impact Assessment (DPIA) in high-risk situations, such as when a profiling exercise can impact users or when a new technology is deployed.
- Use pseudonymization or anonymization to protect personal data, as the GDPR recommends these methods.
- Delete data that you no longer use or need, to reduce the volume of data that needs protection. Also delete obsolete data in your backups.
- Ensure that your data centers are located in areas with high data security, such as the US or Europe.
- Implement IT measures like two-factor authentication for employees and TLS/SSL certificates.
- Encrypt the passwords to your systems and secure the devices that employees bring to work.
- Conduct vulnerability scans on devices, systems, and networks regularly to identify potential security loopholes.
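As an added example that is not part of the original post (and not Sprinto’s code), the following Python shows the difference between the two techniques named in the list: pseudonymizing direct identifiers with a keyed hash whose key is held apart from the data, versus anonymizing by dropping them. The record, its field names and the key are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample record; the fields and values are illustrative only.
SAMPLE_RECORD = {
    "customer_id": "cust-1042",
    "email": "alice@example.com",
    "ip": "203.0.113.57",
    "plan": "pro",
}

# Fields that identify a person directly (assumed for this example).
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The same key maps the same value to the same token, so records stay
    linkable for analytics. Whoever holds the key can re-identify the person,
    which is why the GDPR still treats the output as personal data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            digest = hmac.new(key, out[field].encode(), hashlib.sha256).hexdigest()
            out[field] = f"pseudo:{digest[:16]}"
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and truncate an IPv4 address to its /24 network.

    Nothing here is reversible, with or without a key."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "ip" in out:
        out["ip"] = str(ipaddress.ip_network(f"{out['ip']}/24", strict=False))
    return out


def matches_original(record: dict, pseudonymised: dict, key: bytes) -> bool:
    """Re-identification check: only the key holder can recompute the tokens."""
    return pseudonymise(record, key) == pseudonymised


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a KMS/HSM, never beside the data
    print(pseudonymise(SAMPLE_RECORD, key))
    print(anonymise(SAMPLE_RECORD))
    print(matches_original(SAMPLE_RECORD, pseudonymise(SAMPLE_RECORD, key), key))
```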
11. Assign a Data Protection Officer (DPO)
Identify and designate a Data Protection Officer (DPO) who will take responsibility for data protection compliance. Determine where this role will fit in your organizational structure and governance arrangements. Consider if you’re required to formally appoint a DPO.
Under the GDPR, you must designate a DPO in the following cases:
- You are a public authority
- Your company performs periodic and systematic monitoring of large amounts of data
- You carry out the processing of special categories of data, like health records or data about criminal convictions, on a large scale
The Article 29 Working Party guides companies on the designation, position, and tasks of the DPO.
The second and third cases apply to most cloud-hosted companies because personal data processing and data monitoring are central activities for them. Thus, they must appoint a DPO (internal or external consultant) to be GDPR-compliant.
An internally-appointed DPO may need some training to understand the GDPR and the responsibilities of the role.
12. Choose your lead authority
If your cloud-hosted company operates in more than one EU member state, or if you have a single EU establishment that carries out processing affecting EU citizens in other member states, you should choose a lead data protection supervisory authority and document it. Refer to the guidelines of the Article 29 Working Party.
You can determine your “main establishment” by mapping where your company makes its most significant decisions about its data processing activities. The supervisory authority at this establishment will be the lead authority.
Companies located outside the EU have to comply with GDPR requirements if they offer services to EU citizens or they monitor behavior that takes place inside the European Union.
How do you get GDPR certified?
A GDPR certification shows that you are compliant with data protection principles to the EDPB (European Data Protection Board) and your customers. It can be obtained from accreditation bodies like EuroPrise, TRUSTe, ISO 27001 ISMS, and Cyber Essentials, with the EDPB set to offer certification in the future.
To get the certification, you must first adhere to the checklist given above and then conduct the GDPR audit. This can be done either manually or through a compliance automation platform so that the process does not take months.
Such a platform will allow you to monitor the controls regarding GDPR and fill in criteria gaps wherever you’re lacking. Once the overall dashboard shows that you are compliant with GDPR, you can get a GDPR-certified body to grant you the certification.
Sprinto is a GRC platform that can help you achieve GDPR compliance by automating and streamlining the whole process. It maps controls to all the GDPR requirements, lets you monitor them in real time, and alerts security teams when they fail. This makes the process of getting the audit done easier.
Conclusion
The GDPR is considered to be one of the most stringent privacy and security legislations in the world. The full text of the legislation is unwieldy, spanning a massive 99 Articles across 88 pages. Let us make it easier for you to understand with the help of our data protection compliance checklist.
You must comply with GDPR requirements if your cloud-hosted company operates in Europe or markets to European customers. Non-compliance attracts heavy penalties to the tune of millions of euros and a loss of trust and reputation.
After you ensure that you have all the requirements in the above checklist, you can get an audit done to ensure compliance. This can be easily enabled with Sprinto. By opting for GDPR in the platform, you can get the framework-specific health report that will help the auditor gain important insight into your controls. The dashboard can be directly used by the auditor while evidence gets collected automatically.
GDPR Compliance Checklist FAQs
What is considered personal data under the EU GDPR?
According to the GDPR, personal data is any information related to an identifiable person. It can be a name, ID number, location data, or unique characteristics. This can even include IP addresses, physical attributes, job, or political opinions.
What are the four key components of GDPR?
The four key components of GDPR are:
- Lawful basis and transparency
- Data security
- Accountability and governance
- Privacy rights
What are the 7 principles of GDPR?
The seven principles of GDPR are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What are the goals of GDPR?
GDPR, with its new data governance law, aims to focus on data governance, data management, and data transparency.