GDPR Compliance Checklist

GDPR Compliance Checklist

Key Points

  • The GDPR is the most stringent data protection and privacy legislation in the world. It is applicable to cloud-hosted companies that provide services to EU citizens, regardless of geographic location. It applies to data movement outside the EU.


A typical day in your life involves a large amount of your personal data being collected, tracked, and harvested. Trackers embedded in the apps you’re using collect location data, your online behavior, what sites interest you, and how much time you’re spending on them.

When data breaches occur at major cloud-hosted companies, there’s no saying where your personal data could end up and for what purposes it’s used. Salesforce has found that 60% of their customers felt that they have no control over how their personal data is used, an increase from 46% in 2019. 

The European Union established the General Data Protection Regulation (GDPR) on May 25, 2018, to modernize data privacy and security laws for EU citizens. 

Both cloud-hosted companies (processors) and their customers (data controllers) are mandated to comply with GDPR. Chapter 4: Controller and Processor contains articles that affect IT and security teams working in cloud environments that process personal data.  

If you, a growing cloud-hosted company, are wondering if the GDPR applies to you, we have put together a GDPR requirements checklist to help you understand what you need to do. 

Why Should You Comply With the GDPR?

The GDPR is a rigorous set of rules instituted by the European Commission that protects the data privacy and security of EU citizens. It gives them greater control over their personal data and limits how companies can use and store the data.

Cloud-hosted companies that process personal data from EU citizens are “in scope” of the GDPR. Even companies located outside the EU must be compliant if they have EU customers. GDPR also oversees the transfer of personal data outside the EU. 

Violation of the GDPR attracts heavy penalties ranging between €10 million and €20 million or 4% of your cloud-hosted company’s annual global turnover. You’re liable to be investigated by EU regulators and face potential lawsuits.

Penalties aside, in light of increasing public concerns around the use and storage of personal data, you don’t want to tarnish your company’s reputation. By complying with GDPR, you project your cloud-hosted company as trustworthy and professional. You also reduce the chances of data breaches by putting in place systems and processes for secure data processing.

If you’ve just discovered that you need to comply with the GDPR and aren’t sure how to go about it, don’t worry. We have an exhaustive GDPR requirements checklist to guide you through the process of becoming compliant.

12 Steps to Prepare for GDPR Compliance

Following are the 12 steps you need to adopt to prepare your cloud-hosted company for GDPR compliance:

Step 1: Raise awareness

Compliance with GDPR is not limited to top management or the DPO. 

You need to take a holistic approach to compliance work by involving all your employees. Raise awareness about data protection and security to inculcate a sense of responsibility.

  • Start by identifying areas that could cause non-compliance with GDPR such as your company’s risk register. 
  • Provide physical security to devices that employees carry and the office.
  • Control employee access to data to restrict the number of exit points.

Inquire whether your third-party suppliers and subcontractors are GDPR-compliant. If they’re not, you are not compliant either. Either request them to work towards becoming compliant or change your business partners.

You should also have data processing agreements (and not just verbal or written confirmation) with third-party suppliers to be fully compliant. 

Step 2: Keep a record of data processing flows

You have to know how your customers’ data flows in and out of your cloud-hosted company. By creating such records for every piece of data, you can align with GDPR’s accountability principle that requires companies to be able to show the steps they’re following to comply with the data protection principles.

Record the following pieces of information:

  • What are the departments in your company?
  • What type of personal data is recorded in each department?
  • How does each department process the personal data?
  • In each department, who is responsible for processing the data?

Compile the information in a coherent document and regularly update it to stay current with your data handling practices. 

If you have shared incorrect personal data with another company, you must notify that company so that it can correct its records. 

Step 3: Review current privacy notices

The GDPR mandates that additional information be given to individuals about their personal data. Previously, you had to inform people about your identity and how you intend to use the data. 

Now, you must update the content of your privacy policy in simple and unambiguous language to include the following:

  • How are you gathering the personal data?
  • Why are you gathering the personal data (lawful basis)?
  • What do you intend to use the personal data for?
  • How long will you hold the personal data?
  • What are the rights of your users? (They can file a complaint with the ICO if they’re not happy with your data handling.)

Also, create a detailed cookie policy that gives information on which cookies are active on your website and what their purpose is. Use automated cookie tools to conduct audits and generate declarations so that your cookie policy is always current. 

Step 4: Check your rights for individuals

Review your privacy and/or data protection procedures and policies to ensure that they address individuals’ rights as required by the GDPR. This includes information on how you will delete personal data and if you’re able to provide the data electronically in a commonly used format and free of charge.

Under the GDPR, individuals will have enhanced rights to:

For example, if a person asks for their personal data to be deleted, determine how your company would react. Do your systems allow you to locate and delete the data? Who will make data-related decisions?

Prepare GDPR

Step 5: Review and update procedures for submitting requests

Review and update your current procedures to handle subject access requests (SAR) efficiently within the required timescales. 

Develop a plan for how you will handle requests in light of the new rules:

  • In most situations, you will not be able to charge a fee for complying with a request.
  • You must comply with SARs within one month instead of the previously allowed timescale of 40 days.
  • You can refuse a request you deem to be excessive or evidently baseless. 
  • If you refuse a request, you must explain to the individual why and also inform them that they have the right to complain to the supervisory authority and pursue legal action. You must also do this without undue delay and within one month.

Consider whether your company can handle a large number of SARs within the required timescales, especially if you’re a large entity. Can you provide additional information such as data retention periods and rectification of inaccuracies within your current systems?

Some practical steps you can take:

  • Create GDPR-compliant response letters to ensure that SARs are addressed properly.
  • Update SAR policies and procedures to include the enhanced rights of individuals, new timescales, and the removal of the fee to comply with requests.
  • Establish technical procedures to process personal data quickly and in the required format. 
  • Create new policies to quickly correct inaccuracies in data and a procedure to stop processing where applicable.

Step 6: Identify, record, and explain the legitimate basis

Review your cloud-hosted company’s data processing activities and identify the lawful basis for it. Document it and update your privacy notice to reflect the change clearly. You will also need to explain your lawful basis when responding to SARs. 

Identifying your lawful basis for processing data is important under the GDPR because some individuals’ rights will be modified depending on what it is. For example, if you identify your lawful basis as consent, people will have a stronger right to have their data deleted.

Just like the cookie policy, the GDPR requires cloud-hosted companies to update their cookie consent banners in plain, easy-to-understand text that is concise and specific. 

It should have an opt-out button for people who do not want to give their consent. Automated cookie software can create customized user consents for you. 

Review any other methods for obtaining consent and seek fresh consent if your existing ones are not GDPR-compliant.

Step 8: Protect children’s data

Consider whether you need to put systems in place to verify the age of individuals and obtain the consent of parents/guardians when processing children’s data.

The GDPR has introduced special protection for vulnerable data subjects, especially children, in the context of commercial internet services like social networking. 

If your cloud-hosted company provides “information society services” to children which requires consent for personal data collection, you must obtain the consent of a parent or guardian. This consent must be verifiable and communicated in child-friendly language. 

Children under 16 years of age (under 13 years in the United Kingdom) require such consent from a person with “parental responsibility.”

Step 9: Detect, report, and investigate data breaches

Put the correct procedures in place to detect, report, and investigate a personal data breach. Conduct a GDPR assessment to determine the types of data you’re holding and document which ones will trigger a notification in case of a breach.

The GDPR has mandated that all cloud-hosted companies have to report certain types of data breaches to the ICO, and in some situations, to the individuals. 

For example, the breach is likely to result in a risk to the rights and freedoms of individuals and may cause financial loss, damage to reputation, loss of confidentiality, or discrimination.

You’re required to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If there’s a high risk to the rights and freedoms of individuals, they should also be informed without undue delay.

Step 10: Adopt a privacy and data-protection mindset

Cloud-hosted companies should adopt “privacy by design.” 

  • Use either pseudonymization or anonymization to encrypt data as these methods are recommended by the GDPR. 
  • Delete data that you’re no longer using or is needed to reduce the volume of data that needs protection. Also, delete obsolete data in your backups.
  • Ensure that your data centers are located in areas with high data security, such as the US or Europe. 
  • Implement IT measures like double authentication for employees and TLS/SSL certificates. 
  • Encrypt the passwords to your systems and secure the devices that employees bring to work. 
  • Conduct vulnerability scans on devices, systems, and networks regularly to identify potential security loopholes.

Step 11: Assign a Data Protection Officer (DPO)

Identify and designate a Data Protection Officer (DPO) who will take responsibility for data protection compliance. Determine where this role will fit in your organizational structure and governance arrangements. Consider if you’re required to formally appoint a DPO. 

Under the GDPR, you must designate a DPO in the following cases:

  1. You are a public authority 
  2. Your company or you perform periodic and systematic monitoring of large amounts of data
  3. You carry out the processing of special categories of data like health records or data about criminal convictions on a large scale. The Article 29 Working Party guides companies on the designation, position, and tasks of the DPO. 

Points (2) and (3) are applicable for most cloud-hosted companies because personal data processing and data monitoring are central activities for them. Thus, they must appoint a DPO (internal/external consultant) to be GDPR-compliant. 

An internally-appointed DPO may need some training to understand the GDPR and the responsibilities of the role. 

Step 12: Choose your lead authority

If your cloud-hosted company operates in more than one EU member state or if you have a single EU establishment that carries out processing that affects EU citizens in other member states, you should choose a lead data protection supervisory authority and document it. Refer to guidelines from Article 29 Working Party. 

You can determine your “main establishment” by mapping where your company makes its most significant decisions about its data processing activities. The supervisory authority at this establishment will be the lead authority.

Companies located outside the EU have to comply with GDPR requirements if they offer services to EU citizens or they monitor behavior that takes place inside the European Union. 

Also read: GDPR audit checklist


The GDPR is considered to be one of the most stringent privacy and security legislations in the world. The full text of the legislation is unwieldy, spanning a massive 99 Articles across 88 pages. Let us make it easier for you to understand with the help of our data protection compliance checklist. 

You must comply with GDPR requirements if your cloud-hosted company operates in Europe or markets to European customers. Non-compliance attracts heavy penalties to the tune of millions of euros and a loss of trust and reputation.

Get your GDPR compliance hassle-free today with Sprinto by automating and streamlining the audit process. 

FAQ: GDPR Compliance

  • How to be GDPR compliant?

Cloud-hosted companies around the world understand that the GDPR affects them regardless of where they’re located if they have an EU customer base. If they do not comply, they face heavy fines, legal costs, and loss of reputation and consequently, business. 

Follow a 12-step GDPR privacy policy checklist to become compliant:

  1. Raise awareness among key decision-makers
  2. Document all policies and procedures around data processing activities
  3. Review and update current privacy policy notices
  4. Review current individuals’ rights 
  5. Analyse procedures for subject access requests (SAR)
  6. Identify, document, and explain the lawful basis for data processing activities
  7. Review and refresh existing consent
  8. Institute special protection for children’s data
  9. Detect, report to the ICO, and investigate personal data breaches
  10. Adopt “data protection by design” and perform DIPAs in high-risk cases
  11. Assign a Data Protection Officer (DPO)
  12. Select a lead data supervisory authority

When managed properly, personal data can create a significant competitive edge. Thus, achieving GDPR compliance ensures you have an advantage over your competitors.

Posted in: