10 Step Checklist for complying with GDPR
Are you prepared for the GDPR to come into effect?
Step 1: Know the steps
Make sure that decision-makers and key staff know about GDPR and understand its implications.
Step 2: Know how to check if there’s a breach
Organisations certified to ISO/IEC 27001 should already have incident management procedures in place; otherwise, check that you have a working means of detecting, investigating and reporting personal data breaches. Under the GDPR a breach that is likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, so the procedure needs to produce an assessment and a notification decision within that window.
Step 3: Check your privacy policy
Review and update the organisation’s data privacy policy to align it with GDPR.
Step 4: Stay on the right side of rights
Check your procedures to make sure they uphold the rights of the individuals whose data you hold, such as the right of access to their data and the right to have their data erased.
Step 5: Make sure you respond in time
Check and, if necessary, update your procedures so that you can turn data subject requests around within the new one-month requirement. The period can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension, and the reasons for it, within the first month.
Step 6: Demonstrate compliance
Identify the lawful basis of your processing activity, document it and update your privacy notice accordingly.
Step 7: Manage consent correctly
Check how you ask for, record and manage consent to use personal data. Consent must be freely given, specific, informed and unambiguous, so existing consents that do not meet this standard (for example, pre-ticked boxes or consent bundled into terms and conditions) need to be refreshed or replaced with another lawful basis.
Step 8: Know what data you’ve got
Review and document all the personal information you hold, including its source (how you obtained it), why you hold it and who it is shared with.
Step 9: Confirm who’s in charge
Designate or confirm who’s responsible for data protection compliance and make sure they have the authority to be effective.
Step 10: Understand the international context
If you carry out cross-border data processing in more than one EU state, identify your lead supervisory authority. It is the authority for the country of your main establishment, that is, where the decisions about the purposes and means of your processing are actually taken.
An ISO/IEC 27001 certificate demonstrates your commitment to managing and protecting your information and assets proactively, and provides evidence to support compliance with legal requirements. It does not by itself make you GDPR compliant: the steps above still need to be carried out and documented.