GDPR compliance checklist

GDPR compliance checklist
By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

The General Data Protection Regulation (GDPR) is an important law for protecting the data privacy of European Union residents and giving users more control over how it’s used.

Non-compliance can lead to reputational damage and result in hefty fines depending on the severity of the violation. It can go up to 4% of global revenue or €20 million, whichever is higher.

We’ve prepared a complete GDPR compliance checklist for you to follow in order to prevent the consequences and penalties. This checklist is suitable for all companies to which the GDPR applies, whether you’re processing EU citizen data in the EU or outside of it.

Ensure GDPR compliance on Shopify in one click

Try TinyCookie free

What is GDPR compliance?

GDPR compliance means that an organization meets the requirements of the General Data Protection Regulation (GDPR). Following the requirements ensures a business handles personal user data in accordance with the law.

While the GDPR has many rules and requirements, there are specific standards that are universal for all companies. The essence of GDPR is that it must give users a level of control over their personal data. It must also acknowledge user rights as defined by the regulation and provide the utmost security for the information that is collected.

Importance of GDPR compliance

GDPR compliance helps increase data security, foster customer trust, and prevent the risk of a data breach. Additionally, it gives you a competitive advantage and makes your company look professional. Here are the main reasons why compliance with the GDPR is important for organizations:

  • Legal obligation. The GDPR requires ensuring and respecting the privacy of EU citizens and their data. It’s a legal requirement and can result in large GDPR fines in cases of non-compliance.
  • Prevents data breaches. Complying with GDPR means that you secure the data of your users. This guarantees higher prevention of data breaches which could result in reputational and financial damage.
  • Ensures customer trust. By complying with GDPR, companies ensure they’re transparent with their users, which leads to higher trust for the organization.
  • Prevent penalties. Refusing to comply with the GDPR can lead to warnings or a fine of up to 4% of the business’s total annual turnover or up to €20 million, whichever is higher. In extreme cases, it can lead to a temporary or permanent data ban.

13 step GDPR compliance checklist

Here are the main GDPR compliance requirements that you should implement and check off:

GDPR compliance checklist

Now, let’s take a look at all the requirements in detail.

1. Map out your data

Data mapping is important for understanding how data flows through your organization and what exactly is collected.

Here are the key points to identify to create data flow maps:

  1. Data flow channels. Understand how your data is flowing and where it is collected from, such as newsletter subscriptions or third-party integrations.
  2. Data categories. List all the information that is being collected, from names to IP addresses, and more.
  3. Data storage. Review how you store the information you collect, like a database or hard copy.
  4. Data access. Keep track of who has access to the collected data and don’t forget to review the security practices implemented to protect it.
  5. Data transfers. Document how data travels internally and when in possession of third parties to ensure data is not transferred outside the EU without complying with the GDPR.

When mapping out your data, make sure you also review the lawful basis for processing that you’ve outlined in your privacy policy.

2. Manage consent

Under the GDPR, businesses must ensure that they only collect users' personal data if they acquire explicit consent. This means that websites should use a cookie banner to ensure GDPR cookie consent compliance. Let’s take a look at the main requirements for consent management:

  • Provide data collection information. Details on a cookie banner must be written in a simple-to-understand language and explain what data categories are collected and for what purposes.
  • Include an opt-in button. Companies must provide a consent approval button and refrain from collecting data until the user accepts.
  • Enable consent management. It’s important to give users control over their personal data and allow them to manage specific data categories that they want to consent to or not.
  • Provide a withdrawal option. Users have the right to withdraw consent at any time, so the option to opt out of data collection should always be easily available on the site.
  • Link to the privacy policy. Organizations must make the privacy policy easily accessible so that users can know what they’re consenting to.

Here’s a simple example of how a GDPR-compliant consent banner should look like:

As you can see, it discloses the use of cookies and provides users with a level of control over their data using the “Manage preferences” button. Users can either accept or deny consent in a click of a button, and there’s also a link to the company’s privacy policy.

Add a customizable cookie banner on Shopify

Try TinyCookie free

3. Provide a legitimate basis

Organizations must provide a legal basis for processing user data. According to GDPR Art. 6, there are 6 lawful bases:

Legal basis under the GDPR

  • Explicit consent provided by the data subject
  • To fulfill a contractual obligation if the user is an involved party
  • To comply with a legal obligation
  • To protect the vital interests of a user
  • To carry out a task in the public interest
  • For legitimate organizations or a third party’s interests

Make sure you also update your privacy policy stating the clear legal basis for collecting and processing data.

4. Update your privacy policy

A privacy policy is a legally binding agreement that should always be available on the organization’s website. It must be written in plain and simple language so any user can understand what they’re agreeing to.

Additionally, your privacy policy should be reviewed regularly and updated when needed. It should include information on what specific data is collected, how long, how it will be used, and who it will be shared with.

You can check the official GDPR privacy policy template for specific requirements on what to include.

5. Know data subject rights

The GDPR Art. 33 states 8 rights that data subjects have and companies must comply with. They include:

  • Right to know. You must inform all users about your data collection practices and their purpose. Businesses must also disclose the data categories collected and the data collector.
  • Right to access. Data subjects may request you to provide access to their personal information.
  • Right to limit. If a user believes that the company is using unlawful data handling practices, they may request to limit their personal information collection.
  • Right to delete. In cases of unlawful handling, consent withdrawal, data collection of minors, or due to legal obligation, businesses must delete user data under request.
  • Right to data portability. If users want to receive their personal data to reuse it or transfer it to another controller, then they may request to get it in a machine-readable format.
  • Right to object. When processing is based on legal bases such as the legitimate interest of the company or public interest task performance, users can object to data processing.
  • Right not to be subject to a decision based solely on automated processing. If a decision affects a user, they cannot be subject to it without human intervention.

6. Create a request submission method

To exercise their rights, users must have request submission methods available. It can be verbal or in writing. For example, providing contact details in the privacy policy or creating a page with an online form.

When data subjects request access to their personal data, the GDPR Recital 64 requires organizations to verify their identity for security reasons.

According to research by IAPP, the most popular ways to verify the user’s identity in Europe are photo identification, email, or challenge questions.

How organizations verify data subjects

It’s also important to note that you can’t charge the user for an access request unless you find it excessive or unfounded. Even then, it should be a reasonable fee that isn’t meant for profit but to prevent the user from repeated unnecessary requests.

Organizations must also inform or take action within one month of the request receipt. If the request is complex, the GDPR Art. 12 allows extending it by two months. In such cases, you must inform the data subject about the extension.

7. Evaluate data collection risks

The Data Protection Impact Assessment (DPIA) is a process that helps identify and reduce data protection risks. It’s required by the GDPR Art. 35 for companies that handle sensitive data.

The sensitive data, according to the European Commission, includes:

  • Any personal data that reveals ethnic or racial origin, religious beliefs, political opinions, or ideological beliefs
  • Trade-union membership
  • Health-related data
  • Genetic or biometric data which is processed to identify individuals
  • Data regarding sexual orientation

If the company has appointed a Data Protection Officer, the data controller should seek advice for carrying out DPIA. You can check the Sample DPIA template on the GDPR website to help you get started.

8. Ensure data protection

GDPR Art. 32 encourages organizations to take appropriate measures to ensure data security, both technical and organizational. Here are the main GDPR requirements:

  • Data pseudonymization and encryption
  • Data confidentiality, integrity, and resilience of systems
  • Personal data access and availability restoration in the event of an incident
  • Regular testing, assessments, and evaluation of adopted security measure effectiveness

There are many tools that can be used to secure data. For example, VPNs and firewalls can help ensure the organization’s network is safe from unauthorized system access.

Additionally, full-disk and end-to-end encryption can safeguard the data from the origin point to its destination. For preventing data loss in cases of hardware failures or cyberattacks, creating data backups is also a security measure.

Even when incidents happen, it’s important to be prepared. Organizations should adopt access and identity management tools as well as start monitoring user, entity, or third-party activities.

9. Create a data breach response plan

It’s best to prepare your company for a data breach before it happens. Note that GDPR Art. 33 requires informing the supervisory authority with detailed data breach documentation in 72 hours to verify compliance.

Here are some of the main steps to ensure a good response plan:

  1. Assess your risks and assets to know what poses the biggest risks in your organization.
  2. Define response team responsibilities, including IT, HR, communications, and other departments.
  3. Ensure regular training so your response team members always understands their roles and are prepared.
  4. Adopt detection technologies, such as data-centric solutions and intrusion detection systems.
  5. Create an isolation plan which is important to contain affected systems.
  6. Document the incident in detail, from its nature to how it was contained and solved.
  7. Prepare a communication strategy, both internal and external, to ensure transparency and maintain user trust.

10. Document GDPR compliance

Under GDPR, companies are required to demonstrate their compliance to authorities. That’s why it’s best to document compliance by starting a GDPR diary. Let’s take a look at some of the main information you should point out in a GDPR compliance diary:

  1. Names of your organization’s data controllers and data protection officers
  2. The collected personal data categories
  3. Data flow
  4. Detailed documentation of processing activities
  5. Lawful basis
  6. Parties with access to the personal data
  7. Data protection impact assessment
  8. Implemented data security measures
  9. Transferring of personal data and security measures

The GDPR “Records of Processing Activities” issue states that companies are also required to keep records of their processing activities. This means that all of the user consent received should be stored in one secure place.

Consent management tools like TinyCookie automatically collect consents and let you export the data with a click of a button in case you want to store it elsewhere.

11. Appoint a Data Protection Officer

A Data Protection Officer (DPO) is responsible for ensuring that a business processes the personal data of data subjects in compliance with the GDPR. You need to appoint a DPO if one of the following statements applies to your organization:

  • Data processing is handled by public authority
  • The organization’s core activities include data processing that demands extensive regular data subject monitoring
  • The organization’s core activities include processing special data categories related to criminal offenses

A DPO can be the company’s staff member. Alternatively, it can be a person or organization outside of the company but under a contract.

The appointed individual or organization must have expertise in data protection laws and a deep understanding of the GDPR. They must also know how to monitor and handle data to ensure GDPR compliance and provide steps to ensure data protection assessments.

12. Protect children’s data

Under the GDPR Art. 8, organizations shouldn’t collect data of users under 16 years old, or in some member states, 13 years old. The collection of such user data must only be collected if a parent or guardian provides consent.

This means that organizations must ensure that children’s data isn’t automatically collected. The International Commissioner’s Office suggests one of the following verification methods:

  • Self-declaration. The user simply states their age, but this method is only suitable for low-risk processing.
  • Artificial intelligence. Analyze user interactions with AI to estimate the user’s age.
  • Third-party age verification services. Use a service to request specific users for age confirmation with a yes or no answer.
  • Account holder confirmation. If you provide logged-in or subscription-based services, you may confirm the user’s age based on the main account holder.
  • Technical measures. These are measures that prevent false age inputs and close accounts of underage users, such as neutral age declaration screens.
  • Hard identifiers. It’s possible to confirm user age with methods that link back to formal identity documents. This is only suitable for high-risk processing.

13. Provide staff training

Businesses must train their staff to understand what are GDPR requirements and how to prevent cybersecurity threats. You can start by explaining basic security measures, such as preventing leaving screens unlocked, creating weak passwords or writing them on paper, or connecting to public wifi.

You must also teach your staff how to spot a phishing attack so they don’t fall victim to it. Phishing is one of the most common cyber attacks on organizations. According to Statista, 76% of organizations experienced bulk phishing attacks in 2023.

Most common threats organizations experience

Since GDPR requires using security measures, teach employees about the importance of security tools and reasons for using them. For example, this can be urging them to use a VPN on public wifi. If your staff understands the risks, they’re more likely to implement the solutions.

Common challenges in GDPR compliance

While the GDPR has clear main requirements for protecting the rights of user privacy, compliance isn’t always easy. Here are some of the challenges that organizations face and how to overcome them:

  • Full data mapping. Across various systems, third-party platforms, and websites, it can be hard to locate all data collection sources and understand the flow. This makes compliance harder to achieve. However, companies can use third-party data discovery tools that help track personal data across entities and map it out.
  • Valid consent. GDPR states that users must give unambiguous and informed consent freely, and it would require resources and time to develop a comprehensive consent management system. For this reason, it may be cheaper to invest in full-fledged consent management tools, like TinyCookie for Shopify users.
  • Data protection. While the GDPR requires businesses to secure data or face hefty fines, the exact measures aren’t clear and cyber threats are always evolving. That’s why it’s better to get more comprehensive security solutions, from endpoint protection to backup and recovery.
  • International transfers. If your organization is transferring data outside the EU, the compliance requirement list grows even more. For such cases, it’s useful to check what countries the European Commission has adopted adequacy decisions for and utilize third-party services. You can learn all about international transfer requirements here.

Conclusion

GDPR compliance helps ensure that your organization is trustworthy when it comes to handling user data and protecting it from unauthorized access. It gives users a sense of control, increasing your reputation and preventing the risk of data breaches.

Adopting a consent management tool, updating your privacy policy as per GDPR requirements, ensuring transparency, and protecting user data are just some of the main steps in order to comply with the law. Make sure you also respect user rights and document compliance so that you can always be confident about your practices.

Frequently asked questions

If your organization processes the personal data of EU citizens, it must comply with the 7 main GDPR principles. They include lawfulness, transparency, data minimization, integrity and confidentiality, storage limitations, purpose limitations, and accountability.

Minor GDPR violations, including not keeping data processing records, can result in a fine of up to €10 million, or 2% of the firm’s global annual revenue, whichever is higher. More severe violations, which are listed in Art. 83 (5) GDPR, can result in a fine of up to up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year, whichever is higher.

The General Data Protection Regulation (GDPR) is a privacy law that applies to any company or entity that processes the personal data of EU residents. It must comply with GDPR regulations no matter where it operates.

It’s best that businesses review their GDPR compliance, including the privacy policy and terms of use, at least once a year. This helps ensure an accurate reflection of the company’s legal documents and practices at all times.

About the author
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.