Many organisations get stuck in their GDPR journey and need some fresh ideas to move ahead.
If you're already using our integrated business management software, you can request our GDPR checklist to be added as an audit in the Audit Manager module. Simply talk to your account manager for more information.
This GDPR checklist makes it easy for you to:
- Schedule recurring audits
- Don't miss a thing - everything is already in the system
- Assign roles and responsibilities
If you're not already using our software, you can access a shorter version by downloading from the form below.
| Access our GDPR checklist as an excel spreadsheet free here: |
| Roles and responsibilities for GDPR team |
| Have roles and responsibilities been defined? |
| Do you need to hire a Data Protection Officer? |
| Have you communicated to stakeholders their roles? |
| Have you assembled a GDPR team? |
| Have you identified what information we collect? |
| Have you assessed how information is processed? |
| Have you identified what information we store? |
| Risk assessments |
| Have you got an information asset register? |
| Have you completed a DPIA? (example below) |
| Is privacy by design a consideration when there is a business change? |
| Identify the data flows |
| Describe the data flows |
| If transferring personal data outside the EU, are there adequate protections in place? |
| Identify privacy risks |
| Identify privacy solutions |
| Record PIA outcomes |
| Integrate outcome into project plan |
| Policies |
| Have we a policy for: |
| Reporting a breach |
| Data retention |
| Labelling |
| Privacy statement |
| Privacy by design |
| Profiling |
| Change management |
| GDPR statement |
| Risk management process |
| Security breach management |
| Contracts |
| NDAs |
| Subject access request form |
| Data handling |
| Have reasonable steps been taken to protect sensitive data? |
| Training |
| Have employees completed formal GDPR training? |
| Are employees competent at raising risks, opportunities and vulnerabilities? |
| DPIA |
| Whose data is being processed? |
| Format of data? |
| Volume of data held? |
| Where does the data come from? |
| Does information include: Personal, sensitive |
| Have we provided information on how we will use the information: Terms and conditions, contract, privacy notice, cookie policy |
| Have we identified the legal / contractual reasons for processing this data? |
| How do we process the data? |
| Is there any personal data that is not required? |
| Where is the data backed up? |
| Does the cloud / back up reside in the EU? |
| How do you ensure personal data is accurate and kept up to date? |
| Wen was the data originally obtained? |
| Are you able to amend personal data provided to you? |
| Do you have a retention policy that covers the information stream identified? |
| What is the retention period for this information stream? |
| How is this enforced? |
| Does software allow you to delete information in line with your retention policy? |
| Are you able to respond to subject requests for information easily? |
| Can you trace subject data in the system? |
| Do you have full traceability of where subject data has been transferred? |
| Can subjects opt out of their information being used for marketing purposes? |
| What measures / controls are in place with regards to information security? |
| What organisation measures are in place in regard to information security? |
| Do you know what the process is in the event of a security breach? |
Want more GDPR resources? Download our GDPR toolkit here.
Share your thoughts on this article