
GDPR Compliance Checklist: 15 things to know

Need a GDPR Compliance Checklist? Look no further than this comprehensive GDPR cheat sheet! 👇

Safeguarding personal data and avoiding hefty fines is crucial in today’s data-driven world. This comprehensive GDPR compliance checklist serves as a valuable resource to assess your compliance status and secure your organization to avoid costly fines.

What is the GDPR?

The GDPR likely applies to you if you target Europe-based users (whether or not you’re based in Europe) or if you’re based in Europe (whether or not your target users are Europe-based).

Does the GDPR apply to you?

The GDPR applies to organizations, companies, individuals, corporations, public authorities and other entities – including small businesses, charities and nonprofit organizations – that are either based in the EU, offer goods or services (even for free) to people in the EU, or that monitor the behaviour of people in the EU, either directly or as a third party.

Keep reading for a need-to-know GDPR compliance checklist!

What are the key requirements of GDPR?

The General Data Protection Regulation (GDPR) sets out several key requirements to protect personal data. These include:

  1. Establishing a legal basis for processing personal information, such as obtaining consent or fulfilling contractual obligations;
  2. Presenting a clear privacy and cookie policy to users;
  3. Specifying the types of personal data collected and the reasons for its collection;
  4. Disclosing any instances of sharing data with third parties;
  5. Recognizing individuals’ rights to access and request the deletion of their data;
  6. Ensuring that consent for data processing is explicitly given, notably avoiding the use of pre-ticked consent boxes;
  7. Keeping detailed records of how and when consent was obtained;
  8. Providing mechanisms for users to access, correct, or delete their personal information upon request;
  9. Allowing users to object to data processing and to request the portability of their data; and
  10. Implementing robust procedures to detect and report data breaches.

GDPR Requirements: 10 Key requirements of GDPR Explained

| Requirement | Description |
| --- | --- |
| Legal Basis | Before you use someone’s personal information, you need a good reason. This could be because they said it’s okay (consent), you need it to complete a deal (contract), or the law says you have to. |
| Privacy Policy | You must tell people clearly how you use their personal information. This information goes in a privacy and cookie policy that everyone can easily find and understand on your website or app. |
| Data Types and Purpose | You have to explain what kind of personal information you collect, like names or email addresses, and why you need it, such as for sending newsletters or processing orders. |
| Third-Party Sharing | If you share personal information with other companies or people (like delivery services), you need to tell everyone exactly who you’re sharing it with and why. |
| User Rights | People have rights over their personal information. They can ask to see it, fix it if it’s wrong, or even ask you to delete it. You have to respect these rights and help them do these things if they ask. |
| Consent | When you ask people if you can use their information, they have to say “yes” clearly and freely. You can’t just assume they agree or use a checkbox that’s already marked “yes.” |
| Record Consent | Keep a record of when and how people say you can use their personal information. This way, you can show you got permission properly if someone asks. |
| Access and Correction | Make it easy for people to ask for their personal information or change it if it’s not right. If they ask, you have to respond quickly and help them out. |
| Objections and Portability | People can say no to some ways you use their information or ask to take their information to a different company. You have to let them do this and help make it happen. |
| Data Breaches | If personal information gets lost, stolen, or exposed without permission, you have to have a plan to deal with it quickly. This includes telling the right authorities and the people affected by the breach. |

What are the 7 principles of GDPR?

The 7 principles of GDPR are rules to make sure personal information is handled safely. Here’s what they mean:

  • Fairness and Transparency: Always be clear and honest about how you use users’ data.
  • Purpose Limitation: Use the data only for the reasons you’ve stated to users.
  • Data Minimization: Only collect the data you really need for your purposes.
  • Accuracy: Keep personal data up-to-date and correct any inaccuracies.
  • Storage Limitation: Don’t store data longer than necessary.
  • Integrity and Confidentiality (Security): Keep data safe and protected from unauthorized access or breaches.
  • Accountability: Be able to show how you’re following these rules.

How to be GDPR compliant?

To be GDPR compliant, do these things:

  1. Understand Your Data: Know what personal data you have and why you have it.
  2. Clear Privacy Policy: Share a privacy policy that’s easy to understand.
  3. Proper Consent: Always get clear permission to use someone’s data.
  4. Access and Correction: Let people see their data and fix it if they ask.
  5. Protect the Data: Keep the data safe from any harm or theft.
  6. Demonstrate Compliance and Accountability: Be ready to respond to requests or inquiries from regulatory authorities or individuals. (Don’t forget to maintain detailed records of your data storage, usage, and processing activities.)

What is a GDPR check?

A GDPR check is like a health check for how you handle personal information. It’s when you carefully check your processes to make sure they match up with General Data Protection Regulation (GDPR) rules. This includes making sure you protect data properly, use it fairly, and give people control over their own information.

Regular GDPR checks help you catch any issues early and keep data safe.

For more details and to make sure you’re doing everything right, you can refer to the following GDPR Compliance Checklist.


How to Comply with GDPR: ✅ GDPR Compliance Checklist

Starting with a GDPR checklist is a smart move to make sure you’re handling personal data correctly. Here’s a guide to help you follow the GDPR compliance requirements:

To ensure GDPR compliance, it is crucial to establish a valid legal basis for processing personal data. This involves carefully assessing and documenting the lawful grounds on which you rely to process personal data. This can include obtaining consent, fulfilling a contract, complying with a legal obligation, protecting vital interests, performing a task carried out in the public interest or in the exercise of official authority, or pursuing legitimate interests.

Having a valid privacy and cookie policy is essential for GDPR compliance. This policy should be readily available and easily accessible to users on your website or app. It should clearly explain how you collect, use, store, and share personal data. Additionally, it should provide information about the use of cookies and other tracking technologies, including how users can manage their preferences.

In your privacy and cookie policy, clearly outline the types of personal data you collect from individuals. This includes information such as names, addresses, email addresses, phone numbers, and any other relevant data points. Furthermore, clearly state the purposes for which you collect this data, whether it’s for providing services, fulfilling orders, personalizing user experiences, or any other legitimate purpose.

Transparency regarding data sharing is crucial under the GDPR. In your privacy and cookie policy, provide an accurate and comprehensive list of any third parties with whom you share personal data. This can include service providers, business partners, or any other entities involved in processing or assisting with data management. Clearly state the purposes for which these third parties have access to the data.

Ensure that your privacy and cookie policy informs users about their rights under the GDPR. This includes the right to access their personal data, rectify inaccuracies, object to processing, request erasure, restrict processing, data portability, and withdraw consent. Clearly explain how users can exercise these rights and provide contact information for them to make such requests.

When implementing consent mechanisms for data processing activities, it is important to use unambiguous language and require an explicit “opt-in” action from users. Avoid using pre-ticked boxes or opt-out mechanisms, as they do not meet the GDPR’s requirements for valid consent. Make sure that users actively and clearly indicate their agreement to the specific processing activities for which you are seeking consent.

When collecting personal data through contact, newsletter, and registration forms, clearly state your intentions for using the data. Provide links to your privacy policy to ensure users have easy access to comprehensive information. Obtain opt-in consent from users for each specific activity you plan to engage in with their data, such as sending marketing communications or sharing their information with third parties.

To demonstrate compliance with the GDPR, it is essential to maintain clear and detailed records of consent. This includes recording the time and date of consent, the specific preferences expressed by the user, any accompanying legal or privacy notices provided at the time of consent, and the specific form or mechanism used to obtain consent. These records will help you provide evidence of consent if required.

Under the GDPR, individuals have the right to access the personal data you hold about them. Implement mechanisms that enable customers to easily request and receive information about the data you have collected and processed on their behalf. Provide clear instructions on how they can make such requests and establish a process for responding to these requests promptly and securely.

To ensure data accuracy and compliance with the GDPR, provide accessible means for customers to correct or update inaccurate or incomplete data you hold about them. Implement a process that allows individuals to easily request corrections or updates to their data, and ensure that these requests are handled promptly and accurately.

To respect individuals’ rights, allow customers to easily object to specific processing activities. Clearly communicate how they can exercise this right and provide a straightforward process for submitting objections. Review and address objections in a timely manner while considering the legal grounds for the objection and any potential exemptions.

Under the GDPR’s right to data portability, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format. Establish mechanisms that let customers receive their data in such a format, making it easier for them to transfer their data to another company if desired. Clearly communicate the process for requesting data portability and provide the necessary assistance to fulfill these requests.

Ensure that customers can easily request the deletion of their personal data when certain conditions under the GDPR apply. Simplify the process for submitting data deletion requests, clearly communicate the steps involved, and promptly respond to and fulfill valid deletion requests. Keep records of these requests and document the actions taken to comply with them.

Under certain circumstances, individuals have the right to request the restriction of processing their personal data. Establish a process that enables customers to make such requests, provide clear instructions on how to submit them, and promptly address and implement valid requests for restricting data processing. Keep records of these requests and any actions taken to comply with the requested restrictions.

To ensure the security of personal data and comply with the GDPR’s requirements, implement robust technologies and procedures to detect, report, and investigate any personal data breaches. Establish mechanisms for monitoring and detecting potential breaches, have procedures in place for timely reporting to the appropriate authorities and affected individuals when required, and conduct thorough investigations to determine the scope and impact of the breach.

To demonstrate compliance and accountability, maintain detailed records of your data storage, usage, and processing activities. This includes documenting your data retention policies, the security measures you have implemented to protect personal data, the legal basis for each processing activity, any data transfers outside the European Union, and the parties involved in data sharing arrangements. These records will help you ensure transparency and respond to requests or inquiries from regulatory authorities or individuals affected by your data processing practices.

Achieving GDPR compliance is crucial for organizations handling personal data.

By adhering to this GDPR compliance checklist, you can enhance your data protection practices and ensure legal and ethical handling of personal information. Stay proactive in your compliance efforts to safeguard individuals’ privacy rights and maintain a trustworthy reputation in the digital landscape.

GDPR Checklist Overview

Establish a valid legal basis for processing personal data.

Maintain an up-to-date, understandable, and easily accessible privacy and cookie policy on your website or app.

Clearly describe the types of personal data collected and the purposes behind their collection in your privacy and cookie policy.

Accurately list all third parties with whom the data is shared in your privacy and cookie policy.

Inform users of their rights concerning their data in your privacy and cookie policy.

Ensure consent mechanisms are unambiguous and involve an explicit “opt-in” action. Avoid pre-ticked boxes and opt-out mechanisms.

Clearly state your intentions, provide links to your privacy policy, and obtain opt-in consent for various activities through contact, newsletter, and registration forms.

Maintain clear records of consent, including details like the time of consent, preferences expressed, accompanying legal or privacy notices, and the specific form used.

Enable customers to easily request and receive information about the data you hold on them.

Provide accessible means for customers to correct or update inaccurate or incomplete data.

Allow customers to easily object to specific processing activities.

Facilitate customers in receiving their personal data in a format that can be readily transferred to another company.

Simplify the process for customers to request the deletion of their personal data.

Enable customers to request the restriction of processing their personal data.

Implement robust technologies and procedures to detect, report, and investigate any personal data breach.

Maintain detailed records of data storage, usage, and processing activities, including data retention policies, security measures, legal basis for processing, data transfers outside the EU, and the parties involved in data sharing.
