GDPR Checklist

Make sure you document every step you take towards GDPR compliance and keep a record on file as evidence of how your organisation aims to meet the requirements.

Getting Started

  1. Keep notes of decisions taken at internal meetings re GDPR.
  2. Assign a data protection officer, document your reasons not to, or nominate the Manager responsible for Data Protection.

Analyse the Personal Data you collect

  1. List what types of data your business collects and where it is stored
  2. Categorise the data
  3. Identify the lawful basis for processing each data category
  4. Create a retention schedule for data. When the data has reached the end of its retention period destroy it in accordance with a data destruction policy (minimise the data you hold

Technical Security

  1. Ensure your website is HTTPS (security by design)
  2. Ensure your office computers are encrypted (security by design) – Go to Settings > Security & Privacy > FileVault on a Mac to do this.

Physical security

  1. Review Physical security of data (USB disks, paper filing systems behind lock and key etc)
  2. Create an asset register of the serial numbers of all your computers regardless of contents – you may need to prove to the ICO that a stolen computer could not have had any personal data on it
  3. Consider which individuals should have access to the data on each device
  4. Create a password policy for all users (staff, website etc)
  5. Securely lock away any personal data

Policy Documents

  1. Update your website’s Terms of Use and Privacy Policies (to include identity of the controller purpose of the processing and the legal basis, the legitimate interest, any recipient or categories of recipients of the personal data, the right to withdraw consent at any time, and the data retention period)
  2. Include, or create a separate Cookies Policy covering which types of cookies are used on your website, and give users the option to opt-out.
  3. You’ll need to gain opt-in consent before providing a user with a Google Analytics tracking script.
  4. Review the ICO’s cookie policy, and consider using the Cookie Control tool by Civic UK 

Explicit Consent

  1. Update consent wording on all forms (paper and online) where necessary
  2. Review GDPR policy & practice of any 3rd party data processors your website uses – to ensure they are compliant!)
  3. Email your entire list of contacts (marketing or otherwise) to ask them to opt in to the various types of communication you plan on sending
  4. Keep a record of opted-in consents

User rights

  1. Implement a policy to identify and handle any data subject access requests
  2. Implement a policy to identify and handle any data erasure or corrections requests
  3. Create a data breach response policy, including a data breach log
  4. Create a document of non-compliance issues to show awareness of compliance omissions and to plan towards total compliance or at least thorough risk mitigation.

Staff Training

  1. Train your staff so they ALL understand what constitutes personal data (bonus points for practicing case scenarios with your team and for putting together an Staff GDPR Awareness Status Report to note down who has participated in which training)
  2. Train your staff to identify a breach (plus how to avoid email scams)


  1. Take legal advice, to ensure all required steps are taken for your organisation to be fully GDPR compliant
  2. Register with your national Data Protection Office (ICO in UK, fees start at £55 annual fee + £20 if you’re in the direct marketing industry)