GDPR Compliance Checklist 2018 – Are You Ready for GDPR?

Since the GDPR launch, our team of business strategists began extensive research for the better understanding the newly-launched data protection law & compiled a list of GDPR compliance checklist that will clear out a lot of confusion and answer most critical questions about GDPR.

Our detailed GDPR compliance checklist will also help small businesses, established organizations and entrepreneurs take the right steps to become GDPR ready. Before anything else, let’s get a quick understanding of GDPR compliance.

What’s GDPR?

Basically, GDPR is a set of data protection rules designed to overhaul the laws that protect personal information of individuals using internet for vast range of services.

The European Union’s General Data Protection Launch (GDPR) came into the force on 25th may 2018 and has become mandatory for businesses in (European Union) EU that collect data from individuals. In short, GDPR has been put into place to check wrongful storage, usage, and sharing of personal information.

Now that we have cleared the concept of GDPR and its basic principles, let’s focus on the critical question:


Data security


Are you ready for GDPR?

Since GDPR is a complex 11-chapter document with 99 articles that cover a vast range of data protection rules, we have simplified the rules to simpler understanding. This GDPR compliance checklist highlights the key points that you need to take care of systematically to become GDPR compliant. Here is the GDPR compliance checklist in the simplest form!

Determine whether your business needs GDPR compliance

The first step is to determine whether your business really needs to become GDPR compliant or not. Your business needs to comply with the GDPR if it collects individual data from European Union, distributes goods & services to individuals in EU, or monitors the behaviour of individuals in EU. If EU is not business area, then, there is no need to read ahead unless you are interested in learning about the hot topic!

Determine whether your business is a data processor or controller

The data processing businesses organize customer’s data on behalf of other companies. They are usually third party enterprises which deal with individual information whereas data controllers are the businesses that ask customers for their personal information such as Facebook. The purpose behind the information could be sending out newsletters, privacy policy updates etc. Under GDPR, there are different obligations for data processors and data controllers. So, take time to identify your data role.

Update your Business’s privacy policy

Under GDPR compliance, it’s mandatory for businesses to update their privacy policy and privacy notices with new terms and conditions. If your business’ privacy policy complies with Australian Privacy Policy Act 1988, then, you need some modifications such as:

  • Your business must start processing personal data in accordance with principles set out in the GDPR
  • Persons over 16 years can consent to the processing of personal data, but those who are below that need consent of their parents or guardians.
  • Individuals have the right to access their data, erase their data, request to restrict their data, and data portability.

The privacy policy updation is the major highlight in the GDPR and should top your list of GDPR compliance checklist.


Complete a DPIA (Data Protection Impact Assessment)

If your business processes data in large-scale and possesses high-risk to the rights and freedoms of individuals, then, it’s mandatory for your business to complete a DPIA (Data Protection Impact Assessment). A DPIA is required if your business:

  • Processes a systematic and extensive evaluation of the personal aspects of an individual, including profiling.
  • Processes sensitive data on large-scale
  • Monitors public areas on big-scale

For better understanding, we have included an example in this particular GPDR compliance checklist. Below is the same:

If a bank is screening its customer for credit reference database, then, it needs a DPIA since the bank is processing data on large-scale. However, a health practitioner doesn’t need a DPIA if he is processing personal data of his patients.

Assign a European Union representative

You need to appoint an EU representative if your business falls under the scope of GDPR. However, there is no need to assign a different representative in every EU member state if your business includes distribution of goods and services in the EU or observation of the behaviour of individuals within the EU.

In other scenario, your business doesn’t need an EU representative if:

  • Your business processes data which is unlikely to result in risk to the rights and freedom of individuals.
  • Your business processes data occasionally (criminal, offense, and special data is exceptional)
  • A business is a public authority.

Create privacy compliance manual & train your staff

It’s highly essential for businesses to make privacy compliance manual and educate their staff about privacy guidelines and best practices. Employees are the ones who respond to the individuals requesting access to their data or exercise their rights. So, your employees should be aware of the individual rights and respond according to that.

Data security & privacy

Note- If businesses that fall under the scope of GDPR do not comply with the GDPR can face fines of up to 20 million euros or 4% of their total annual worldwide turnover, whichever is higher. Recently, technology giants like Google, Facebook, Instagram, and WhatsApp faced fines of up to USD 9.3 Billion on the first day of new privacy law.

Creating an easy to understand privacy compliance manual and providing complete training to your staff is important to ensure GDPR compliance.

This super-informative GDPR compliance checklist ends here!

Do you need help with GDPR compliance and making your business ready for the new privacy laws of EU? Get in touch with Team Doynt at for free consultation session!

Author Bio

Leave a Reply

Your email address will not be published. Required fields are marked *