CHECKLIST FOR GDPR COMPLIANCE

Area

Task

Completed

People

Board sponsorship with GDPR ‘champion’ appointed

Does a Data Protection Officer need appointing?

Create a project team supported by a cross functional task force

Develop and implement Board and employee training on data

protection and the new GDPR

Contact your legal support/ Supervisory Authority and make your

teams familiar with the relevant points of contact

Communication schedule outlining changes and revised approach

‘Best Practice’ focus group

Amendments to Role descriptions/Objectives

ICO registration

Any resource implications?

Process

Conduct and map end-to-end data audit identifying:

 What is held

 Where it’s come from

 Where it’s stored

 Who its shared with (3

parties)

 What you do with it

Demonstrate/record this audit

Ensure you are only collecting what is needed, deleting what is no

longer relevant

Review data being sent to Data Processors, third parties and

location the data is being sent to.

Ensure specific contractual terms in place for Data Processors with

audit reviews

Document all data processes (including actions for safeguarding

data) and data processing activities

Review and document lawful and legal basis for processing (update

privacy notice)

Review and redesign process for capturing, recording and noting

withdrawal of consent from Data Subjects

Establish appropriate practices for verifying Data Subjects’ age, and

where necessary, for gaining parental or guardian consent. Also

need a process for child to adult switch.

Review and update ‘Privacy Notices’ as may need to include, your

lawful basis for processing the data, data retention periods and to

complaint process

Right to Access – process documented (can they access there own

data online?)

Right to Rectification – process documented

Right to Restrict Processing – process documented