GDPR Compliance Checklist

 GDPR compliance checklist that will help you become and stay compliant


✓ What is the GDPR?

The GDPR is the European Union’s data privacy law. Its goal is to ensure that businesses and governments treat people’s data fairly and responsibly. It also informs people about where their data is going and why.

✓ Who Does the GDPR Apply to?

The General Data Protection Regulation applies to ‘controllers’ and ‘processors’.

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

✓ What Rights is GDPR Providing to You?

The GDPR provides the following rights for you:

  • Receive information in a clear and transparent manner about the collected and processed data.
  • Easily access the personal data that companies have on you.
  • Request the alteration of any personal data that companies holds on you and is inaccurate.
  • Have your data erased.
  • Restrict the processing of personal data

✓ Data Mapping

You will have to conduct a data mapping exercise to figure it out what personal data you collect.

Secondly, you will make sure you know why you are collecting it, where it goes, and at the same time who has access to it. You should document any third parties or data processors who have access to company’s data.

Read more about how you do data mapping. 

✓ Security Review

Together with the IT manager, review how data is secured in storage and transit. Also, you should examine whether the technologies meet data protection best practices.

✓ Policy Review

Make sure you have an externally facing privacy policy that meets the requirements set out in Article 13  and 14 GDPR.

You should also make sure you have an internal data protection policy. This describes your procedures around data handling, access, collection, storage, deletion, and disclosures to third parties.

✓ Data Processing Records

Once you’ve reviewed your policies and processes against GDPR requirements, it’s time to fix any mismatches or gaps in your compliance programme. Here are some common areas where organisations have trouble: subject access requests, rights compliance, and privacy notices.

✓ Conduct a DPIA

Additionally, if you plan to use a new technology that poses a high risk to data subjects, you will need to make a Data Protection Impact Assessment, or DPIA.

A Data Protection Impact Assessment, or DPIA, is also required if you plan to implement a new technology that poses a high risk to data subjects.
A description of the intended processing procedures as well as the processing purpose should be documented in the DPIA.
You must examine all of the risks that new technology poses to data subject rights and take appropriate actions to prevent those risks.

Read more about Sovy's Data Protection Impact Assessments Detailed Guidance.

✓ GDPR eLearning for staff

Equally important are your employees. You should present the new data hygiene tailored to each department of your company and enrol your team in eLearning courses.


✓ GDPR compliance checklist for small or large businesses

If you are a small business or even a one man show, this GDPR compliance checklist will help you with the main requirements. However, if you are a business with a large processing of personal data it is advisable to designate a DPO.

The GDPR is specific on the qualifications of the Data Protection Officer (DPO) and its role within the company.

Benefits of Sovy GDPR Privacy Essentials


Maintain your ongoing compliance programme with ease using our suite of tools


Our affordable subscriptions mean you can stay compliant with the GDPR as it evolves, year after year


Benefit from our years of expertise in regulatory risk and data protection and continuing development of our tools

Sovy Partner Program

Join our Partner Program today and start reselling Sovy products immediately.

Help your clients become GDPR compliant with the Sovy GDPR Privacy Essentials. Whether you want to offer as an add-on to your existing services, or take a hands off, referral approach, we can accomodate your needs.

Get in touch today for more information.