Many people are looking for a GDPR compliance checklist. They want to work through it, tick off the items, declare that they are GDPR compliant, and then get GDPR certified. Many people are frustrated by the vagueness of GDPR compliance and simply want a list of things to do. Is there such a thing? Is it useful? What are the limitations? Where can you find one? Checklists are important because you really do need one in order to do a gap analysis. A GDPR compliance checklist is a type of legal checklist.
Is there such a thing as a GDPR compliance checklist?
Yes, well, sort of. It depends. They come in many different shapes and sizes.
For which role player?
The first question is – for which role player? There is a different GDPR compliance checklist for controllers, joint controllers, processors and sub-processors. They each have different obligations and therefore different checklists. You need the checklist that corresponds to the role you play.
To comply with (or do) what?
The second question is – a GDPR compliance checklist to comply with (or do) what?
- To comply with all your clear and actionable regulatory obligations under law?
- To comply with all the vague regulatory obligations under law (which are open to interpretation)?
- To do things (like put controls in place, and create a culture and a governance structure) to enable your organisation to apply the principles going forward?
- To do what is reasonable and appropriate (or reasonably practicable) for your organisation to apply the data protection principles correctly to its current activities?
The first is quite easy to produce and already exists. We can provide it to you. The second and fourth are much harder. There is no generic checklist for these two because what each organisation needs to do will be different: people interpret the law differently, the activities of organisations differ, and what is reasonable and appropriate differs with them. The third is also easier, although it will also differ from organisation to organisation. So, a generic checklist works for some aspects of GDPR compliance but not others. There is no GDPR compliance checklist for how your specific organisation must apply the principles to its activities.
For all aspects of the GDPR or just some of them?
The third question is – a GDPR compliance checklist for all aspects of the GDPR or just some of them? For example, there are checklists that deal only with information security or direct marketing. There are also top ten or top six checklists. There are also lists of actions to take first.
For the process or to protect personal data?
There are lots of actions that need to be taken as part of the process of complying with data protection laws. You get checklists that focus on the process. You also get lists of quick wins that focus on the low-hanging fruit, the actions that actually protect personal data.
GDPR compliance checklist or action list
Rather than calling the list a checklist, we prefer calling it an action list. A good action list clearly sets out the action that needs to be taken, who is accountable and responsible for it, the risk of not doing it, the regulatory obligation or requirement that requires it (its source in law), its status, its importance and priority, and when it must be done by. We also believe that lists should start with the action to be taken and not with the regulatory obligation or requirement. We also generally provide lists for all data protection laws rather than individual ones, because we believe you should focus on the 80% that data protection laws have in common.
Action lists that we offer
We can provide various lists:
- Lists of generic actions at the end of each module of our programmes. Usually about ten per module.
- Lists of quick wins in our programmes (like this list of quick wins) that most organisations find to be low-hanging fruit.
- List of actions to take first to help people prioritise and do important things first.
- List of process actions that you could take.
- List of your clear and actionable regulatory obligations under law depending on your role.
- List of actions to take to enable your organisation to apply the principles going forward.
- Lists for all data protection laws, or individual ones (like the GDPR or POPIA).
- Lists for specific departments or all departments.
We can also help you create a customised, bespoke list for your specific organisation of what is reasonable and appropriate (or reasonably practicable) for it to do to apply the data protection principles correctly to its current activities. This is no easy task and is open to interpretation. This exercise can become time-consuming and costly.
Are there any free GDPR compliance checklists online?
Yes, there are some generic GDPR compliance checklists, but they are not very useful.
- The Lexing 11 point gap analysis (requires translation from French) is based on a checklist of sorts.
- There are some data protection standards, which in a way are checklists.
- Some supervisory authorities provide lists, like the ICO guide "Preparing for the GDPR: 12 steps to take now" and various checklists for Data Protection Impact Assessments (DPIAs).
- The SaaS CTO security checklist – a basic checklist that any SaaS CTO (and anyone else) can use to harden their security. It relates only to information security and is mainly for controllers.
- A basic checklist you can use to harden your GDPR compliance. People contribute to this list through GitHub, so in this sense it is crowdsourced. It can be tailored for controllers and processors but has its limitations.
- A GDPR checklist for the direct marketing industry. Good but limited to direct marketing.
- There are some GDPR compliance checklists freely available online that are really just marketing material – checklists of things you can buy from a company.
- There are some GDPR compliance checklists in the media (for example Forbes) that are really just suggestions on what to tackle first. They are not complete checklists. They are often top five or top ten lists, which are often good but cover only the most important things, not all things.