GDPR Checklist for Data Controllers
19 checklist items: 1 with full coverage, 8 with partial coverage, 10 with no coverage.
See Findings for GDPR-related audit findings tracked as GitHub issues.
Checklist Coverage
| Checklist Item | Coverage | Controls | Owner | Notes |
|---|---|---|---|---|
| Conduct an information audit | partial | SID-AUDIT-01 | shared | Platform logs data flows. Existing PII register is incomplete: missing enterprise identity binding and invite metadata... |
| Have a legal justification | partial | SID-ACCESS-03 | operator | Platform requires explicit consent per disclosure. Operator must determine and document lawful basis for all processing. |
| Provide clear information about your data processing | partial | SID-ORG-07 | operator | Platform displays relying party identity and requested attributes to users. Operator must publish full Art 13/14 priv... |
| Take data protection into account at all times | full | SID-PRIV-01, SID-DATA-01, SID-DATA-02, SID-CRYPTO-03, SID-CRYPTO-02 | platform | Selective disclosure, hardware-backed keys, and encrypted keystore enforced. Credentials and presentations stored ins... |
| Encrypt, pseudonymize, or anonymize | partial | SID-CRYPTO-01, SID-CRYPTO-03, SID-CRYPTO-02, SID-DATA-01, SID-DATA-06 | shared | Keystore and credentials encrypted (AES-256-GCM via PRF-derived keys), HSM for issuer keys, selective disclosure for ... |
| Create an internal security policy | none | SID-ORG-01, SID-PPL-02 | operator | Operator must create and maintain information security policy and awareness program for team members. |
| Know when to conduct a data protection impact assessment | none |  | operator | Operator must conduct DPIA for wallet service. High-risk processing (large-scale identity data) likely triggers requi... |
| Have a process in place to notify the authorities | partial | SID-OPS-01, SID-AUDIT-01 | shared | Platform provides audit logging for breach detection. Operator must implement 72h notification to DPA and communicati... |
| Designate someone responsible for ensuring GDPR compliance | none | SID-ORG-02 | operator | Operator must designate GDPR compliance responsibility. |
| Sign a data processing agreement | none | SID-ORG-04 | operator | Data processing agreement required between operator and Siros Foundation. |
| Appoint an EU representative if the organization is outside the EU | none |  | operator | Only applicable if operator is outside the EU. |
| Appoint a Data Protection Officer | none |  | operator | Operator must appoint DPO if required by national law or processing scope. |
| Data subjects can request and receive all the information held about them | none |  | operator | Operator must implement right of access (Art 15). |
| Data subjects can correct or update inaccurate information | none |  | operator | Operator must implement right to rectification (Art 16). |
| Data subjects can request to have their personal data deleted | partial | SID-PRIV-03 | shared | Platform supports individual credential deletion but lacks a bulk-erase endpoint that cascades across all collections... |
| Data subjects can ask you to stop processing their data | none |  | operator | Operator must implement right to restriction (Art 18). |
| Data subjects can receive a copy of their personal data in a portable format | partial |  | shared | Platform uses standard credential formats (SD-JWT, mDOC). Operator must support data portability (Art 20). |
| Data subjects can object to you processing their data | partial | SID-ACCESS-03 | shared | Platform requires per-presentation consent. Operator must implement right to object (Art 21). |
| Rights are protected where decisions are based on automated processes | none |  | operator | Operator must provide rights regarding automated decision-making (Art 22). |
Related Audit Findings
| Finding | Severity | Status | Owner | Controls |
|---|---|---|---|---|
| P-1 — Dead credential storage path | 🟢 low | resolved | platform | SID-DATA-05 |
| P-2 — Dead presentation storage path | 🟢 low | resolved | platform | SID-DATA-05 |
| P-3 — Enterprise identity fields stored as plaintext | 🟡 medium | open | platform | SID-DATA-06 |
| P-4 — Incomplete right-to-erasure cascade | 🟡 medium | in progress | platform | SID-PRIV-03 |