GDPR Checklist
19 requirements mapped to controls.
Requirements
| Requirement | Title | Controls | Owner |
|---|---|---|---|
| Conduct an information audit | Conduct an information audit to determine what information you process and who has access to it | SID-AUDIT-01 | platform |
| Have a legal justification | Have a legal justification for your data processing activities | SID-ORG-05 | operator |
| Provide clear information about your data processing | Provide clear information about your data processing and legal justification in your privacy policy | SID-ORG-07 | operator |
| Take data protection into account at all times | Take data protection into account at all times, from the moment you begin developing a product to each time you process data | SID-PRIV-01, SID-DATA-01, SID-DATA-02, SID-CRYPTO-03, SID-CRYPTO-02 | platform |
| Encrypt, pseudonymize, or anonymize | Encrypt, pseudonymize, or anonymize personal data wherever possible | SID-CRYPTO-01, SID-CRYPTO-03, SID-CRYPTO-02, SID-DATA-01, SID-DATA-06 | platform |
| Create an internal security policy | Create an internal security policy for your team members, and build awareness about data protection | SID-ORG-01, SID-PPL-02 | operator |
| Know when to conduct a data protection impact assessment | Know when to conduct a data protection impact assessment, and have a process in place to carry it out | SID-ARCH-02 | operator |
| Have a process in place to notify the authorities | Have a process in place to notify the authorities and your data subjects in the event of a data breach | SID-OPS-01, SID-AUDIT-01 | platform |
| Designate someone responsible for GDPR compliance | Designate someone responsible for ensuring GDPR compliance across your organization | SID-ORG-02 | operator |
| Sign a data processing agreement | Sign a data processing agreement between your organization and any third parties that process personal data on your behalf | SID-ORG-04 | operator |
| Appoint an EU representative if outside the EU | If your organization is outside the EU, appoint a representative within one of the EU member states | SID-ARCH-02 | operator |
| Appoint a Data Protection Officer | Appoint a Data Protection Officer (if necessary) | SID-ARCH-02 | operator |
| Customers can request and receive all their information | It's easy for your customers to request and receive all the information you have about them | SID-ARCH-02 | operator |
| Customers can correct or update inaccurate information | It's easy for your customers to correct or update inaccurate or incomplete information | SID-ARCH-02 | operator |
| Customers can request deletion of their personal data | It's easy for your customers to request to have their personal data deleted | SID-PRIV-03 | platform |
| Customers can ask you to stop processing their data | It's easy for your customers to ask you to stop processing their data | SID-ARCH-02 | operator |
| Customers can receive a transferable copy of their personal data | It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company | SID-ARCH-02 | operator |
| Customers can object to you processing their data | It's easy for your customers to object to you processing their data | SID-PRIV-01, SID-PRIV-03 | platform |
| Protect rights in automated decision-making | If you make decisions about people based on automated processes, you have a procedure to protect their rights | SID-ARCH-02 | operator |