GDPR Compliance Checklist: Tips for Staying Compliant in 2022

Quick Guide: Everything You Need to Know about the GDPR

The European Union enacted sweeping privacy legislation in 2018, designed to protect consumers’ personal data. The General Data Protection Regulation (GDPR) is a serious law, and non-compliance has been punished in the years since the law’s enactment.

If your business is established in the EU, or it offers goods or services to people in the EU or monitors their behavior (for example by tracking website visitors), then you fall under the GDPR, no matter where your business is located (GDPR Art. 3).

Violating the GDPR can result in fines of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher, which is why compliance is serious business. To protect both your business and your customers, regularly review our GDPR compliance checklist (summarized below).

  1. Appoint or hire a Data Protection Officer (DPO)
  2. Assess your data privacy measures
  3. Outline your data management plan
  4. Implement tools for gathering user consent
  5. Document compliance, record keeping, and auditing procedures
  6. Identify your data breach protocols

Read our full article to learn more about the GDPR and other tips for avoiding violations that could destroy your business.

Privacy on and off the internet has been a growing concern for years. The European Union (EU) was at the forefront of data privacy when it enacted sweeping privacy legislation back in 2018. Its General Data Protection Regulation (GDPR) is comprehensive in its coverage, but also a bit scary, given the staggering fines for violations.

If you’re running a business of any size, you can’t afford to be in the dark about this piece of legislation. Read on to find out everything you need to know to avoid running afoul of the GDPR.

What is the GDPR?

On May 25th, 2018, the General Data Protection Regulation became applicable across the EU and changed how businesses process personal data. It replaced the 1995 Data Protection Directive (95/46/EC) and responded to how technology and consumer expectations had changed in the decades since the Directive took effect.

The GDPR works to ensure that personal data is processed lawfully, transparently, and securely. A business must have a lawful basis for every processing activity (consent is one of six such bases, alongside contract, legal obligation, vital interests, public task, and legitimate interests; GDPR Art. 6), must tell people what it collects and why, and must protect the data with appropriate technical and organizational measures (Art. 32). Where consent is the basis, it must be obtained before any collection takes place.

What rights do individuals have under the GDPR?

The GDPR refers to protected individuals as “data subjects.” The person, business, or website that decides why and how personal data is processed is the “data controller,” and anyone that processes data on a controller’s behalf (a hosting provider or an email marketing service, for example) is a “data processor” (GDPR Art. 4). Under the GDPR, data subjects have eight core rights:

Infographic showing the rights individuals have under the GDPR

  1. Right of access by the data subject (GDPR Art. 15) — Data subjects have the right to know whether a controller is processing their data, to obtain a copy of it, and to learn the purposes of the processing, the categories of data involved, who receives it, how long it is kept, and where it came from.
  2. Right to rectification (GDPR Art. 16) — Data subjects have the right to have inaccurate personal data corrected and incomplete data completed.
  3. Right to erasure (GDPR Art. 17) — Also called the “right to be forgotten.” Data subjects can have their data deleted if the necessary conditions are met, such as when the data is no longer necessary for the purpose for which it was originally collected, or when they withdraw the consent the processing relied on.
  4. Right to restriction of processing (GDPR Art. 18) — Data subjects have the right to restrict the controller from processing their data in certain situations, such as while the accuracy of the data is being verified, or when the processing is unlawful but the data subject prefers restriction to erasure.
  5. Notification of rectification, erasure, or restriction (GDPR Art. 19) — When a controller rectifies, erases, or restricts personal data, it must inform every recipient to whom that data was disclosed, unless this proves impossible or involves disproportionate effort, and it must tell the data subject who those recipients are if asked.
  6. Right to data portability (GDPR Art. 20) — Data subjects have the right to receive the data they provided in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where that is technically feasible.
  7. Right to object (GDPR Art. 21) — Data subjects have the right to object to processing based on legitimate interests or a public task. The controller must then stop unless it can demonstrate compelling legitimate grounds that override the data subject’s interests. An objection to direct marketing must always be honored.
  8. Rights related to automated decision-making (GDPR Art. 22) — Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, apart from a few narrow exceptions.

While data subjects have these rights and protections under the GDPR, businesses bear the burden of complying with the legislation for any information collected from data subjects.

Consent is one of the cornerstones of the GDPR, and businesses are the ones that must obtain it and be able to prove it (GDPR Art. 7(1)). The consent requirement puts the user in control of how their data is collected and processed. Under the GDPR, consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action (Art. 4(11)); pre-ticked boxes or silence do not count.

Websites have long used cookies (tiny blocks of data a website stores on your device) to gather and store a visitor’s personal data for marketing and/or sharing with third parties. Before the GDPR, this collection was often invisible to a website visitor.

Under the GDPR, however, a website must now get permission first. Strictly speaking, the rule that non-essential cookies require consent comes from the EU’s ePrivacy Directive; the GDPR sets the standard that consent must meet. That is why, whenever you visit a new website today, you get a pop-up message about cookies, as illustrated by the screenshot below.

Screenshot of a "This website uses cookies" message

The GDPR also strongly advocates for “granular consent.” Each distinct purpose for which user data will be used (analytics, personalization, sharing with advertising partners, and so on) must be presented separately, so that the user can clearly choose which activities they wish to consent to rather than accepting or refusing everything at once.

The GDPR also states that access to a service must not be made conditional on consent to processing that the service does not actually need (Art. 7(4)); consent obtained that way is not freely given. In other words: a user cannot be punished (for example, by being blocked from a website) for declining to consent to non-essential data collection.

The GDPR goes a step further by requiring that withdrawing consent be as easy as giving it (Art. 7(3)), so a business needs a way to record and act on a user’s revocation. This can be verbal (over the phone, for example) or a digital method (an email, or a settings page). The “unsubscribe” link in every marketing email you get from a company is one example. Businesses have to make it easy for a consumer to revoke consent.
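As an added example that is not part of the original article, the snippet below shows how a website’s own JavaScript can enforce the consent rules just described: non-essential cookies are refused until the visitor has opted in to their category, the consent record carries a timestamp and a policy version so the controller can demonstrate consent, consent given for an older policy version is treated as absent, and withdrawing consent deletes every cookie set under the withdrawn category. The category names, the `cookie_consent` record cookie, and the in-memory cookie jar are assumptions of this example; in a browser you would back the jar with `document.cookie` and route every analytics or marketing tag through `setCookie`.

```javascript
// Added example: a consent-gated cookie store (not code from the article).
// Assumed categories: "necessary" never needs consent; the other two do.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_COOKIE = 'cookie_consent'; // assumed name of the consent record

// Minimal cookie jar so the example runs under Node. In a browser, back
// these three methods with document.cookie instead.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, String(value)); }
  remove(name) { this.store.delete(name); }
}

class ConsentManager {
  constructor(jar, policyVersion, now = () => new Date()) {
    this.jar = jar;
    this.policyVersion = policyVersion;
    this.now = now;
    this.registry = new Map(); // cookie name -> category, used on withdrawal
  }

  // The stored consent record, or null if it is missing, unparseable, or
  // was given for an older policy version (stale consent is no consent).
  record() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (rec === null || typeof rec !== 'object') return null;
    if (rec.version !== this.policyVersion) return null;
    if (rec.granted === null || typeof rec.granted !== 'object') return null;
    return rec;
  }

  // Granular consent: the visitor picks categories. Unknown categories are
  // rejected, and "necessary" is never part of the choice.
  grant(categories) {
    const granted = { necessary: true, analytics: false, marketing: false };
    for (const c of categories) {
      if (!CATEGORIES.includes(c) || c === 'necessary') {
        throw new Error(`cannot grant category: ${c}`);
      }
      granted[c] = true;
    }
    const rec = { version: this.policyVersion, grantedAt: this.now().toISOString(), granted };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal must be as easy as granting: flip the categories off and
  // delete every cookie that was set under them.
  withdraw(categories) {
    const rec = this.record();
    if (rec === null) return null;
    for (const c of categories) {
      if (!CATEGORIES.includes(c) || c === 'necessary') continue;
      rec.granted[c] = false;
      for (const [name, cat] of this.registry) {
        if (cat === c) { this.jar.remove(name); this.registry.delete(name); }
      }
    }
    rec.updatedAt = this.now().toISOString();
    this.jar.set(CONSENT_COOKIE, JSON.stringify(rec));
    return rec;
  }

  allowed(category) {
    if (category === 'necessary') return true;
    const rec = this.record();
    return rec !== null && rec.granted[category] === true;
  }

  // The only way the rest of the site should set a cookie: returns false
  // (and sets nothing) unless the category has current consent.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    this.registry.set(name, category);
    return true;
  }
}

// Constructed walkthrough: refused before consent, allowed after a granular
// grant, other categories still refused, purged after withdrawal.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar, 'v2', () => new Date('2022-01-01T00:00:00Z'));
  const steps = [];
  steps.push(cm.setCookie('session', 'abc', 'necessary')); // true: no consent needed
  steps.push(cm.setCookie('_ga', 'GA1', 'analytics'));     // false: nothing granted yet
  cm.grant(['analytics']);
  steps.push(cm.setCookie('_ga', 'GA1', 'analytics'));     // true
  steps.push(cm.setCookie('_fbp', 'fb', 'marketing'));     // false: marketing not granted
  cm.withdraw(['analytics']);
  steps.push(jar.get('_ga') === null);                     // true: cookie purged
  steps.push(cm.allowed('analytics'));                     // false
  return steps;
}
```

The policy-version check is the part most real banners get wrong: when the purposes change, consent collected under the old text must not carry over, so the manager simply stops honoring it and the site asks again.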

Which Businesses are Affected by the GDPR?

The EU casts a wide net when it comes to which businesses must comply with the GDPR. If you collect, store, share, or do anything with the data of an individual from an EU state, you have to abide by the rules of the GDPR.

It doesn’t matter where your business is located, either. Even if you’re based outside the EU, if you offer goods or services to people in the EU or monitor their behavior (tracking website visitors, for instance), you’re covered by the GDPR (Art. 3(2)). The legislation also applies to businesses of any size and any type.

GDPR and small businesses

GDPR applies to companies of all sizes, including single-person businesses. Yet even the drafters of this complex legislation recognized that small and medium-sized businesses (SMBs) would be overly burdened by a one-size-fits-all approach to the extensive requirements. To alleviate that, the GDPR carved out a concession for organizations with fewer than 250 employees (Art. 30(5)).

Such companies are exempt from keeping records of processing activities, but only if their processing is occasional, is unlikely to result in a risk to data subjects’ rights and freedoms, and involves neither special category data nor data about criminal convictions. A business that processes customer data as a regular part of its operations does not qualify for the exemption.

If your business falls within this category, it is still a good idea to understand and follow basic GDPR principles. At the very least, all SMBs should:

Infographic showing what should small businesses do regarding GDPR

  • Understand their GDPR responsibilities
  • Understand their data
  • Define a data consent policy
  • Dispose of old data
  • Store data securely
  • Train staff how to properly handle data
  • Handle subject access requests (SARs)
  • Document how your business manages data
  • Appoint a data protection officer (DPO)

What if my business is not in the European Union?

As noted earlier, the reach of the GDPR is extensive. The law extends beyond the EU and includes your business if you offer goods or services to people in an EU state or monitor their behavior there (Art. 3(2)).

In practical terms, any business, anywhere in the world, falls within GDPR jurisdiction if it targets or tracks people in an EU state. Find out which countries are part of the GDPR below.

What Types of Data Does the GDPR Affect?

The GDPR was designed to protect “personal data.” But what, exactly, does that phrase mean? The GDPR has created two classifications of personal data, and these are important to differentiate in your business, as they also relate back to the levels of expected protection.

The two classes of data are:

1. Personal data (GDPR Art. 4(1))

If an individual can be identified, directly or indirectly, from a piece of data, on its own or in combination with other data, it is deemed personal data. Data that can be used to do this is known as an “identifier.”

So, for example, this includes a name, address, and date of birth, as well as online identifiers like an IP address or a cookie ID. Personal data also covers information about a person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

2. Sensitive personal data (GDPR Article 9)

It is important to differentiate between the personal data described above and “sensitive” personal data, as the GDPR has set out stringent rules to protect it.

Sensitive personal data, which the GDPR calls “special category” data, includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data about a person’s sex life or sexual orientation. Processing it is prohibited unless one of the exceptions in Art. 9(2) applies, such as the data subject’s explicit consent.

What Happens if I Violate the GDPR?

The GDPR proved it isn’t messing around when it set out the possible fines for non-compliance. To say these fines can be expensive is an understatement. Companies like H&M and Grindr have previously been fined hefty sums for GDPR violations.

There are two levels of fines enforced through the GDPR and their supervisory authorities. These are:

Level 1 — up to 10 million Euros or 2% of worldwide annual turnover, whichever is higher (Art. 83(4)). Reasons include:
  • Failing to secure personal data or to notify a personal data breach (Arts. 32–34)
  • Failing to designate a DPO (where required)
  • Failing to conduct a DPIA (where required)
  • Failing to keep appropriate records of processing

Level 2 — up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher (Art. 83(5)). Reasons include:
  • Processing without a lawful basis, including failing to obtain valid consent
  • Not upholding data subjects’ rights under the GDPR
  • Transferring data outside the EU in breach of Chapter 5 of the GDPR

As you can see, the penalties for violating the GDPR are harsh. Sometimes they are even catastrophic for a business.

Does My Business Need a Data Protection Officer (DPO)?

One way to protect a business from a potential GDPR violation is by appointing a Data Protection Officer (DPO). This is an individual designated by your organization to advise on and monitor its GDPR obligations, and to act as the point of contact for the supervisory authority and for data subjects (Art. 39). The DPO can be an employee or an external consultant.

For example, under certain conditions, the GDPR specifies that a Data Protection Impact Assessment (DPIA) must be carried out. A DPO can advise and help with this.

The GDPR (Art. 37) stipulates that you MUST designate a DPO if any one of the following applies to you:

  • You are a public authority or body (other than a court acting in its judicial capacity)
  • Your core activities require regular and systematic monitoring of data subjects on a large scale
  • Your core activities consist of large-scale processing of special category data or data about criminal convictions

Even if you don’t fall into any of the categories above, having the advice of a privacy specialist, like a DPO, can be useful in helping with how to apply the GDPR requirements.

List of Countries in the EU: Which Countries Does the GDPR Apply to?

By now, you are no doubt wondering which countries can ensnare you in GDPR compliance. Here’s a list of the countries that are part of the GDPR.

EU member states:
  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

EEA countries (not EU members, but the GDPR applies to them through the EEA Agreement):
  • Iceland
  • Liechtenstein
  • Norway

Other territories and islands of member states where the GDPR also applies:
  • Azores
  • Canary Islands
  • Guadeloupe
  • French Guiana
  • Madeira
  • Martinique
  • Mayotte
  • Réunion
  • Saint Martin

Of course, the EU is not a fixed entity. Countries can join the arrangement, and a member today may no longer be a member tomorrow. Businesses must stay abreast of EU membership developments to ensure GDPR compliance.

How did BREXIT impact the GDPR?

One recent example of the fluid nature of the European Union is the UK’s withdrawal from the bloc.

BREXIT, the informal name for the United Kingdom’s departure from the European Union, took effect on January 31, 2020, and the transition period during which EU law continued to apply in the UK ended on December 31, 2020. Since then, England, Scotland, Wales, and Northern Ireland have no longer been members of the EU. BREXIT did not change how the GDPR functions in the EU: it still applies to any UK business that offers goods or services to people in the EU or monitors their behavior.

Domestically, the UK had already enacted its Data Protection Act 2018 alongside the GDPR. After BREXIT, the GDPR was retained in UK law as the “UK GDPR,” which the Data Protection Act 2018 supplements, so the UK rules remain almost identical to the original provisions.

Practically speaking, the main impacts of BREXIT on individual data protection are which regulator enforces against you (the UK’s Information Commissioner’s Office under the UK GDPR, or an EU supervisory authority under the EU GDPR) and the fact that the UK is now a “third country” for transfers of personal data out of the EU, currently covered by an EU adequacy decision.

How to Be GDPR Compliant

GDPR should not be thought of as a one-off tick box exercise. Instead, it is a process of understanding the how’s and why’s of personal data processing in your business.

A large part of GDPR involves documenting processes and mapping or classifying data. Besides complying with the GDPR, this can be a useful thing to do as a general security awareness exercise.

As you assess your GDPR compliance, you may also spot security vulnerabilities. Fixing these will benefit your organization, your customers, and your clients. Ultimately, coming into compliance with GDPR may take some effort — but it will be worth it to avoid hefty fines and to show that your organization respects user privacy preferences.

A GDPR compliance checklist you can use today

Ensuring your compliance with the GDPR can be an overwhelming task. Having a GDPR compliance checklist to walk you through what you must address simplifies the process.

Of course, GDPR compliance can get complicated, and there is no one-size-fits-all approach. How you comply with the GDPR depends on the size and complexity of your business. It is always a good idea to work with a professional to ensure full GDPR compliance and avoid hefty fines.

But to get you thinking about GDPR compliance, here are the main areas to cover.

  1. Appoint or hire a data protection officer (DPO). Put someone in this role at your company. While not always required by the GDPR, you’ll at least have one point of contact for all things GDPR-related.
  2. Assess your data privacy measures. Inventory all your data collection processes and evaluate how confidential the information is, why you are collecting it, and the security of the data.
  3. Outline your data management plan. Identify and assemble the people, processes, and technology required to appropriately handle the data collected in all areas of your business.
  4. Get user consent. Implement the tools necessary to gather the requisite consent from your users, and make sure the tools offer transparency and give users control over how and what personal data is collected.
  5. Document compliance, record keeping, and auditing procedures. Write down all the processes that prove how your organization is compliant with the GDPR, as regulators can demand this information at any time.
  6. Identify your data breach protocols. Prepare procedures for notifying your supervisory authority if/when a personal data breach occurs: the notice is required within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals (Art. 33), and the affected individuals themselves must be informed without undue delay when the risk to them is high (Art. 34).

Staying Compliant with the GDPR

The EU’s General Data Protection Regulation laws can be a scary web of requirements for any business to navigate. But even so, the GDPR is not something to ignore.

Business-destroying fines for violations show just how serious the European Union is about individual data protection in today’s highly online world. Whenever you engage with a resident of an EU state, no matter where your business is located, you have to comply with the GDPR’s requirements.

Start with our GDPR compliance checklist to identify areas where you might need to strengthen your GDPR efforts. Whether required or not, appoint a Data Protection Officer. Finally, work with legal experts to ensure your business is compliant with the EU’s rules on data privacy and security.

GDPR: Frequently Asked Questions

Still have questions? Read our answers to the most frequently asked questions about the General Data Protection Regulation (GDPR).

The GDPR is the acronym for sweeping consumer privacy legislation enacted by the European Union in 2018: the General Data Protection Regulation. Violating the GDPR can result in fines of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher.

Read our full article to find out more about the GDPR, including ways to ensure you don’t violate this serious law.

Complying with the General Data Protection Regulation (GDPR) means a company is protecting the personal information of customers and website visitors. Compliant companies:

  • Understand their GDPR responsibilities, including how to report a data breach
  • Understand their data
  • Define a data consent policy
  • Dispose of old data appropriately
  • Store data securely
  • Train staff how to properly handle data
  • Incorporate a procedure for handling an individual request for the data you have about them — known as a Subject Access Request (SAR)
  • Document how your business manages data
  • Appoint a Data Protection Officer (DPO), even if one is not required

Read our full article for a GDPR compliance checklist you can use and other tips on how to be GDPR compliant.

GDPR compliance starts by understanding the law, and documenting, mapping, and classifying all processes that deal with personal data. A GDPR compliance checklist can help you walk through the process.

Read our full article that includes a GDPR compliance checklist and shares other important information about the GDPR.

Two types of personal data are protected under the GDPR:

  • Personal data — any information that identifies an individual, directly or indirectly
  • Sensitive (“special category”) personal data — racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data about sex life or sexual orientation

Read our full article to learn everything you need to know about the GDPR and how to stay compliant with it.

If your business suffers a personal data breach, you have an immediate responsibility to proactively notify your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Your business should have documented procedures covering who provides this notice and how.

Our GDPR compliance checklist covers this and all other responsibilities your business has under the GDPR.

Author
Tech journalist
Liz is a professional writer with a special interest in online privacy and cybersecurity. As a US expat who travels and works in diverse locations around the world, keeping up with the latest internet safety best practices remains her priority.
Contributor
Corporate IT security expert
Susan has been involved in the IT security sector since the early nineties, working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology.