GDPR Compliance Checklist

Home > Blog > GDPR Compliance Checklist
7 December, 2017

Whatever the size of your business, you must take action to prepare for the General Data Protection Regulation (GDPR), which comes into force on 25th May, 2018.

The new regulations that come into place cover the privacy and data protection of all individuals within the EU. Therefore, every company must reevaluate their privacy settings and update their policies, among other things.

We understand it can be difficult to know where to start. So, to help clear some of the confusion, we have compiled this checklist to help you what the GDPR means for your business.

GDPR Compliance Checklist:

First Steps

  • Firstly, appoint an individual to ‘lead’ on GDPR compliance in your organisation. You need someone to take ownership of the issue to ensure you are compliant by 25th May 2018.
  • Secondly, areas in which your organisation is currently non-compliant. You may wish to enlist the support of employees in this task, and document areas of concern.


  • Ensure that all employees are aware of their GDPR-related responsibilities.
  • Review who has access to information and what they can do with it. Set in place the ability to change access rights as appropriate. You need to protect your organisation against data breaches, but also ensure that employees have access to the information they need to do their jobs. A detailed audit will help you to do this.
  • Ensure employees understand what to do in the event of a data breach. Make sure you have a clear policy and procedure so that you can address issues proactively before they have a chance to escalate.

Information Gathering

  • Identify the lawful basis of your information-gathering, and ensure that the reasons are clear to all who are concerned. Your privacy notice might be the best way to communicate.
  • Make sure you currently seek consent when requesting information from individuals, and ensure that you document this properly.
  • If you collect data for email marketing purposes, ensure recipients have proactively opted in.  Furthermore, you should not add people to your mailing list without their consent.
  • Because the GDPR contains special protection for children, you may need to consider whether you need systems in place to verify people’s ages and obtain parental/guardian consent for data processing.

Information Management

  • Document what personal data you hold. Be clear on where the information came from, where you hold it, as well as who has access to it.
  • Review your IT systems to ensure information is held securely with appropriate backup.
  • Make sure your privacy notice is up-to-date and GDPR-compliant. This notice tells people from whom you collect data, who you are, as well as what you are going to do with their information. There are several requirements in GDPR which are additional to the current Data Protection Act, such as the need to explain your data retention periods.
  • Make sure you have the correct procedures in place to ensure that inaccuracies can be rectified. This is needed not just within your own organisation, but with any other person/organisation you pass that information onto.
  • Make sure you have robust procedures in place to identify, report and investigate any breaches in personal data that may occur.

Ensure your organisation can respond appropriately to information requests. Work out how you would comply with the individual rights that are outlines within GDPR, which are;

    1. The right to be informed
    2. The right of access
    3. The right to rectification
    4. The right to erasure
    5. The right to restrict processing
    6. The right to data portability
    7. The right to object
    8. The right not to be subject to automated decision-making, including profiling

International Businesses

If your organisation operates within other EU territories and you carry out cross-border processing (you are established in more than one EU country or your data processing substantially affects individuals in other EU states), you need to document the lead data protection supervisory authorities.

How Can Ten Ten Systems Help You Prepare for GDPR?

Because your IT systems are central to GDPR compliance, we are here to help. Our team can identify how it will affect your business, and also put in place the correct systems to ensure information is correctly handled.

“The penalties for non-compliance are severe, so you need to understand what GDPR means for your organisation and take action now.” – Steve Birks, MD

What to do next

Please contact us to discuss GDPR and its potential impact on your business. Alternatively, you can read our whitepaper, which gives useful information on the key principles of the Regulations, along with a step-by-step guide to compliance.

For more information about our service

Get in touch