GDPR Compliance Checklist
The General Data Protection Regulation is the EU's comprehensive data protection law. This checklist covers the key requirements every website owner and business should address.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection and privacy law adopted by the European Union in 2016 and enforced since May 25, 2018. It sets strict rules for how organisations collect, store, process, and share personal data of individuals in the EU and European Economic Area.
GDPR replaced the 1995 Data Protection Directive and introduced significantly higher penalties, stronger individual rights, and broader territorial scope. It applies regardless of where the organisation is located, as long as it processes personal data of EU residents.
Who Does GDPR Apply To?
GDPR applies to any organisation that processes the personal data of individuals in the EU, regardless of the organisation's location. This means:
- •Businesses established in the EU that process personal data.
- •Businesses outside the EU that offer goods or services to EU residents, or monitor their behaviour.
- •Any website that uses cookies, analytics, or tracking for EU visitors.
Key Requirements Checklist
Establish a lawful basis for processing
Identify and document a lawful basis (consent, legitimate interest, contract, etc.) for every type of personal data you collect.
Implement valid consent mechanisms
Use clear, affirmative opt-in consent for cookies and data processing. Pre-ticked boxes are not valid consent under GDPR.
Publish a transparent privacy policy
Provide a clear, plain-language privacy policy covering what data you collect, why, how long you retain it, and who you share it with.
Honour data subject rights
Implement processes to handle access, rectification, erasure, portability, and objection requests within 30 days.
Appoint a Data Protection Officer (if required)
Organisations that process data at scale or handle special category data must appoint a DPO.
Maintain a Record of Processing Activities
Document all processing activities including purposes, categories of data, recipients, and retention periods.
Conduct Data Protection Impact Assessments
Perform DPIAs for high-risk processing activities such as large-scale profiling or systematic monitoring.
Implement data breach notification procedures
Notify your supervisory authority within 72 hours of becoming aware of a personal data breach.
Ensure data processor agreements are in place
All third-party processors must have written contracts specifying GDPR obligations and data handling requirements.
Apply data minimisation principles
Collect only the personal data that is strictly necessary for the specified purpose.
Implement appropriate security measures
Use encryption, pseudonymisation, access controls, and regular security testing to protect personal data.
Manage international data transfers
Use Standard Contractual Clauses, adequacy decisions, or other approved mechanisms for transfers outside the EEA.
Penalties for Non-Compliance
GDPR violations can result in significant fines across two tiers:
Lower Tier
Up to €10 million or 2% of global annual turnover, whichever is higher. Applies to administrative and technical violations.
Upper Tier
Up to €20 million or 4% of global annual turnover, whichever is higher. Applies to violations of core principles and data subject rights.
Verifica la tua conformità ora
Usa Pryvii per analizzare automaticamente il tuo sito web e ottenere un punteggio di conformità con raccomandazioni pratiche.