GDPR Checklist

This checklist will help you track your GDPR compliance efforts and reduce your
exposure to potential regulatory fines.

To learn how UpGuard can help you track GDPR compliance, reduce
vendor security risks, and protect your customer data from breaches, click
below to request a free trial.

Lawful Basis and Transparency

1 Conduct a data protection impact assessment (DPIA) to

identify and evaluate the risks associated with your processing
activities.

2 Keep an up-to-date and detailed list of all processing activities,

including the purposes, types of data processed, who has
access to it in your organization, any third parties that have
access (and their location), the measures taken to protect the
data, and the planned data retention periods (if applicable).

3 Choose a lawful basis for processing that complies with GDPR

requirements and document your rationale for selecting it.

www.upguard.com 1
 4 If you choose "consent" as your lawful basis, ensure that data
subjects are given clear and specific information about what
they are consenting to, and that they are given an ongoing
opportunity to revoke their consent.

5 If you choose "legitimate interests" as your lawful basis, conduct

a privacy impact assessment (PIA) to demonstrate that the
processing is necessary for a legitimate purpose and that the
interests of data subjects are not overridden.

6 Ensure that your privacy policy is up-to-date, easily accessible,

and provides a concise and transparent explanation of your data
processing activities, including how data is processed, who has
access to it, and how it is kept safe.

7 Provide data subjects with the information required by Article

12 of the GDPR at the time you collect their data, in a concise,
transparent, intelligible, and easily accessible form, using clear
and plain language.

8 Ensure that your privacy policy and any other communications

with data subjects are regularly reviewed and updated as
needed to ensure compliance with GDPR requirements.

9 Implement appropriate technical and organizational measures to

ensure the security of personal data, including measures such
as encryption and regular data backups.

10 Be prepared to demonstrate GDPR compliance by maintaining

accurate records of your processing activities, your lawful basis
for processing, and your compliance with GDPR requirements.

www.upguard.com 2
Data Security

11 Implement "data protection by design and by default" principles,

including appropriate technical and organizational measures to
protect personal data, such as encryption, pseudonymization,
data minimization, and regular data deletion.

12 Use productivity tools with built-in end-to-end encryption for

secure processing of personal data.

13 Create a security policy that includes guidelines for email

security, password management, two-factor authentication,
device encryption, and VPNs, and provide training to employees
who have access to personal data and non-technical
employees.

14 Conduct a data protection impact assessment (DPIA) to

understand how your product or service could jeopardize
customers' data and minimize risks. Perform a DPIA whenever
you plan to process personal data in a way that is likely to result
in a high risk to individuals' rights and freedoms.

15 Follow the guidelines provided by the UK Information

Commissioner's Office for conducting a DPIA, including using
their DPIA checklist.

16 Have a clear plan and procedure in place for reporting data
breaches to supervisory authorities and notifying affected data
subjects within 72 hours of the breach.

17 Regularly review and update your security policies and

procedures to ensure continued compliance with GDPR
requirements and to reflect any changes in the nature of your
data processing activities.

www.upguard.com 3
 18 Ensure that all personal data is stored in secure locations and
that access to it is limited to those who need it for legitimate
business purposes.

19 Conduct regular vulnerability assessments and penetration

testing to identify and address any weaknesses in your data
security.

20 Document your compliance efforts, including the technical

and organizational measures you have implemented to protect
personal data, and regularly review and update these measures
to ensure that they remain effective in mitigating data security
risks.

Accountability and Governance

21 Designate a person within your organization responsible for

ensuring GDPR compliance across all areas of your organization,
including evaluating data protection policies and their
implementation.

22 Ensure that all third-party service providers that process

personal data on your behalf sign a data processing agreement
that spells out the rights and obligations of each party for GDPR
compliance.

23 If your organization is located outside of the EU, appoint a

representative within an EU member state to communicate
on your behalf with data protection authorities in the member
state(s) where you process data relating to people.

www.upguard.com 4
 24 Consider appointing a Data Protection Officer (DPO), even if
you are not required to do so by the GDPR. The DPO should be
an expert on data protection and responsible for monitoring
GDPR compliance, assessing data protection risks, advising
on data protection impact assessments, and cooperating with
regulators.

25 Establish a GDPR compliance program that includes ongoing

monitoring and evaluation of your data protection policies and
procedures, as well as regular training and awareness-raising
efforts for all employees.

26 Develop and implement appropriate internal controls to ensure

the accuracy, completeness, and reliability of personal data,
including policies for data retention, data deletion, and data
access.

27 Regularly review and update your GDPR compliance program

to ensure that it reflects changes in the nature of your data
processing activities, as well as changes in applicable laws and
regulations.

28 Document all aspects of your GDPR compliance efforts,

including your designated GDPR compliance officer, data
processing agreements with third parties, the appointment of
a representative within an EU member state (if applicable), and
the appointment of a DPO (if applicable).

29 Ensure that all employees are aware of their responsibilities

under the GDPR and receive regular training on GDPR
compliance.

30 Conduct periodic GDPR compliance assessments to evaluate

the effectiveness of your GDPR compliance program and
identify areas for improvement.

www.upguard.com 5
Privacy Rights

31 Develop and implement a process for responding to requests

from data subjects to access their personal data, including
verifying their identity, providing the requested information
for free within a month, and charging a reasonable fee for
subsequent copies.

32 Put in place a data quality process to keep personal data up

to date and accurate, and make it easy for data subjects to
view and update their personal information for accuracy and
completeness within a month of their request.

33 Develop and implement a process for responding to requests

from data subjects to delete their personal data within a month
of their request, except in limited circumstances outlined by the
GDPR, and verify the identity of the person making the request.

34 Develop and implement a process for responding to requests

from data subjects to restrict or stop the processing of their
personal data within a month of their request, while notifying
them before processing their data again.

35 Develop and implement a process for responding to requests

from data subjects to receive their personal data in a commonly
readable format and transmit it to a third party they designate.

36 Develop and implement a process for responding to requests

from data subjects to object to the processing of their personal
data for the purposes of direct marketing and immediately stop
processing their data for that purpose.

www.upguard.com 6
 37 If your organization uses automated decision-making processes
that have legal or "similarly significant" effects, set up a
procedure for data subjects to request human intervention, to
weigh in on decisions, and to challenge decisions already made.

38 Ensure that all employees who handle personal data are trained
on responding to requests from data subjects and the GDPR's
requirements for privacy rights.

39 Document all aspects of your privacy rights compliance efforts,

including your procedures for responding to requests, data
quality processes, and employee training.

40 Regularly review and update your privacy rights compliance

program to ensure that it reflects changes in the nature of your
data processing activities, as well as changes in applicable laws
and regulations.

www.upguard.com 7
Protect Your Business and
Customers from Costly Breaches
with UpGuard
UpGuard helps businesses address internal and third-party data breach attack vectors with
a range of powerful features, including:

• Vendor Data Leak Detection - Don't let a vendor leak your data. Provide UpGuard with
a list of vendors you want to monitor, and get notified if any of them start leaking data.

• Risk Assessment Workflows - Every vendor risk matters. UpGuard automates your
risk assessment workflows, accelerating decision-making and helping you to assess,
waive or create actionable remediation plans that are fully auditable.

• Comprehensive Security Ratings - Our security ratings provide a data-driven,

objective, and dynamic measurement of your security posture. We use trusted
commercial, open-source, and proprietary threat intelligence feeds and non-intrusive
data collection methods.

• Questionnaires Mapping to Regulations - Achieve compliance for ISO27001, GDPR,

NIST, and others by using UpGuard security questionnaires for your vendors.
We're here to help, shoot us an email at sales@
upguard.com

Looking for a better, smarter way to protect your

data and prevent breaches?

UpGuard offers a full suite of products for

security, risk and vendor management teams.

www.upguard.com 650 Castro Street, Suite 120-387, Mountain View CA 94041 United States

+1 888-882-3223
© 2023 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard
logo are registered trademarks of UpGuard, Inc. All other products or
services mentioned herein are trademarks of their respective companies.
Information subject to change without notice.