GDPR AUDIT CHECKLIST FOR SMALLER BUSINESSES
© 500 Words Ltd, 2018. You may share only provided you keep this notice. You have no licence to adapt. Please tell us if it needs changes.

| Topic | Action | Y/N/DK | Evidence/action | GDPR Requirements |
|---|---|---|---|---|
| 1. Awareness | Is everyone aware of GDPR? | | | Read ICO 12 Steps. Train staff on GDPR. |
| | Have you identified possible compliance issues? | | | You should ensure suppliers are GDPR-compliant by asking them to confirm their security measures. Check that contracts include the requirements in Article 28(3). |
| | Do you have records of the audit? | | | |
| | Have you completed due diligence on your supply chain? | | | |
| 2. Information audit | What personal data do you hold? | | | GDPR requires you to maintain records of your processing activities. GDPR requires you to show how you comply (accountability). Article 9 defines sensitive data. |
| | Is any of it sensitive data? | | | |
| | Where did it come from? | | | |
| | Where is it stored (device & location)? | | | |
| | Is it encrypted? | | | |
| | Who do you share it with? | | | |
| 3. Communicating privacy info | What does your privacy notice say? | | | GDPR requires you to explain your lawful basis (see 6) for processing data, your data retention periods and the individual's rights, in plain language. See ICO Privacy Notice Guide. |
| | Do you need to update your privacy notice for GDPR? | | | |
| | Is your privacy policy on your website? | | | |
| | Do you need to update your T&C for the new data regulations? | | | |
| 4. Individuals' rights | Does your data policy cover all the rights individuals have? | | | GDPR gives individuals these rights: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; the right not to be subject to automated decision-making, including profiling. |
| | Does your data policy need updating? | | | |
| | Do you delete personal data? | | | |
| | Do you provide data electronically or in a commonly used format? | | | |
| 5. Access requests | Do your procedures allow you to (1) handle requests for information in the new timescales and (2) provide the correct information? | | | GDPR gives a month to comply (was 40 days). Compliance is mostly without charge. |
| 6. Lawful basis | What is the lawful basis for your processing of data? | | | Lawful bases for necessary processing are: clear consent; contract; legal obligation (e.g. as employer); vital interests (protect life); public task; legitimate interests. See ICO Guide on lawful processing. |
| | Do you have fair processing notices? | | | |
| | Where is that stated? | | | |
| | Have you updated your privacy notice to explain it? | | | |
| 7. Consent | Have you reviewed how you seek, record and manage consent? | | | Consent must be freely given, specific, informed and unambiguous. It cannot be inferred from silence, inactivity or pre-ticked boxes. Do not rely on implied consent. Separate consent requests from other T&C. Simplify unsubscribing. See ICO Consent Guidance. |
| | If someone joins your email list, do they know the content you will send? | | | |
| | Can you prove their consent? | | | |
| | Do your existing consents meet the GDPR standards? | | | Free choice + positive opt-in. |
| | Can they unsubscribe easily? | | | |
| 8. Children | Do you verify the ages of individuals? | | | GDPR requires specific protection for children's (below 16 years old) personal data and requires parental consent for a child. Your privacy notice should be understandable to children. |
| | Do you need a procedure to get parental consent? | | | |
| 9. Data breaches | Do you have procedures to (1) detect, (2) report and (3) investigate a data breach? | | | GDPR requires you to notify the ICO of a breach within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals. |
| 10. Privacy Impact Assessment | Has everyone read the ICO Code of Practice on Privacy Impact Assessments? | | | GDPR requires privacy by design. You may need a Data Privacy Impact Assessment. See ICO PIA Guidance. |
| | Do you know how & when you will implement any DPIA? | | | |
| 11. Data Protection Officers | Do you need a DPO to check compliance? | | | GDPR requires a DPO if you are a public authority, carry out large-scale regular monitoring or large-scale processing of specific personal data. |
| | Who is your DPO (or equivalent)? | | | |
| 12. International | If you work across EU member states, who is your lead data protection supervisory authority? | | | The lead authority is where your main establishment is. |