Skip to main content

A checklist for complying with GDPR

Always be prepared to comply with GDPR regulations with this handy checklist. Through a systematic approach to your data and information security, you can ensure that you follow the necessary guidelines and protect your users’ personal information. Get ready to tackle GDPR requirements with this easy and effective checklist.

  1. Get to know the rules
  2. Appoint a data controller
  3. Implement technical data security measures
  4. Develop a privacy policy
  5. Identify your data
  6. Ensure processing of personal data
  7. Provide documentation
  8. Monitor compliance

1. Get to know the rules

The basis for complying with the GDPR is to understand the legislation that applies to one. In Denmark, the Personal Data Act defines the specific guidelines for processing personal data, while the GDPR constitutes the European data protection regulation that companies in Europe must comply with. For companies operating globally, there are additional regulations to consider, such as the CCPA and UK-GDPR. Companies must have a clear understanding of the relevant legislation, e.g. GDPR. This involves identifying how the law applies to their specific activities and what obligations it imposes.

2. Appoint a data controller

A Data Protection Officer (DPO) acts as an internal representative for data protection and is tasked with ensuring that the company complies with the requirements of the Personal Data Regulation. The person is involved in all aspects of data protection and acts as the company’s contact person for the Norwegian Data Protection Authority.

Very specific rules apply to when a company must appoint a data protection officer. Read more about it here.

Did you know that organisations that do not comply with regulations like GDPR face significantly higher costs when data breaches occur? (

3. Implement technical data security measures

You should also implement security measures and policies to protect the data you collect. These can include:

  • Strong passwords
  • Pseudonymisation
  • Encryption
  • Virus protection
  • Building security
  • Device security
  • DPIAs (Data Protection Impact Assessments)
  • Policies for data deletion and disposal of paperwork
  • Other policies to prevent unauthorised access to the data
  • Regular updates to your systems and databases

Read more about setting up security measures here.

4. Develop a privacy policy

Next, use what you’ve learned about your data to create a detailed privacy policy that outlines what data you collect and how you will use, store, and protect it.

A simple, clear policy shows customers that you care about their privacy. It also helps satisfy regulations that require you to keep people informed about how their data is handled. Your privacy policy should:

  • Tell people what kinds of data are collected, how, and why
  • Show how data is processed and kept safely
  • Explain users’ rights
  • Be up to date
  • Provide contact information
  • Let people know how they can make a complaint, if needed
Identify sensitive data

5. Identify your data

The first step to GDPR compliance is to identify the personal data you collect and store. This includes any personal data from customers, employees, or other individuals. Classify the data by sensitivity level. Ask:

  • What type of data is it?
  • What is the purpose of collecting and storing this data? 
  • How long have I had it?
  • Who has access to it? 
  • Who will it be shared with? 

Read more about how to find your sensitive data here.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

6. Ensure processing of personal data

In order to comply with the GDPR, it is essential to process personal data properly. By doing this, you as a company not only protect the rights of the individual, but also maintain the trust and credibility of your customers, business partners and the outside world. Read more about responsible processing of personal data.

GDPR training

7. Provide documentation

Keep documentation that shows the company is actively working to be compliant. This may include policies, training records and results of completed audits.

8. Monitor compliance

Finally, you should regularly monitor your compliance with GDPR to make sure you (and everyone on your team) are putting your policies into practice. You should also stay up to date on any changes to regulations that affect your company, then ensure your processes continue to be in line with new requirements.

Need help on GDPR?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

An incomplete checklist

The fact is, there is no such thing as a perfect, foolproof GDPR checklist. All businesses and their data collection activities are different. Further, the GDPR itself deliberately uses ambiguous and open-ended language, for several reasons:

  1. Personal data has a broad definition.
  2. The types of personal data companies collect will vary.
  3. The roles and responsibilities of your company as a data controller may change.
  4.  Appropriate security measures and technology can change.
  5. New security threats may emerge.

This ambiguity in regulations and the constantly evolving world we work in both make it impossible to create a GDPR checklist that can guarantee compliance. However, that is not an excuse to sit back, do nothing, and just hope for the best. Take action. Start with the steps above. Going through them carefully will certainly put you ahead of the game and on the right track for compliance.

Do you need more help to comply with GDPR?

In Safe Online, we create SaaS solutions that make it easier to comply with GDPR. See our solutions here:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →

Contact me today


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit