Lumiform Mobile audits & inspections

GDPR compliance template

Every company is unique. Since the GDPR (General Data Protection Regulation) takes a risk-based approach to data protection, each company must create, review and evaluate its own procedures for collecting and storing personal data. Legal advice may also be sought to confirm that business practices comply with the provisions of the GDPR. This GDPR compliance checklist lets you check step by step whether a company is GDPR compliant.

GDPR Compliance Checklist
Assessment of the Current Situation
What personal data is collected/stored?
Has this personal data been collected in a lawful manner?
Is it ensured that the personal data is not kept longer than necessary and is always kept up to date?
Is personal data kept in a safe and secure environment, and is a level of security appropriate to the risk ensured?
Is encryption or pseudonymization required to protect the stored personal data?
Is access to personal data restricted so that it is used only for its intended purpose?
Are special categories of personal data, such as so-called "sensitive data," children's data, biometric or genetic data, or the like, collected and processed?
Is the personal data transferred outside the EU?
Has a data protection officer been appointed?
GDPR Project Plan
Are there sufficient resources and funding to implement and monitor the GDPR provisions?
Does a data protection impact assessment need to be performed?
Has a policy on "privacy by design and default" been implemented to ensure a systematic evaluation of the potential impact of a project or initiative on the privacy of individuals?
Has the handling of employee data been considered in the plan?
Procedures and controls
Does the security team have the necessary knowledge and competencies to meet its obligations related to the GDPR, as well as sufficient resources to implement any necessary changes or new procedures?
Are adequate procedures in place to handle requests from data subjects for modification or deletion of, or access to, personal data?
Are data breach notification procedures in place that comply with the extended notification obligations under the GDPR?
Are employees fully trained in EU data protection to handle data in compliance with the rules?
Is the stored data regularly assessed and audited?
Has a privacy policy been implemented?
Are clearly defined policies in place regarding how long the various categories of personal data are retained, whether customer, prospect, vendor, or employee data?
Are internal procedures documented to a sufficient extent?
Do contracts comply with the mandatory provisions of Art. 28 of the GDPR?
Are contracts with third-party providers who process personal data for the company designed in such a way that they comply with the requirements for processors set out in the GDPR?

Please note that this checklist template is a hypothetical example and provides only standard information. The template does not aim to replace, among other things, workplace, health and safety advice, medical advice, diagnosis or treatment, or any other applicable law. You should seek professional advice to determine whether the use of such a checklist is appropriate in your workplace or jurisdiction.