Overview
The General Data Protection Regulation (GDPR) has been the global benchmark for data protection since it took effect in May 2018. It applies to any organization that processes personal data of individuals in the European Economic Area (EEA), regardless of where the organization is based. With fines reaching up to 4% of annual global turnover or 20 million euros (whichever is higher), and over 4.5 billion euros in cumulative fines issued through 2024, GDPR compliance remains a top priority for organizations worldwide. This checklist covers the key implementation areas.
Lawful Bases for Processing
| Lawful Basis | When to Use | Key Considerations |
|---|---|---|
| Consent | Individual has given clear consent for specific purposes | Must be freely given, specific, informed, and unambiguous; easily withdrawable |
| Contract | Processing necessary to fulfill a contract with the individual | Cannot extend processing beyond what the contract requires |
| Legal Obligation | Processing necessary to comply with the law | Must identify the specific legal requirement |
| Vital Interests | Processing necessary to protect someone's life | Only use when no other lawful basis applies; rarely applicable |
| Public Task | Processing necessary to perform a public authority function | Must have a basis in law for the public task |
| Legitimate Interests | Processing necessary for legitimate interests not overridden by individual rights | Requires a documented Legitimate Interest Assessment; does not apply to public authorities |
Data Subject Rights
Individuals have eight fundamental rights under GDPR that your organization must operationalize:
- Right to be informed: Provide transparent privacy notices at the point of data collection
- Right of access: Respond to Subject Access Requests (SARs) within one month
- Right to rectification: Correct inaccurate personal data without undue delay
- Right to erasure: Delete personal data when there is no compelling reason to continue processing
- Right to restrict processing: Restrict processing in specific circumstances while issues are resolved
- Right to data portability: Provide personal data in a structured, commonly used, machine-readable format
- Right to object: Allow individuals to object to processing based on legitimate interests or direct marketing
- Rights related to automated decision-making: Provide human intervention for decisions made solely by automated processing
Implementation Checklist
- Conduct comprehensive data mapping to identify all personal data flows, storage locations, and processing activities
- Maintain a Record of Processing Activities (ROPA) as required under Article 30
- Identify and document the lawful basis for each processing activity
- Update privacy notices to include all GDPR-required information in clear, plain language
- Implement processes to handle data subject rights requests within the one-month deadline
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Appoint a Data Protection Officer (DPO) if required under Article 37
- Review and update data processor agreements to include Article 28 required clauses
- Implement appropriate technical and organizational measures (Article 32) including encryption and pseudonymization
- Establish data breach notification procedures to notify the supervisory authority within 72 hours
- Assess cross-border data transfers and implement appropriate safeguards (SCCs, BCRs, or adequacy decisions)
- Conduct regular data protection training for all staff who process personal data
Data Protection Impact Assessments
A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The DPIA must describe the processing operations and their purposes, assess the necessity and proportionality of the processing, evaluate the risks to individuals, and identify measures to address those risks. If the DPIA indicates high residual risk that cannot be mitigated, you must consult your supervisory authority before proceeding.
Cross-Border Data Transfers
| Transfer Mechanism | Description |
|---|---|
| Adequacy Decisions | Transfer to countries the European Commission has deemed to provide adequate data protection |
| Standard Contractual Clauses (SCCs) | Use EU-approved contractual templates with supplementary measures where needed |
| Binding Corporate Rules (BCRs) | Intra-group transfers covered by approved corporate binding rules |
| Derogations | Limited exceptions for explicit consent, contract performance, or public interest |
| EU-US Data Privacy Framework | Transfer to certified US organizations under the DPF (effective July 2023) |
Frequently Asked Questions
Does GDPR apply to organizations outside the EU?
When is a DPO required?
What is the data breach notification timeline?
How do we handle consent for cookie tracking?
What are the maximum fines under GDPR?