Overview
GDPR set a new global standard for data privacy when it took effect in 2018, and its influence continues to shape privacy laws worldwide. Whether you are based in the EU or simply process data from EU residents, GDPR applies to your organization. This checklist provides a practical implementation path covering data mapping, lawful bases for processing, data subject rights, DPIA requirements, and the operational changes needed to maintain ongoing compliance.
Key GDPR Implementation Steps
- Complete a data mapping exercise covering all personal data flows
- Identify and document the lawful basis for each processing activity
- Update privacy notices and consent mechanisms
- Implement data subject rights procedures (access, erasure, portability, etc.)
- Appoint a Data Protection Officer if required
- Conduct Data Protection Impact Assessments for high-risk processing
- Establish cross-border data transfer mechanisms (SCCs, adequacy decisions)
- Implement data breach detection, investigation, and notification procedures
- Review and update vendor contracts with data processing agreements
- Train all staff who handle personal data
Data Subject Rights
| Right | Description | Response deadline |
|---|---|---|
| Access | Individuals can request a copy of their personal data | One month |
| Rectification | Individuals can request correction of inaccurate data | One month |
| Erasure | Right to have personal data deleted under certain conditions | One month |
| Restriction | Right to limit how data is processed | One month |
| Portability | Right to receive data in a structured, machine-readable format | One month |
| Objection | Right to object to processing based on legitimate interests or direct marketing | Without undue delay |
| Automated decisions | Right not to be subject to solely automated decisions with legal effects | Without undue delay |
Data Protection Impact Assessments
A DPIA is required whenever processing is likely to result in a high risk to individuals. This includes large-scale profiling, systematic monitoring of public areas, processing of special categories of data at scale, and any new technology that creates privacy risks. The DPIA should describe the processing, assess necessity and proportionality, identify risks to individuals, and outline measures to address those risks. Consult your DPO during the assessment and engage the supervisory authority if residual risks remain high after mitigation.
Cross-Border Data Transfers
- Verify whether each data transfer destination has an EU adequacy decision
- For non-adequate countries, implement Standard Contractual Clauses (SCCs)
- Conduct Transfer Impact Assessments to evaluate the legal regime of the recipient country
- Implement supplementary measures (encryption, pseudonymization) where needed
- Monitor for changes to adequacy decisions and SCCs
- Document all international transfer mechanisms and keep them current
Ongoing Compliance Operations
GDPR compliance is not a one-time project. Maintain your Records of Processing Activities and update them whenever processing changes. Review vendor data processing agreements annually. Run data subject access request drills to test your response process. Monitor regulatory guidance and enforcement trends from supervisory authorities. Conduct periodic privacy audits to identify drift from your documented practices. Report to leadership on the state of the privacy program at least quarterly.
Frequently Asked Questions
Does GDPR apply to organizations outside the EU?
Yes. GDPR applies to any organization that offers goods or services to people in the EU or monitors the behavior of people in the EU, regardless of where the organization is physically located.
When is a DPO required?
A Data Protection Officer is required when the organization is a public authority, when core activities involve large-scale systematic monitoring of individuals, or when core activities involve large-scale processing of special categories of data or criminal conviction data.
What are the maximum GDPR fines?
Up to 4% of annual global turnover or 20 million euros (whichever is greater) for the most serious infringements. Less serious violations can result in fines up to 2% of turnover or 10 million euros.
What is the difference between a controller and a processor?
A controller determines the purposes and means of processing personal data. A processor processes data on behalf of the controller. Both have distinct obligations under GDPR, but controllers bear primary accountability.
How should we handle consent under GDPR?
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent are not valid. You must be able to demonstrate that consent was obtained, and individuals must be able to withdraw it as easily as they gave it.