GDPR checklist

Many organisations get stuck in their GDPR journey and need some fresh ideas to move ahead. 

If you're already using our integrated business management software, you can request our GDPR checklist to be added as an audit in the Audit Manager module. Simply talk to your account manager for more information. 


This GDPR checklist makes it easy for you to:

  • Schedule recurring audits 
  • Never miss a thing - everything is already in the system 
  • Assign roles and responsibilities 

If you're not already using our software, you can access a shorter version by downloading from the form below. 

Access our GDPR checklist as an Excel spreadsheet free here:



Roles and responsibilities for GDPR team

  • Have roles and responsibilities been defined? 
  • Do you need to hire a Data Protection Officer?
  • Have you communicated their roles to stakeholders?
  • Have you assembled a GDPR team?
  • Have you identified what information you collect?
  • Have you assessed how information is processed?
  • Have you identified what information you store?

Risk assessments 

  • Have you got an information asset register? 
  • Have you completed a DPIA? (example below)
  • Is privacy by design a consideration when there is a business change? 
  • DPIA example steps:
      • Identify the data flows
      • Describe the data flows 
      • If transferring personal data outside the EU, are there adequate protections in place? 
      • Identify privacy risks
      • Identify privacy solutions 
      • Record PIA outcomes 
      • Integrate the outcome into the project plan 

Have we a policy for:

  • Reporting a breach
  • Data retention
  • Privacy statement 
  • Privacy by design 
  • Change management 
  • GDPR statement
  • Risk management process
  • Security breach management
  • Subject access request form 

Data handling

  • Have reasonable steps been taken to protect sensitive data?
  • Have employees completed formal GDPR training? 
  • Are employees competent at raising risks, opportunities and vulnerabilities?
  • Whose data is being processed?
  • What is the format of the data?
  • What volume of data is held?
  • Where does the data come from?
  • Does the information include personal or sensitive data? 
  • Have we provided information on how we will use the data (terms and conditions, contract, privacy notice, cookie policy)?
  • Have we identified the legal / contractual reasons for processing this data? 
  • How do we process the data? 
  • Is there any personal data that is not required?
  • Where is the data backed up?
  • Does the cloud / backup reside in the EU?
  • How do you ensure personal data is accurate and kept up to date?
  • When was the data originally obtained?
  • Are you able to amend personal data provided to you?
  • Do you have a retention policy that covers the information stream identified? 
  • What is the retention period for this information stream? 
  • How is this enforced? 
  • Does the software allow you to delete information in line with your retention policy?
  • Are you able to respond to subject access requests easily? 
  • Can you trace subject data in the system?
  • Do you have full traceability of where subject data has been transferred? 
  • Can subjects opt out of their information being used for marketing purposes? 
  • What technical measures / controls are in place with regard to information security?
  • What organisational measures are in place with regard to information security? 
  • Do you know what the process is in the event of a security breach? 


