Professional Documents
Culture Documents
GDPR Checklist Templates For SMEs Downloadable 1
GDPR Checklist Templates For SMEs Downloadable 1
1
December 2017
Categories of Elements of Source of the Purposes for Legal basis for Special categories Legal basis for Retention Action required to
personal data personal data personal data which personal each processing of personal data processing special period be GDPR compliant?
and data included within data is purpose (non- categories of
subjects each data processed special categories personal data
category of personal data)
List the List each type of List the source(s) of Within each For each purpose If special categories List the legal basis on For each Identify actions that are
categories of personal data the personal data category of that personal data of personal data which special category of required to ensure all
data subjects included within e.g. collected personal data list is processed, list the are collected and categories of personal data, personal data
and personal each category of directly from the purposes for legal basis on which retained, set out personal data are list the period processing operations
data collected personal data e.g. individuals; from the data is it is based e.g. details of the collected and for which the are GDPR compliant
and retained name, address, third parties (if collected and consent, contract, nature of the data retained e.g. explicit data will be e.g. this may include
e.g. current banking details, third party identify retained e.g. legal obligation e.g. health, genetic, consent, legislative retained e.g. deleting data where
employee data; purchasing history, the data controller marketing, (Article 6). biometric data. basis (Article 9). one month? there is no further
retired online browsing as this information service one year? purpose for retention.
employee data; history, video and will be necessary to enhancement,
customer data images. meet obligations research, product As a general
(sales under Article 14). development, rule data must
information); systems integrity, be retained for
marketing HR matters, no longer than
database; CCTV advertising. is necessary for
footage. the purpose for
which it was
collected in the
first place.
2
December 2017
Personal data
Question Yes No Comments/ Remedial Action
3
December 2017
Children's personal Where online services are provided to a child, are
data (Article 8) procedures in place to verify age and get consent
of a parent/ legal guardian, where required?
4
December 2017
Right to restriction of Are there controls and procedures in place to
processing (Article 18) halt the processing of personal data where an
individual has on valid grounds sought the
restriction of processing?
5
December 2017
Restrictions to data Have the circumstances been documented in
subject rights (Article which an individual’s data protection rights may
23) be lawfully restricted? Note: the Irish Data
Protection Bill will set out further details on the
implementation of Article 23.
Purpose limitation Is personal data only used for the purposes for
which it was originally collected?
6
December 2017
Other legal obligations Is your business subject to other rules that
governing retention require a minimum retention period (e.g. medical
records/tax records)?
Transparency requirements
Question Yes No Comments/ Remedial Action
Transparency to Are service users/employees fully informed of
customers and how you use their data in a concise,
employees (Articles 12, transparent, intelligible and easily accessible
13 and 14 and further form using clear and plain language?
guidance available on
GDPRandYou.ie)
7
December 2017
When engaging with individuals, such as when
providing a service, sale of a good or CCTV
monitoring, are procedures in place to
proactively inform individuals of their GDPR
rights?
8
December 2017
Other data controller obligations
Question Yes No Comments/Remedial Action
9
December 2017
Data security
10
December 2017
Data breaches
Question Yes No Comments/Remedial Action
11
December 2017
International data transfers (outside EEA) – if applicable
12
December 2017
Contact Us
13
December 2017