GDPR Checklist for Small Businesses

Checklist for Compliance

The GDPR (General Data Compliance Regulation) applies to any business or organization within the EU that processes personal data and to any organization worldwide that processes data about an identifiable natural person in the EU. More specifically, this means:

Any operation on any data that:

Is or could be linked to a person (who has been or could be identified)


That person resides (lives, travels, etc.) within the EU.

Print the checklist below and use it as your guide to test your compliance with the GDPR. There is no need to panic – the steps are not difficult. But you can’t put it off any longer as the GDPR in already in force.


The 22 steps on the Checklist for Compliance


  1. Create a data protection repository in your digital filing system to collect all documents regarding data protection and the GDPR. Keep notes made during internal meetings. Every decision you make and every step you take towards GDPR compliance should be documented. Just in case you need it someday (to demonstrate compliance);
  2. Appoint a staff member to coordinate the actions and to guard the processes involved. Note: if you give him/her the title of data protection officer (DPO), the tasks and responsibilities as defined in GDPR articles 37-39 apply, irrespective of whether appointing a DPO is or is not a mandatory requirement for your organization;
  3. Analyze your data, i.e. establish which personal data your business collects, and where it is kept;
  4. Create a password policy and carefully consider who in your company who should have access to each set of personal data;
  5. Separate the personal data into categories, e. sensitive data, data related to criminal convictions, and other personal data. Remember that a photo of a person reveals their ethnic origin and, in light of this, is sensitive personal data;
  6. Identify the lawful basis for processing each set of data;
  7. Implement a policy to handle any withdrawal of consent. Keep a record of consent for people who have opted-in and those who have withdrawn consent later;
  8. Implement a policy to handle any data subject access requests;
  9. Implement policies to handle any data erasure and correction requests;
  10. Create a retention schedule for data. When the data has reached the end of its retention period destroy it in accordance with a data destruction policy (minimize the data you hold);
  11. Train your staff. Make sure they all understand what personal data is and the importance of the data protection processes and rules regarding this data.
  12. Train your staff on how to identify a personal data breach, including how to identify e-mail scams and other social engineering scams;


  1. Review the physical security of data. Keep USB disks and USB sticks, paper filing systems, and laptops behind lock and key as well as chained in place when not in use. Lock your computer (or lock the room) when you walk away for coffee, a break, etc.;
  2. Create an asset register featuring the serial numbers of all your computers regardless of contents. The register will help you to assess whether a computer is missing and what data it contains;
  3. Create a data breach log to record mistakes like “John e-mailed a group of clients using the Cc-field instead of the Bcc field”. Create an atmosphere in which reporting an error is seen as an opportunity to sharpen procedures rather than as a reason for a reprimand.
  4. Implement a breach response policy;

Websites & cookies

  1. Ensure your website uses HTTPS protocol instead of HTTP (the ‘s’ in HTTPS stands for secure). This way the data transport is encrypted, befitting the GDPR’s data ‘protection by design’ principle. As an extra, it also helps your site attain a higher ranking in Google’s search engine results.
  2. Update your website’s privacy policy. It should include at least contact details of the controller, the purpose of the processing, the legal basis, any (categories of) recipients of the personal data, and the data retention period. It must also inform the person concerned of their rights (the right to information, to withdraw permission, to access, to correction, to deletion and the right not to be subject of processing for direct marketing purposes, including profiling).
  3. The ePrivacy directive (and the ePrivacy regulation that will replace it shortly) requires that permission is obtained to place cookies on the user’s equipment. Consent to cookies, however, does not imply consent to process personal data. The information in a cookie is directly linked to the owner of the computer through the IP address, hence it is personal data and you need a lawful ground to process it.
  4. Be clear about what kind of cookies you use on your website, and make sure to honor the rights of the visitors to informed consent (to what they will accept) and to option to object to profiling (if they don’t). Be transparent and offer opt-in choices rather than referring users to ‘your cookie settings’ or to sites such as

Quality assurance and demonstrating compliance

  1. For any new data processing operation, conduct a data processing impact assessment to see whether the operation is likely to cause privacy issues. Plan for thorough risk mitigation and document your choices.
  2. Create a document featuring non-compliance issues to show awareness of compliance omissions and to plan towards total compliance.


This article has been written by guest author Leo Besemer.