GDPR Compliance Checklist for Data Controllers (SMEs)
1. Lawful Basis & Purpose
Have we identified and documented a lawful basis for each type of processing activity?
Are individuals informed of the lawful basis via a privacy notice?
Do we ensure data is only used for the specific purposes it was collected for?
2. Transparency & Privacy Notices
Do we provide clear and accessible privacy notices to individuals?
Do our privacy notices include details of data collected, purposes, rights, and contact information?
Do we review and update privacy notices regularly?
3. Data Minimisation & Accuracy
Do we collect only the data that is necessary for our purposes?
Do we keep data accurate and up to date?
Do we have procedures to rectify inaccurate or incomplete data quickly?
4. Contracts & Processors
Do we have written contracts (data processing agreements, DPAs) with all data processors we engage?
Do contracts include the GDPR-required clauses (processing only on documented instructions, confidentiality, security measures, sub-processor approval, assistance with data subject rights and breaches, deletion or return of data at the end of the contract, and audit rights)?
Do we carry out due diligence checks on processors before engagement?
5. Data Subject Rights
Do we have processes for handling subject access requests (SARs) within one month of receipt (extendable by up to two further months only for complex or numerous requests, with the individual told why)?
Can we handle requests for rectification, erasure, restriction, portability, and objection?
Do we keep internal logs to track requests, deadlines, and responses?
6. Data Security
Do we have appropriate technical and organisational security measures in place?
Do we ensure staff receive data protection and security training?
Do we have policies for handling data securely (access control, encryption, backups)?
7. Data Retention & Disposal
Do we have a clear data retention policy?
Do we regularly review data and securely delete it when no longer needed?
Do we ensure secure disposal of both digital and paper records?
8. Data Breach Management
Do we have a breach response plan in place?
Can we notify the ICO within 72 hours of becoming aware of a notifiable breach?
Do we have procedures to inform affected individuals without undue delay where the breach is likely to result in a high risk to them?
Do we maintain a log of all personal data breaches, including those that do not meet the threshold for notifying the ICO?
9. International Data Transfers
Do we transfer personal data outside the UK/EU?
If yes, do we rely on an appropriate transfer mechanism (an adequacy decision or UK adequacy regulations, or safeguards such as EU SCCs, the UK IDTA, or the UK Addendum to the EU SCCs)?
Are individuals informed about international transfers in our privacy notice?
10. Governance & Accountability
Do we maintain Records of Processing Activities (RoPA)?
Do we conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to individuals?
Do we appoint a Data Protection Officer (DPO) where one is required?
Do we carry out regular audits of GDPR compliance?