GDPR Is Here: Your Compliance Checklist
GDPR enforcement began on May 25, 2018. Now that the regulation is live, here is a practical compliance checklist for technology companies covering data processing, consent management, breach notification, and ongoing compliance obligations.

Giovanni van Dam
IT & Business Development Consultant
GDPR Is Live: The New Reality for Tech Companies
May 25, 2018 has come and gone, and GDPR is now the law of the land. If you have been following our earlier coverage, you have had months to prepare. But the reality is that many technology companies, particularly startups and SMEs, are still scrambling to achieve full compliance. The good news is that regulators have indicated they will consider good-faith efforts when assessing penalties. The bad news is that "we didn't get around to it" is not a good-faith effort.
The first wave of enforcement actions will likely target the most egregious violations and the largest data processors. But smaller companies should not take comfort in this. Complaints from individuals, which can trigger investigations, do not discriminate by company size. If a user submits a subject access request and you cannot fulfill it within the required timeframe, you have a compliance gap that could lead to regulatory scrutiny.
This checklist is designed as a practical, actionable guide for technology companies. Whether you are a SaaS provider, a web hosting company, an e-commerce platform, or a digital agency, these are the baseline requirements you must have in place now that GDPR is active.
The Essential Compliance Checklist
Data inventory and legal basis: You must have a documented record of all personal data you process, the purpose of processing, the legal basis for each processing activity, and the retention period. If you rely on consent, you must be able to demonstrate that consent was freely given, specific, informed, and unambiguous. Review every form, cookie, and tracking mechanism on your properties.
Privacy notices and policies: Your privacy policy must be written in clear, plain language. It must specify what data you collect, why, how long you keep it, who you share it with, and how individuals can exercise their rights. If you process children's data, additional requirements apply. Update your cookie notices to provide granular opt-in choices rather than blanket acceptance.
Technical and organizational measures:
- Implement data subject access request (DSAR) workflows that can respond within 30 days
- Enable data portability by providing export functionality in machine-readable formats
- Configure data deletion capabilities across all systems, including backups and third-party integrations
- Establish a 72-hour breach notification process with templates and escalation procedures
- Conduct Data Protection Impact Assessments for high-risk processing activities
- Review and update all data processing agreements with third-party vendors
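The data inventory in the first checklist item and the technical measures above (DSAR export in a machine-readable format, deletion across every system including backups) come together in the following sketch. It is an added example, not code from the article or its author: the processing register, the in-memory stores, the subject id `u42` and the backup erasure ledger are all constructed placeholders for whatever a real company's systems expose.

```python
"""Data-subject-rights workflow sketch (added example; hypothetical systems).

The checklist asks for a documented record of processing, a machine-readable
export for access/portability requests, and deletion that reaches every
system. Three functions below cover those: an inventory-gap check, an export
tagged with purpose and legal basis, and an erasure that reports per system.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessingActivity:
    """One row of the record of processing: where data lives, why, on what basis, for how long."""
    system: str
    purpose: str
    legal_basis: str
    retention_days: int


# Constructed sample inventory; a real one is maintained per company.
PROCESSING_REGISTER: List[ProcessingActivity] = [
    ProcessingActivity("crm", "customer support", "contract", 730),
    ProcessingActivity("analytics", "product usage analytics", "consent", 90),
    ProcessingActivity("backups", "disaster recovery", "legitimate interest", 35),
]

# Constructed in-memory stand-ins for real systems (hypothetical data).
# "mailer" is deliberately missing from the register to show the gap check.
STORES: Dict[str, Dict[str, dict]] = {
    "crm": {"u42": {"email": "ada@example.com", "open_tickets": 2}},
    "analytics": {"u42": {"page_views": 120, "consented": True}},
    "backups": {"u42": {"snapshot": "2018-05-20"}},
    "mailer": {"u42": {"email": "ada@example.com"}},
}

# Immutable snapshots cannot be edited in place, so erasures are recorded here
# and replayed whenever a snapshot is restored.
BACKUP_ERASURE_LEDGER: List[str] = []


def unregistered_systems() -> List[str]:
    """Systems holding personal data that the register does not cover: an inventory gap."""
    registered = {a.system for a in PROCESSING_REGISTER}
    return sorted(s for s in STORES if s not in registered)


def export_subject_data(subject_id: str) -> dict:
    """Collect every record held about subject_id, each tagged with the purpose
    and legal basis from the register (or UNREGISTERED if the register is incomplete)."""
    by_system = {a.system: a for a in PROCESSING_REGISTER}
    payload: dict = {"subject_id": subject_id, "systems": []}
    for system, rows in STORES.items():
        if subject_id not in rows:
            continue
        activity = by_system.get(system)
        payload["systems"].append({
            "system": system,
            "purpose": activity.purpose if activity else "UNREGISTERED",
            "legal_basis": activity.legal_basis if activity else "UNREGISTERED",
            "data": rows[subject_id],
        })
    return payload


def export_subject_json(subject_id: str) -> str:
    """Machine-readable form of the export, suitable for a portability response."""
    return json.dumps(export_subject_data(subject_id), indent=2, sort_keys=True)


def erase_subject(subject_id: str) -> Dict[str, str]:
    """Propagate erasure to every system and return the outcome per system, so a
    system that still holds the data appears in the audit trail instead of being
    silently skipped."""
    outcome: Dict[str, str] = {}
    for system, rows in STORES.items():
        if subject_id not in rows:
            outcome[system] = "not_present"
        elif system == "backups":
            BACKUP_ERASURE_LEDGER.append(subject_id)
            outcome[system] = "scheduled_on_restore"
        else:
            del rows[subject_id]
            outcome[system] = "erased"
    return outcome


if __name__ == "__main__":
    print("inventory gaps:", unregistered_systems())
    print(export_subject_json("u42"))
    print("erasure outcome:", erase_subject("u42"))
```

The per-system outcome dictionary is the piece worth keeping in a real implementation: an erasure request is only complete when every registered system reports `erased` or `not_present`, and the `scheduled_on_restore` state makes the backup caveat visible rather than hiding it behind a blanket "deleted".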
Building a Culture of Ongoing Compliance
GDPR compliance is not a one-time project; it is an ongoing operational requirement. Staff training is essential. Everyone in your organization who handles personal data needs to understand the basics of GDPR, recognize potential data breaches, and know the escalation procedures. Regular refresher training should be scheduled at least annually.
Build privacy into your development workflow. Every new feature, product, or data processing activity should go through a privacy review. Implement privacy by design principles in your software development lifecycle. This means considering data protection implications at the design stage, not as a compliance checkbox before launch. Code reviews should include checks for unnecessary data collection, proper encryption, and secure data handling.
Monitor the regulatory landscape. GDPR is a principles-based regulation, and its interpretation will be shaped by enforcement actions, court decisions, and guidance from data protection authorities over the coming months and years. The European Data Protection Board is publishing guidelines on specific topics, and national supervisory authorities are issuing their own interpretations. Stay informed and adapt your compliance posture as the regulatory environment evolves.

Giovanni van Dam
MBA-qualified entrepreneur in IT & business development. I help founder-led businesses scale through technology via GVDworks and build AI-powered SaaS at Veldspark Labs.