A step-by-step GDPR compliance checklist

In today’s data-driven economy, companies across industries are collecting data from users who visit their sites and interact with their brands. However, this could be costly if your business is not collecting this data in a GDPR-compliant way.

Enacted in May 2018, the General Data Protection Regulation (GDPR) is the European Union’s data privacy and security law. GDPR establishes data protection as a fundamental right for EU-based users and includes numerous protections covering the use, storage, confidentiality, and transfer of personal data. The fines for violating GDPR are severe, maxing out at €20 million or 4% of your global revenue (whichever is higher).

To protect your organization from these costly penalties, you’ll need to ensure your data collection practices comply with this law. We’ve created this checklist to make it easy for you to get GDPR compliant.

What are the benefits of GDPR compliance?

GDPR compliance is critical for businesses globally that collect data from EU residents. It’s legally required for these businesses and offers benefits, such as:

  • Protecting your organization from severe fines.
  • Maintaining the trust of consumers and clients.
  • Removing barriers that prevent your business from expanding into the EU.
  • Strengthening your data security.

How benchmarked can help companies become GDPR compliant

Navigating GDPR compliance can be overwhelming, especially for organizations handling large volumes of personal data or operating across borders. benchmarked simplifies this process by offering expert-driven tools, guidance, and automation to help you meet every requirement of the GDPR with confidence.

With benchmarked, your business gains:

  • Comprehensive Compliance Audits – Identify gaps in your current data practices through structured assessments tailored to GDPR standards.
  • Automated Documentation & Reporting – Generate and maintain the required Records of Processing Activities (ROPA) and Transfer Impact Assessments (TIAs) with minimal manual effort.
  • Ongoing Monitoring & Alerts – Stay up to date with evolving regulations and receive alerts for policy or procedure lapses before they become risks.
  • Training and Enablement – Equip your teams with the necessary knowledge through built-in GDPR training modules and policy templates.
  • Expert Support – Access privacy experts when you need guidance, whether it’s for Data Protection Impact Assessments or responding to data subject requests.

Benchmarked empowers your organization not only to achieve compliance but to maintain it seamlessly, saving time, minimizing risk, and building trust with your customers.


GDPR Compliance Checklist

The GDPR legislation includes various requirements your organization must follow. We’ve included the steps you’ll need to take to be GDPR compliant in this checklist.

1  Determine if you need to comply with GDPR

☐ Do you sell goods or services in the EU or UK?

☐ Do you sell goods or services to EU businesses, consumers, or both?

☐ Do you have employees in the EU or UK?

☐ Do persons from the EU or UK visit your website?

☐ Do you monitor the behavior of persons within the EU?

2  Document the personal data you process

☐ Identify and document every system (database, application, or vendor) that stores or processes EU/UK PII.

☐ Document the retention periods for PII in each system.

☐ Determine whether you collect, store, or process special categories of data, including:

  ☐ Racial or ethnic origins

  ☐ Religious or philosophical beliefs

  ☐ Genetic data

  ☐ Health, sex life, or sexual orientation data

  ☐ Political opinions

  ☐ Trade union membership

  ☐ Biometric data that could uniquely identify someone

☐ Confirm documentation meets GDPR Records of Processing Activities (ROPA) requirements:

  ☐ Controller name and contact details

  ☐ Purpose of the data processing

  ☐ Categories of data processed

  ☐ Data recipients

  ☐ Safeguards for international transfers

  ☐ Data retention periods

  ☐ Technical and organizational security measures

☐ Include vendor processing activity details:

  ☐ Processor contact details

  ☐ Categories of processing

  ☐ International transfer safeguards

  ☐ Technical and organizational security measures

3  Determine your legal grounds for processing data

☐ Consent of the data subject

☐ Contract with the data subject

☐ Necessary for compliance with a legal obligation

☐ Necessary to protect the vital interests of the data subject or a third party

☐ Necessary for the performance of a task carried out in the public interest or official authority

☐ Necessary for the purposes of the legitimate interests pursued by the controller or a third party

4  Review and update current customer and vendor contracts

☐ Review all customer and in‑scope vendor contracts to ensure they include appropriate Data Protection Addendums and Standard Contractual Clauses.

5  Determine if you need a Data Protection Impact Assessment (DPIA)

☐ Assess whether your processing is likely to pose a high risk to individual rights:

  ☐ Automated decision‑making, including profiling, with legal effects

  ☐ Processing special categories of data or criminal convictions/offences

  ☐ Large‑scale monitoring of publicly accessible areas

6  Clearly communicate privacy and marketing consent practices

☐ Publish a public‑facing privacy policy covering all products, services, and websites.

☐ Provide notices to data subjects per GDPR Article 13.

☐ Have a clear process for persons to change or withdraw consent.

7  Update internal privacy policies

☐ Update internal privacy notices for EU employees.

☐ Have an employee privacy policy governing collection and use of EU/UK employee data.

☐ Determine if you need a Data Protection Officer (DPO):

  ☐ Data processing by a public authority

  ☐ Core activities require large‑scale systematic monitoring of data subjects

8  Review compliance measures for external data transfers

☐ Identify the legal basis (e.g., Standard Contractual Clauses) for any EU/UK data transfer, storage, or processing.

☐ Perform and document a Transfer Impact Assessment (TIA).

9  Confirm you comply with additional data subject rights

☐ Maintain a process for timely responding to data subject requests.

☐ Provide information in a concise, transparent, and accessible form using clear language.

☐ Have a process for correcting or deleting data upon request.

☐ Maintain an internal policy for handling compelled disclosure requests from law enforcement.

10  Determine if you need an EU‑based representative

☐ Evaluate whether processing is occasional, not large‑scale, and does not involve special categories.

☐ If conditions are not met, appoint an EU‑based representative.

11  Identify a lead data protection authority (DPA) if needed

☐ Determine if you operate in more than one EU member state.

☐ Designate the supervisory authority of the main establishment as the lead DPA.

12  Implement employee training

☐ Provide appropriate security awareness and privacy training to staff.

13  Integrate data breach response requirements

☐ Create and implement an incident response plan for notifying EU/UK data subjects and authorities.

☐ Establish breach reporting policies that meet GDPR timelines.

14  Implement appropriate security measures

☐ Encrypt PII at rest and in transit.

☐ Implement pseudonymization where appropriate.

☐ Maintain suitable physical security controls.

☐ Implement and regularly review information security policies and procedures.

☐ Ensure only necessary personal data are processed by default (data minimization).
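The pseudonymization and data‑minimization items above are easy to tick and hard to get right. The following Python example is added here for illustration; it is not part of the original checklist or of any benchmarked product. It takes a constructed customer record, drops the fields a downstream purpose does not need, and replaces the remaining direct identifier with a keyed pseudonym (HMAC‑SHA256). The record contents, field names and key are all made up for the example. The point a practitioner should take from it: an unkeyed hash of a low‑entropy identifier (customer number, phone, e‑mail) can be reversed by enumerating candidates, so the pseudonym must depend on a secret key that is stored separately from the pseudonymized dataset, which is exactly what GDPR’s definition of pseudonymization (additional information kept separately) asks for.

```python
import hmac
import hashlib

# Constructed sample record (not real data): direct identifiers plus the
# fields an analytics pipeline actually needs.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "phone": "+32 470 00 00 00",
    "country": "BE",
    "ticket_category": "billing",
    "created": "2024-03-01",
}

# Data minimization: only these fields are needed for the stated purpose.
ALLOWED_FIELDS = {"country", "ticket_category", "created"}

# Direct identifiers that are kept only as a keyed pseudonym so records can
# still be joined without exposing the original value.
IDENTIFIER_FIELDS = ("customer_id",)


def pseudonym(value: str, key: bytes) -> str:
    """Return HMAC-SHA256(key, value) as hex.

    Stable for the same key (so joins across tables still work) and not
    reversible without the key, which must live outside the dataset
    (e.g. in a secrets manager), never beside the pseudonymized records.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Minimize a record and pseudonymize its direct identifiers.

    Fields not in ALLOWED_FIELDS or IDENTIFIER_FIELDS are dropped, so
    e-mail and phone never reach the downstream copy at all.
    """
    out = {f: record[f] for f in ALLOWED_FIELDS if f in record}
    for field in IDENTIFIER_FIELDS:
        if field in record:
            out[field] = pseudonym(record[field], key)
    return out


def leaks_identifiers(record: dict) -> bool:
    """Check used in a pipeline test: True if any raw identifier survived."""
    raw = {"email", "phone"} | set(IDENTIFIER_FIELDS)
    return any(f in record and record[f] == SAMPLE_RECORD.get(f) for f in raw)


if __name__ == "__main__":
    # Hypothetical key for the demo; a real deployment loads it from a
    # secrets store and rotates it under a documented procedure.
    demo_key = b"constructed-demo-key-do-not-reuse"
    safe = pseudonymize(SAMPLE_RECORD, demo_key)
    print(safe)
    print("raw identifiers present:", leaks_identifiers(safe))
```

Two design choices worth noting: the allow‑list (`ALLOWED_FIELDS`) is deliberately the default, so a new PII column added to the source record is dropped unless someone consciously adds it; and the HMAC key is the only thing that turns a pseudonym back into a linkable identifier, so key custody, access logging and rotation belong in the same ROPA entry as the dataset itself.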

15  Streamline GDPR compliance with automation

☐ Explore tools for automating security and compliance tasks.

☐ Replace manual evidence collection and periodic checks with continuous monitoring solutions.
