Regulatory compliance
Aug 07, 2018
2 min read

A GDPR Checklist for Your Business

Sumsub Team

Sumsub Team

All-star

  1. Get the full picture of impact: Arrange a meet-up with your technical, customer support and legal colleagues and discuss what the GDPR means and how it impacts your organization from each side.
  2. Get a full picture of personal data processing in your company: Map data flows in your company — how it is stored and processed by your systems. You need to answer these questions:
  • What categories of personal data do you process? (financial information, biometrics, marketing-related information, etc.)
  • What categories of users do you process data for? (contributors, freelancers on your marketplace, drivers, etc.)
  • What are the reasons for processing?
  • How and why do you collect this information?
  • How do you secure these data?
  • Is the data transferred to third parties? Do you know who those third parties are? How long do they store information about individuals?
  1. Find legal basis for mappingThink about 6 legal bases mentioned here. For every processing operation identified in your data map, you have to refer to a legal basis. That connection will give you the full legal basis for the mapping.
  2. Create tools that can help users exercise their rights:
  • You need to be sure you have the information to answer the access request from the user (from your data mapping).
  • Note in your data map where exactly you store personal data (in your system and with cross-reference with other systems) to comply with a decline, modification and erasure requests of users.
  • Decide how you are going to respond to data portability requests. For that, you need to know what data formats your systems use.
  1. Map your data breach and incident response: Make sure that you and your security/tech/legal/PR colleagues have an incident response plan.
  2. Run a few test incidents and get everyone involved.

There are way more elements that could be added to this checklist, and you need to work with your internal experts and external advisors to come up with a list customized for your needs. For example, you may need to design data protection impact assessments, appoint a data protection officer, manage and review marketing and other company communication practices, and revisit your vendor management and contracting processes.

Having a solid basis by mapping out your data processing activities, gives you a big advantage for any subsequent GDPR compliance question that you may encounter.

You will find below some additional resources that we rely on and find helpful, and we hope they will be useful for you too.

If you want to know more 

Start with the source: The full legal text of the GDPR

The Data Protection Directive is described here.

Here is a Data Protection Authority (DPA) in each EU State. Some of them publish wonderful guidelines on the GDPR implementation. Check it here

Article 29: An advisory body appointed a representative from the DPA of each EU Member State. The best guideline is the most recent one. You can find WP29 Newsroom here

Regulatory Compliance

Explore more

Sumsub Compliance Digest—March, 2024
Sumsub Compliance Digest—March, 2024
Arina Rumyanceva

Arina Rumyanceva

Legal Counsel at Sumsub

  • Video
  • Mar 28, 2024
  • 6 min watch
What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)
What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)
Daria Sav

Daria Sav

Senior editor

Tony Petrov

Tony Petrov

Chief Legal Officer

Expert Corner: AI Regulations in APAC in 2024
Expert Corner: AI Regulations in APAC in 2024
Raymond Sun

Raymond Sun

Technology lawyer, 'Top Voice' on AI regulation on Linkedin