How do you prove that you are compliant with the GDPR?

This is a list of probable questions that you will have to answer if your company is audited under the GDPR. If you can answer the following questions with a Yes then you can be reasonably sure that you are compliant in the stated area, where you answer  No then you need to start addressing this area.

Fair Obtaining

  1. At the time we collect information about individuals are they made aware of the uses of that information?
  2. Are people made aware of any disclosures of their data to third parties
  3. Have we gained peoples consent for any secondary uses of their personal data, which may not be obvious to them?
  4. Can we describe our data collection processes as open, transparent and up-front?

Purpose Specification

  1. Are we clear about the purpose (or purposes) for which we keep personal information?
  2. Are the individuals in our database also clear about this purpose?
  3. If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose?
  4. Has responsibility been assigned for maintaining a list of all datasets and the purpose associated with each?


Use and disclosure of information

  1. Are there defined rules about the use and disclosure of information?
  2. Are all staff aware of these rules?
  3. Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them?
  4. If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data?



  1. Is there a list of security provisions in place for each data set?
  2. Is someone responsible for the development and review of these provisions?
  3. Are these provisions appropriate to the sensitivity of the personal data we keep?
  4. Are our computers and our databases password-protected, and encrypted if appropriate?
  5. Are our computers, servers, and files securely locked away from unauthorized people?


Adequate, relevant and not excessive

  1. Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
  2. Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
  3. If an individual asked us to justify every piece of information we hold about him or her, could we do so?
  4. Does a policy exist in this regard?


Accurate and up-to-date

  1. Do we check our data for accuracy?
  2. Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
  3. Do we take steps to ensure our databases are kept up-to-date?



  1. Is there a clear statement on how long items of information are to be retained?
  2. Are we clear about any legal requirements on us to retain data for a certain period?
  3. Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
  4. Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?


Access Rights

  1. Is a named individual responsible for handling access requests?
  2. Are there clear procedures in place for dealing with such requests?
  3. Do these procedures guarantee compliance with the Act’s requirements?



  1. Are we clear about whether or not we need to be registered with the Data Protection Commissioner?
  2. If registration is required, is the registration kept up to date? Does the registration accurately reflect our practices for handling personal data?
  3. Is a named individual responsible for meeting our registration requirements?


Training & Education

  1. Do we know about the levels of awareness of data protection in our organization?
  2. Are our staff aware of their data protection responsibilities – including the need for confidentiality?
  3. Is data protection included as part of the training programme for our staff?


Co-ordination and Compliance

  1. Has a data protection co-ordinator and compliance person been appointed?
  2. Are all staff aware of his or her role?
  3. Are there mechanisms in place for formal review by the coordinator of data protection activities within our organization?