Conducted an information audit to determine what information you process and who has access to it
Have a legal justification for data processing activities (refer to Article 6)
Follows the principles of "data protection by design and by default"
Implements technical safeguards such as encryption, pseudonymization, and anonymization
Created an internal policy for team members that builds awareness of data protection (e.g., knowledge of email security, passwords, two-factor authentication, device encryption, and VPNs)
Have a data protection impact assessment scheduled and a process in place to carry it out
Have a process in place to notify the authorities and data subjects in the event of a data breach
Appointed personnel to ensure GDPR compliance across the organization
Signed data processing agreements between the organization and third-party services that handle personal data on your behalf
Appointed a Data Protection Officer (if necessary)
It's easy for customers to request and receive all the information you have about them
It's easy for customers to correct or update inaccurate or incomplete information
It's easy for customers to request their personal data to be deleted
It's easy for customers to ask you to stop processing their data