Lawful basis and transparency

Conducted an information audit to determine what information you process and who has access to it

Have a lawful basis for each data processing activity (refer to Article 6 of the GDPR)

Provided clear information about data processing and the lawful basis relied on in the organization's privacy policy

Data security

Follows the principles of "data protection by design and by default"

Implements technical safeguards for personal data such as encryption and pseudonymisation, and anonymises data where the purpose allows (refer to Article 32)

Created an internal policy for team members that builds awareness of data protection (e.g., email security, passwords, two-factor authentication, device encryption, and VPNs)

Have a data protection impact assessment (DPIA, Article 35) scheduled for processing likely to result in a high risk to individuals, and a process in place to carry it out

Have a process in place to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and to notify affected data subjects where the breach is likely to result in a high risk to them (Article 34)

Accountability and governance

Designated personnel responsible for ensuring GDPR compliance across the organization

Signed data processing agreements (Article 28) between the organization and third-party processors that handle personal data on your behalf

Appointed a Data Protection Officer (where required under Article 37)

Privacy rights

It's easy for customers to request and receive all the information you have about them

It's easy for customers to correct or update inaccurate or incomplete information

It's easy for customers to request their personal data to be deleted

It's easy for customers to object to or restrict the processing of their data

Data Controller's Signature