GDPR Implementation Checklist

Here are the essential tasks for a GDPR implementation project. You will want to change the sequence to suit your organisation but should look to check off each of these tasks.


Please note that this is not legal advice, which should be sought separately.


Handy GDPR Checklist

Key GDPR implementation tasks

Make sure you've got GDPR covered

Appoint a Chief Data Officer (CDO)


In larger enterprises, or ones that carry out deep profiling, this person needs a direct reporting line to the board


Seek Legal Advice


You will want to seek legal advice, in particular before carrying out your LIAs and DPIA (see below) and afterwards to validate them


GDPR Training


It is recommended that key staff, including board members, are trained on GDPR from the outset so that they are fully aware of the GDPR requirements and support the rollout


Customer Data Source Audit


Identify the sources of the existing customer data, which fields / types of data are being kept, and in what quantity, across all locations including: systems, CRMs, website platforms, ecommerce platforms, marketing platforms, spreadsheets, accountancy solutions etc.


Customer Data Audit


Identify the quality of the data, and the specific permissioning of the data sets and individual customer data records


Work through your Legitimate Interest Assessments (LIAs)


An LIA identifies where ... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...


Work through the Data Privacy Impact Assessment (DPIA)


A Data Protection Impact Assessment (DPIA), also known as a PIA, is an assessment that identifies and minimises non-compliance risks. This needs to be firmly in place.


Customer Data Workflow Analysis


As part of the PIA and LIAs you should have identified all the customer data workflows, worked out which ones need changing or which datasets need to be removed, and fully justified all the remaining ones.


Identify GDPR platforms and compliant Processes


Identify which will be the core GDPR system where the customer GDPR permissioning is stored and available


Identify all the other systems which will contain data affected by GDPR and identify the data routing / workflows you will need to have in place


Change Management


Identify all the changes in working practices and systems, along with the integrations that are required.


Data Cleanse


Ensure you have cleansed your datasets as far as possible prior to any re-permissioning campaigns.


Re-permissioning Campaigns


Running ‘wild’ email re-permissioning campaigns is likely to affect your email / campaign deliverability, or potentially to have you suspended by some email service providers, and will affect your audience engagement. Cleaning up the data as far as possible in advance will minimise these risks.


Use online and offline means to re-permission, including 3rd party data bureaus and services, in particular prior to the 25th May. Ensure all marketing re-permissioning is against the specific GDPR grade permissioning statements and that all are fully audited.


Preference Centre


Make sure that all customers can update their personal permissions through an online preference centre. These permissions then have to be distributed to all your internal systems and to all your customer data / marketing / sales workflows and platforms.


Also make sure that you have a cookie preference centre and proper control over cookie permissioning for non identified / permissioned users (this still requires legal clarification in the UK)




Identify and execute on all the technical API integrations and import / export workflows. Cease using the workflows / systems / processes which cannot be made GDPR compliant.


Data Best Practice Policy


Ensure you create a data policy that is shared with all the staff.


Ensure that everyone is trained and aware of the new data policy and that it is part of any staff contract and onboarding process


Privacy Policy


You will need to update your Privacy Policy to be GDPR compliant. You can see Affino’s here.


Cookie Policy & Dashboard


You will need to update your Cookie Policy to be GDPR compliant. You can see Affino’s here. Make sure that your Cookie Dashboard is also in place and that you have fully documented all the cookies in their correct categorisation. Ensure that the cookie bar also has the correct text as per your chosen GDPR strategy.


Data Breach Policy


Ensure you have a Data Breach Policy in place and make sure you have effective reporting workflows in place. You can see Affino’s here.


Terms and Conditions


Ensure that your website and service Terms and Conditions are updated to be GDPR compliant. You can see Affino’s here.


Set up your GDPR Forms


Depending on how you are set up to handle personal data requests you will want to have in place a host of GDPR related forms, potentially including: Forget me, Send me my data, and Do not profile me. You can see Affino’s here.


Lead Capture

Review your approach to Lead Capture and sharing. To be fully GDPR compliant, contacts whose details you are sharing (or selling) must have explicitly and voluntarily signed up to the third-party company’s marketing / comms (un-bundled from any other consent), and must have given you both their permission and their preferences.


Auto Contact Archiving


If your platform, like Affino SaaS, supports auto contact archiving then explore putting it in place to ensure that you only have the personal data in your database that you should have.




We strongly recommend insuring against GDPR related incidents. Note also that there is a high likelihood that you will need to update your working practices to be able to get appropriate insurance, e.g. 3 month enforced password updates for team members who have access to your CRMs.


Ongoing Review


Ensure that all the systems, workflows, and policies are continuously reviewed and updated, in particular when new processes and systems are on-boarded.


GDPR Implementation Plan


A key requirement is to have your GDPR implementation plan in place, and steadily reviewed and updated as milestones are hit. In the absence of full compliance, having a plan in place is absolutely essential.

Other Checklists


If you are an Affino user you will want to follow the Affino GDPR Help Guide. It is packed with useful pointers as to the exact steps and elements which are essential to being fully GDPR compliant when using Affino.


The ICO has two useful checklists as well, one for Data Controllers and one for Data Processors, see them both here, and if you want to see how Parliament is doing with shaping the legislation, now not due until the last minute ... see here

Markus Karlsson Profile

Markus Karlsson, CEO | Founder, Affino

20 years of digital business experience with: Audi, BBC, Casio, Diesel, EMI, MasterCard, Rovio, UBM, UMG, and now Gill, Procurement Leaders, Briefing Media, Ocean Media, and IDG. Lead consultant for digital business transformation.