Consent Management Checklist for GDPR Compliance

If you do business or serve customers in the EU, then the GDPR applies to you. Easily achieve compliance by reading our GDPR compliance checklist and downloading it to complete the steps.
Published by Usercentrics
May 21, 2024

Companies across all industries collect data from their website visitors to learn more about their audiences’ activities, preferences, and interests. However, this standard business function could be costly if you’re not collecting this data in a GDPR-compliant way.

But GDPR compliance can be complex. The EU regulation provides individuals with data privacy rights, compliance responsibilities, and processing principles for organizations to follow. However, it allows for flexibility in each company’s implementation depending on their business, technologies in use, third-party platforms required, and user data processed. Each company requires customized expertise to determine how to achieve and maintain GDPR compliance.

We’ve outlined key elements you need to know about the GDPR’s requirements and created a GDPR compliance checklist that will help you achieve and maintain legal compliance.

What is considered personal data under the GDPR?

We’ll spare you the full definition of personal data from the General Data Protection Regulation (GDPR). The regulation was adopted in the EU in 2016 and has applied since May 25, 2018. In essence, it’s designed to give individuals in the EU more control over their personal data (it protects anyone in the EU, not only EU citizens) and to harmonize the rules companies must follow when handling it. Let’s go over what is considered personal data.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person” (Article 4(1)). 

This encompasses various data types, both from online and offline sources, that can directly or indirectly identify an individual alone or in combination with other data, such as:

  • names, addresses, phone numbers, and email addresses
  • identification numbers like national ID, passport, or driver’s license numbers
  • location data such as GPS coordinates or IP addresses
  • biometric data like fingerprints or facial images used to identify a person
  • genetic data
  • health-related or healthcare information
  • political opinions, religious beliefs, or membership in trade unions

Whether a company operates in ecommerce or serves B2B customers, the GDPR applies to it if it is established in the EU or offers goods or services to, or monitors the behavior of, people in the EU. 

The GDPR principles center around access to and use of personal data. Even seemingly harmless information can be personal data if it can be linked to an individual, even if only in combination with several other data points. This is why cookie identifiers, social media posts, and audio/visual recordings can also be personal data.

Who does the GDPR apply to?

The GDPR applies to any organization that handles the personal data of people in the EU, regardless of where the organization is located. A US-based organization that only serves US customers and does not monitor people in the EU does not need to comply with the GDPR. A US company that has EU customers, however, does.

Under the GDPR, several entities have responsibilities relating to data processing and privacy compliance, including:

  • companies based in the EU that collect or process personal data
  • companies based outside the EU that provide goods or services to EU residents or monitor their behavior
  • data controllers that determine how, why, and by whom personal data is processed
  • data processors that process personal data for specific purposes on behalf of a controller (e.g. vendors)

Noncompliance can lead to significant GDPR fines (Article 83): for the most serious infringements, up to EUR 20 million or 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher; for other infringements, up to EUR 10 million or 2 percent.

While there are some exemptions to compliance for personal or household activities and certain freedom of expression and information cases, the GDPR generally applies broadly to most organizations handling the personal data of EU residents. 

This also applies to organizations in a joint controllership relationship (Article 26). In this scenario, two or more companies jointly determine the purposes and means of processing, must set out their respective responsibilities in a transparent arrangement, and each remains accountable to the people whose data is processed.

Beyond legal requirements, demonstrating respect for data privacy with GDPR compliance brings business benefits, enhancing brand reputation and building trust with customers.

Who’s responsible for GDPR compliance within a company?

GDPR compliance responsibility within a company is shared across multiple functions and stakeholders, though ideally there is a central representative to oversee privacy operations, like a Data Protection Officer (DPO). Appointing a DPO is mandatory in some cases (Article 37): for public authorities, for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and for organizations whose core activities involve large-scale processing of special categories of data or criminal conviction data. For other companies, appointing a DPO is voluntary but recommended to oversee data privacy operations.

Generally, data controllers and processors are each responsible for ensuring the data processing they do is GDPR-compliant, though the controller carries the legal responsibility towards data subjects, including for processing and data protection by third-party processors. This is why a written data processing agreement (Article 28) must be in place before any third-party processing begins. 

There can be other stakeholders regarding data processing and GDPR compliance, as shown in the figure below.

[Figure: The stakeholders regarding data processing and GDPR compliance]

Achieve regulatory compliance with a GDPR compliance checklist

The GDPR is one of the strictest data privacy and protection regulations in the world. The full text spans 99 Articles, outlining everything from what constitutes valid user consent to what entities have supervisory authority. Yet, many organizations struggle to determine clear guidelines, rules, or requirements for how they should handle users’ personal data.

To simplify the complexity, Usercentrics has compiled a detailed GDPR compliance checklist that demonstrates each step needed to help companies become privacy compliant. 

This 9-step GDPR audit checklist covers key areas to address, from data collection and storage to individual rights and data breach reporting.

What’s included in the GDPR compliance checklist?

By downloading Usercentrics’ printable GDPR compliance checklist PDF, you’ll learn:

  • how to create a privacy policy
  • requirements to inform users of their rights and how to exercise them
  • the way to obtain valid consent
  • best practices to securely document consent data

Bolster your company’s marketing operations with the data you need, while demonstrating your commitment to data protection. Give your customers confidence in how their personal information is handled and increase trust with your audience.

This checklist outlines companies’ responsibilities and users’ rights under the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive, with steps to take to achieve compliance. It also includes the benefits of using a Consent Management Platform (CMP) and how to implement one to achieve GDPR compliance. 

Step 1: Determine if your company is required to comply

If your organization wants to collect and process (store, analyze, aggregate, share, sell, etc.) the personal data of residents in the EU: 

  • whether your organization is located in the EU or not
  • whether the data will be processed inside or outside of the EU 
  • whether a transaction takes place (e.g. payment for goods or services) or not 

your organization is obligated to comply with the GDPR.

Important to know: The GDPR has applied since May 25, 2018. Where consent is your legal basis, it follows a prior consent (“opt in”) model: the user’s consent must be obtained before the personal data is collected. Nonessential cookies and similar technologies additionally require prior consent under the ePrivacy Directive, regardless of the legal basis you rely on for the later processing.

Step 2: Create a comprehensive Privacy Policy

  • Purpose: Inform individuals at the time their data is collected (Article 13) about:
    • who the controller is and how to contact it (and the DPO, if there is one) 
    • which categories of personal data are collected and how 
    • the purposes of processing and the legal basis for each 
    • how long the data is retained, or the criteria used to determine the retention period 
    • whether the data is shared with third parties, and who those recipients (or categories of recipients) are 
    • whether the data is transferred outside the EU and on what safeguards 
  • Rights: Inform website visitors of their privacy rights, including the right to withdraw consent and to lodge a complaint with a supervisory authority, and how to exercise them. 
  • Language: Ensure the Privacy Policy and cookie banner are clear, concise, and easy to understand. For the best user experience, enable geolocation features (e.g. in a CMP) that display the appropriate language for users in different regions. 
  • Implementation: Implement a privacy notice with information about data use, users’ rights, and their options, such as withdrawing consent. Enable users to exercise those options via a banner or pop-up when visiting your site, e.g. with a CMP.

Important to know: You must have a valid legal basis for every processing activity (Article 6). Consent is one of six; the others are performance of a contract, legal obligation, vital interests, public task, and legitimate interests. If a user refuses consent for a purpose, you cannot simply switch to another legal basis for that same purpose.

Step 3: Inform users about their rights

Consumers’ rights under the GDPR: 

  • Right of Access: to be informed whether personal data is processed, which data and for what purposes, and to receive a copy of it (Article 15) 
  • Right to Rectification: timely correction of inaccurate or incomplete personal data, with confirmation from the controller when complete (Article 16) 
  • Right to Erasure: aka “right to be forgotten”, timely deletion of personal data that has been collected (with exceptions), with confirmation from the controller when complete (Article 17)
  • Right to Restriction of Processing: the controller must limit processing to storage while, for example, the accuracy of the data or an objection is being verified (Article 18) 
  • Right to Data Portability: a copy of the personal data the user provided, in a structured, commonly used, and machine-readable format, transmitted to another controller where technically feasible (Article 20) 
  • Right to Object: to processing based on legitimate interests or public interest, and at any time to processing for direct marketing, including related profiling (Article 21) 
  • Rights related to Automated Decision-making: to be informed that automated decision-making, including profiling, takes place, along with the logic involved and its likely consequences (Articles 13 to 15), and not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, with limited exceptions (Article 22) 
  • Right to Withdraw Consent: at any time, as easily as it was given, and without detriment (Article 7(3)) 
  • Right to Lodge a Complaint: with a supervisory authority (Article 77)

Important to know: Consent choices must be displayed equally. Do not use nudging or dark patterns. It must be as easy to decline or change consent preferences as it is to accept.

Step 4: Obtain valid consent

Consent is only valid under the GDPR (Articles 4(11) and 7) if it is:

  • Unambiguous: a clear affirmative action is required, e.g. ticking an unticked box or clicking “Accept”. Pre-ticked boxes, scrolling, or continued browsing do not count. Explicit consent, a stronger form, is required for special categories of data. 
  • Informed: Who is processing, what data, for which purposes, and for how long? 
  • Documented: You have the burden of proof in the case of an audit (Article 7(1)). 
  • In advance: Where consent is the legal basis, no data can be collected before consent is obtained, e.g. nonessential cookies cannot be set on your website before the user has consented to them. 
  • Granular: Individual consent for each individual purpose, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices. 
  • Freely given: Equally accessible and easy-to-use “Accept” and “Deny” options, e.g. buttons on the same first layer of the CMP. Access to the service must not be made conditional on consent that the service does not need. 
  • Easy to withdraw: Changing consent or withdrawing it is as easy as giving it, e.g. available on the same layer of the CMP.

Important to know: Nonessential cookies and other tracking technologies on websites, apps, or other services cannot be triggered or loaded until valid user consent has been obtained.

Step 5: Block nonessential cookies and tracking technologies until consent is obtained

  • If a user refuses data processing, no nonessential cookies or trackers can be set. Strictly necessary cookies (e.g. session, authentication, shopping cart, security, or load-balancing cookies that the requested service cannot work without) can be set without consent; analytics and marketing cookies are not strictly necessary.
  • Ensure users can still access your site, app, or service even if they refuse to allow the use of nonessential cookies or other tracking technologies. 
  • Nonconsenting users cannot be blocked entirely (no “cookie walls”), but they can be told that without consent for certain technologies some functions or services may not work correctly and the user experience may be affected.

Important to know: If the purposes for which you want to collect and process personal data change, or the parties that will have access to the personal data change, e.g. you are working with a new vendor, you must request consent again for the new purpose(s) and/or third parties.

Step 6: Stop data collection or processing as soon as the user opts out

  • Data collection and processing must stop as soon as the user opts out, whether that is the first time they visit your website or access your service, or if they update consent preferences later.
  • Once the user has declined or withdrawn consent, data also can no longer be forwarded or shared with third parties.
Step 7: Securely document consent

  • You are obliged to take appropriate measures to securely record and store the consent preferences you receive (what was consented to, when, how, and which version of the notice the user saw), along with the other personal data you hold. 
  • In the event of an audit by a data protection authority (DPA), you must be able to demonstrate valid consent for all data collected and for each processing purpose. 
  • In the event of a data subject access request (DSAR), you must be able to provide the user with the information specified in the GDPR’s “Rights of the data subject” chapter, including their consent preferences, normally within one month (Article 12(3)).
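The consent rules in Steps 4 to 7 are testable behavior, not only policy. The following is an added example, written for this edit and not code from Usercentrics or from the original checklist, showing one way to enforce them in application logic: a small JavaScript consent manager in which no nonessential purpose runs before a granular opt-in, every decision is logged as a receipt together with the notice version the user saw, withdrawal stops dependent processing immediately, and a change of purposes or vendors invalidates earlier consent. The purpose catalogue, the vendor names, and the class and method names are hypothetical; the banner UI and the actual script injection are left out so that the logic runs stand-alone under Node.

```javascript
// Added example (not Usercentrics code). Rules enforced:
//  - prior consent: nothing nonessential runs before an explicit, granular opt-in
//  - documented: every decision is an append-only receipt (what, when, notice version)
//  - withdrawal is as easy as acceptance and tears down dependent processing
//  - a change of purposes/vendors (new notice version) invalidates earlier consent

// Constructed purpose catalogue; "required" marks strictly necessary processing.
const PURPOSES = Object.freeze({
  essential: { required: true, vendors: [] },
  analytics: { required: false, vendors: ["analytics-vendor.example"] },
  marketing: { required: false, vendors: ["ads-vendor.example"] },
});

class ConsentManager {
  constructor({ noticeVersion, purposes = PURPOSES, now = () => new Date() }) {
    this.noticeVersion = noticeVersion; // version of the notice the user saw
    this.purposes = purposes;
    this.now = now;                     // injectable clock for reproducible receipts
    this.granted = new Set();           // nonessential purposes currently consented to
    this.receipts = [];                 // append-only audit log (burden of proof)
    this.cleanups = new Map();          // purpose -> teardown callbacks of loaded vendors
    this.record("init", []);
  }

  record(action, purposes) {
    const receipt = Object.freeze({
      action,
      purposes: [...purposes].sort(),
      noticeVersion: this.noticeVersion,
      timestamp: this.now().toISOString(),
    });
    this.receipts.push(receipt);
    return receipt;
  }

  // Granular opt-in: the caller passes exactly the purposes the user ticked.
  accept(purposes) {
    for (const p of purposes) {
      if (!(p in this.purposes)) throw new Error(`unknown purpose: ${p}`);
      if (!this.purposes[p].required) this.granted.add(p);
    }
    return this.record("accept", purposes);
  }

  acceptAll() {
    return this.accept(Object.keys(this.purposes).filter((p) => !this.purposes[p].required));
  }

  // Deny/withdraw is symmetric with accept and stops dependent processing at once.
  withdraw(purposes = [...this.granted], action = "withdraw") {
    for (const p of purposes) {
      this.granted.delete(p);
      for (const teardown of this.cleanups.get(p) || []) teardown();
      this.cleanups.delete(p);
    }
    return this.record(action, purposes);
  }

  isAllowed(purpose) {
    const def = this.purposes[purpose];
    return Boolean(def) && (def.required || this.granted.has(purpose));
  }

  // Gate for vendor code: run `loader` only if the purpose is allowed and keep the
  // teardown it returns so a later withdrawal can undo the load.
  runIfAllowed(purpose, loader) {
    if (!this.isAllowed(purpose)) return false;
    const teardown = loader();
    if (typeof teardown === "function") {
      if (!this.cleanups.has(purpose)) this.cleanups.set(purpose, []);
      this.cleanups.get(purpose).push(teardown);
    }
    return true;
  }

  // New purposes or vendors: consent given for the old notice no longer covers the
  // new processing, so every nonessential purpose reverts to "not consented".
  updateNotice(newVersion) {
    if (newVersion === this.noticeVersion) return false;
    const previously = [...this.granted];
    this.noticeVersion = newVersion;
    this.withdraw(previously, "notice-change");
    return true;
  }

  // What you hand over for a DSAR or show a DPA: current state plus full history.
  exportRecord() {
    return { noticeVersion: this.noticeVersion, granted: [...this.granted].sort(), receipts: [...this.receipts] };
  }
}

// One visit: nothing loads before consent, granular accept, then withdrawal.
function demo() {
  const cm = new ConsentManager({ noticeVersion: "2024-05" });
  const loaded = [];
  const analyticsLoader = () => {
    loaded.push("analytics");
    return () => loaded.splice(loaded.indexOf("analytics"), 1); // teardown
  };
  const beforeConsent = cm.runIfAllowed("analytics", analyticsLoader); // false
  cm.accept(["analytics"]);                                            // marketing still denied
  const afterConsent = cm.runIfAllowed("analytics", analyticsLoader);  // true
  const marketing = cm.runIfAllowed("marketing", () => loaded.push("marketing")); // false
  cm.withdraw(["analytics"]);                                          // teardown runs
  return { beforeConsent, afterConsent, marketing, loaded: [...loaded], receiptCount: cm.receipts.length };
}
```

In a browser, `loader` would insert the vendor’s script tag and the teardown would remove it and delete the cookies it set, since stopping future collection is not enough once a tracker has already written state. Receipts should be persisted server-side, keyed to a pseudonymous consent ID, so that they survive the user clearing cookies and can be produced for a DPA audit or a DSAR.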

Step 8: Review and update your Privacy Policy regularly

  • The GDPR sets no fixed review interval, but reviewing your processing operations and any changes in the law at least every 12 months is a sensible cadence. Update the Privacy Policy and its effective date whenever something has changed, and record that the review took place even if nothing did. 
  • Transparency: Ensure that the information users must be notified about is clear, comprehensive, and up to date, and that the date of the last update is clearly visible.
  • Recipients: Keep the list of third parties (or categories of recipients) that receive personal data, and of any transfers outside the EU, current in the Policy and consistent with your records of processing activities (Article 30). The GDPR has no “categories of data sold in the past 12 months” disclosure; what it requires is an accurate, current list of recipients.
  • Asking again: If a user has declined, do not re-prompt on every visit; repeated prompting can amount to nudging. The GDPR sets no fixed waiting period, so follow your supervisory authority’s cookie guidance on how long to wait before asking again, and in any case ask again whenever the purposes or the vendors change.