1. Have you identified all the activities involving personal data in your business or organisation?
2. Do you have a complete record of your data processing activities (ROPA)?
3. Do you only collect the data that is necessary?
4. Do you have an internal process to ensure that requests are identified and processed within a set timeframe?
5. Do you seek consent before collecting any personal data?
6. Have you secured the personal data that you process - both digital and printed?
7. Is someone responsible for managing GDPR compliance within your business or organisation?
8. Has your business or organisation implemented procedures to manage data breaches?
9. Do you have control over third-party services that handle personal data on your behalf?
10. Do you inform individuals about their data’s purpose, use, and retention?