In a nutshell: The GDPR imposes strict obligations on any company that processes personal data in Europe, with heavy penalties for noncompliance. To comply, companies must map their data, verify the legal bases for processing, obtain valid consent, and ensure that data processing is secure. This guide provides a comprehensive checklist of tests and verifications to perform to ensure compliance with the GDPR.
Compliance with the General Data Protection Regulation (GDPR) is essential for all companies that process personal data in Europe.
The GDPR, which took effect in 2018, establishes strict requirements to ensure that individuals' information is collected, stored, and used in a secure and transparent manner.
However, complying with all the requirements of the GDPR can seem complex. A structured approach, based on regular testing and systematic checks, is essential for assessing and maintaining your compliance.
So, what exactly should be tested and verified?
In this article, discover a comprehensive checklist to guide you through your GDPR compliance process.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation that harmonizes the processing of personal data throughout the European Union (EU).
This regulation holds companies accountable for the collection, storage, use, and transfer of personal data. It aims to protect the data rights of European citizens.
Thus, each person concerned may:
- Request the deletion of one's personal data,
- Knowing where this information is stored,
- Understand how they are used.
Consequences of Noncompliance
Failure to comply with the GDPR exposes companies to significant penalties: fines of up to 20 million euros or 4% of global annual revenue.
This underscores the importance of constant vigilance and strict compliance through regular testing and verification.
The Five Key Principles of the GDPR
The National Commission for Information Technology and Civil Liberties (CNIL) has defined five fundamental principles to ensure compliance with the GDPR:
1. Purpose: Data must be collected for a specific, explicit, and legitimate purpose. It must not be reused later for any other purpose.
2. Relevance: Only data that is strictly necessary to achieve the intended purpose should be collected.
3. Limited retention period: Personal data must be retained only for as long as is necessary to fulfill the purpose for which it was collected.
Subsequently, they must be deleted, anonymized, or archived in accordance with applicable legal requirements.
4. Security: The data controller must take all necessary technical and organizational measures to ensure the integrity and confidentiality of the data and to prevent any unauthorized access by third parties.
5. Individual rights: People must retain control over their personal data.
Every individual has the following rights, which they may exercise by contacting the data controller:
- Access to one's data and the ability to obtain a copy of it,
- Correction of inaccurate or incomplete data,
- Objection to their use (except where required by law, such as registration in a civil registry).
Who is subject to the GDPR?
The GDPR applies to a wide range of entities that process personal data, whether they are located in the European Union (EU) or not.
In other words, the regulation has extraterritorial reach, which means it can apply to organizations located outside the EU if they process the personal data of EU residents.
GDPR compliance is mandatory for:
Data controllers: organizations or individuals who determine the purposes and means of processing personal data.
Subcontractors: entities that process personal data on behalf of data controllers.
Data subjects: individuals whose personal data is collected and processed by an organization.
GDPR Compliance Checklist
1. Map and identify your personal data
The first step is to identify the data you collect and its flow within your company:
- What data do you collect? (names, email addresses, IP addresses, phone numbers, etc.).
- Where are they stored? (internal servers, the cloud, third-party services).
- Why are you collecting them? Make sure each collection has a clear and legitimate purpose.
- Who has access? Limit access to only authorized individuals within your organization.
Tip: Keep a treatment log to document this information.
2. Verify the legal basis for data processing
Every instance of data collection or processing must have a legal basis.
The right questions to ask:
- Did you obtain explicit consent?
- Is this required for a contract? For example, to provide a service or deliver a product.
- Is there a legal requirement? Such as keeping invoices or civil registry records.
- Is this in your legitimate interest? Of course, this interest must not infringe on the rights of the individuals concerned.
3. Make sure you obtain valid consent
Consent is at the heart of the GDPR. To be compliant:
- Use clear and simple forms, free of legal jargon.
- Provide an easily accessible option to opt out or withdraw consent.
- Keep a record of the consents obtained, including the date and context.
Example: If you send newsletters, make sure to include a checkbox that is not pre-checked so that the user can explicitly give their consent.
4. Protect Your Personal Data
A few essential measures when it comes to data security:
- Data Encryption: Protect sensitive information with encryption.
- Access Control: Only authorized individuals should have access to the data.
- Regular audits and tests: Conduct security tests (penetration tests, audits) to detect vulnerabilities.
- Incident Response Plan: Develop a clear procedure for responding to a data breach (notification to the CNIL and the affected individuals).
5. Respect users' rights
Data subjects have rights regarding their personal data, and it is your responsibility, as a company, to provide them with simple and accessible ways to exercise those rights.
- Data Access: Provide users with a way to access their information.
- Correction and Deletion: Allow them to correct or delete their data upon request.
- Data portability: Make it easier to transfer their information in a clear and structured format.
- Opposition: Respect their refusal to have their data used, particularly for marketing purposes.
Tip: Create a dedicated page or email address where users can submit their requests.
6. Audit Your Contractors and Third-Party Service Providers
If you use third-party service providers to process data (hosting providers, CRM systems, marketing tools), make sure they also comply with the GDPR:
- Compliant Contracts: Include clauses specifying your subcontractors’ data protection obligations.
- Regular verification: Audit their practices to ensure compliance.
- Notification in the event of a data breach: Make sure they alert you promptly in the event of a data breach.
7. Implement a compliant cookie policy
If your website uses cookies, inform your users and obtain their consent:
- Add a clear consent banner with options to accept, decline, and customize.
- Do not set any cookies until the user has given their explicit consent.
- Provide a link to your privacy policy for more details.
8. Update your privacy policies
Your privacy policy must be easily accessible (usually via a link in the footer of your website) and written in clear, understandable language.
It must include:
- Why you collect data.
- What types of data are collected?
- How they are used and protected.
- Users' rights and how they can exercise them.
9. Assess risks using a data impact assessment (DIA)
For high-risk processing activities (for example, the collection of sensitive data or large-scale surveillance), conduct a Data Protection Impact Assessment (DPIA):
- Identify risks to people's rights.
- Implement measures to mitigate them.
- Consult the CNIL if the risks cannot be mitigated.
10. Develop a contingency plan in the event of a breach
No system is foolproof. In the event of a data breach:
- Identify the source of the problem and block access to the data.
- Notify the CNIL within 72 hours.
- Notify the affected users if their rights are at risk.
- Document the incident and strengthen your security measures.
Ensure your GDPR compliance with Mr Suricate
Mr Suricate helps Mr Suricate ensure GDPR compliance by guaranteeing the security and reliability of your IT systems.
With our comprehensive suite of tests, we help you identify and fix potential vulnerabilities in your system.
Our solutions are designed to help you comply with the key principles of the GDPR: purpose, relevance, retention period, data security, and user rights.
Take back control of your applications by detecting bugs in real time on your websites, mobile apps, and APIs. We simulate user journeys at regular intervals to ensure continuous, high-performance monitoring.
FAQ
What is the GDPR?
The General Data Protection Regulation, in effect since 2018, governs the processing of personal data in Europe. It requires transparency, security, and respect for individuals’ rights, with penalties for noncompliance.
What are the risks of non-compliance with the GDPR?
Fines of up to several million euros or a percentage of revenue, as well as damage to the company’s reputation and customer trust.
How can you verify your GDPR compliance?
By following a checklist: map the data, verify the legal basis, ensure valid consent, and secure data processing. Regular testing (forms, cookies, consent) helps ensure compliance.

