GDPR Compliance Checklist and Requirements for 2025

For consumers and businesses, a GDPR compliance checklist helps everyone understand how to protect data, how to manage their data with companies, and what steps can be taken to limit how their data is used or prevent data breaches.
Throughout this article, we will discuss in depth what steps should be monitored when following a GDPR compliance checklist to avoid fines or legal consequences. This checklist serves as a useful tool for consumers and businesses, so they know exactly how they can protect data effectively.
Table of contents
- GDPR overview
- Who has to comply with GDPR?
- GDPR compliance checklist
- Risk of non-compliance with GDPR
- Get GDPR Compliance with Internxt
- Frequently asked questions
GDPR overview
The General Data Protection Regulation, or GDPR, is a legal framework introduced by the European Union in 2018 to protect the personal data of individuals within the EU.
Its main goal is to give people more control over how their data is collected, used, and shared, while holding organizations accountable for protecting that data. Many people choose European tech companies, such as Internxt, as the GDPR has increased transparency and measures to ensure their data is handled securely and respectfully.
Who has to comply with GDPR?
Organizations based in the EU that handle the personal data of people in the European Union must comply with the GDPR, and a GDPR compliance checklist helps them do so.
This includes businesses, non-profits, and public authorities. Even if this company is not based in the EU, it must comply if it markets to, provides services to, or tracks the activities of people in this region.
Finally, GDPR applies no matter the size of the organization, although smaller businesses may have fewer obligations if they process limited or low-risk data.
For example, a small local business will need to follow GDPR for how it handles customer names or email addresses, but it will have fewer obligations than a large corporation that processes payment information.
GDPR compliance checklist
Identify and audit personal data
The first step when creating or following a GDPR compliance checklist is to build a clear record of what personal data you collect, why you collect it, where it’s stored, how it’s used, and who has access to it.

Once complete, both physical and online data should be monitored, meaning databases, emails, cloud storage, marketing data, and any physical documents containing customer data. It’s also important to consider the type of information that is being collected.
For example, financial and health information are frequently targeted by hackers because of their value for identity theft or fraud, so they require more stringent data protection.
By following this step, companies can easily show compliance and accountability in their GDPR compliance plan.
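The audit step above is easier to start when a script first points out which fields look like personal data. The following is an added example, not Internxt's code: a heuristic scanner that classifies the fields of a dataset by name and by value shape (email, IPv4 address, phone number) and emits inventory rows with the location and protection level the record should carry. The sample CRM export, the store location, and the thresholds are constructed for illustration.

```javascript
// Added example (not Internxt's code): heuristic discovery of personal-data
// fields in a dataset, as a starting point for a GDPR data inventory.
// Sample records, field names and the 80% match threshold are constructed.

// Value-shape detectors: each returns true when a string looks like that identifier.
const VALUE_DETECTORS = {
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/.test(v),
  ipv4: (v) =>
    /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.test(v) &&
    v.split(".").every((octet) => Number(octet) <= 255),
  phone: (v) => /^\+?[\d\s().-]{7,20}$/.test(v) && v.replace(/\D/g, "").length >= 7,
};

// Field-name hints for data whose value shape is not distinctive.
// "special" marks the special categories that need stricter protection.
const NAME_HINTS = [
  { pattern: /name/i, category: "name", special: false },
  { pattern: /address|street|city|postcode|zip/i, category: "postal address", special: false },
  { pattern: /health|diagnos|medical/i, category: "health data", special: true },
  { pattern: /religio|belief/i, category: "religious or philosophical beliefs", special: true },
  { pattern: /ethnic|racial/i, category: "racial or ethnic origin", special: true },
  { pattern: /politic/i, category: "political opinions", special: true },
  { pattern: /sexual/i, category: "sexual orientation", special: true },
  { pattern: /biometric|fingerprint/i, category: "biometric data", special: true },
];

// Classify one field from its name and its observed values.
// Returns null when nothing suggests the field holds personal data.
function classifyField(fieldName, values) {
  const strings = values.filter((v) => typeof v === "string" && v.length > 0);
  for (const hint of NAME_HINTS) {
    if (hint.pattern.test(fieldName)) return { category: hint.category, special: hint.special };
  }
  for (const [category, detect] of Object.entries(VALUE_DETECTORS)) {
    // Require a clear majority of values to match so one stray string does not misfile a column.
    const hits = strings.filter(detect).length;
    if (strings.length > 0 && hits / strings.length >= 0.8) {
      return { category, special: false };
    }
  }
  return null;
}

// Build inventory rows for one data store: which fields hold personal data,
// how strictly they must be protected, and where the store lives.
function buildInventory(storeName, location, records) {
  const fieldNames = new Set();
  records.forEach((r) => Object.keys(r).forEach((k) => fieldNames.add(k)));
  const rows = [];
  for (const field of fieldNames) {
    const cls = classifyField(field, records.map((r) => r[field]));
    if (!cls) continue;
    rows.push({
      store: storeName,
      location,
      field,
      category: cls.category,
      protection: cls.special ? "stringent" : "standard",
      recordCount: records.filter((r) => r[field] != null).length,
    });
  }
  return rows;
}

// Constructed sample: a CRM export as a company might find it during an audit.
// The free-text "notes" column contains health information that no heuristic
// catches; free-text fields always need a manual review.
const SAMPLE_CRM = [
  { id: 1, full_name: "Ana Example", contact: "ana@example.com", last_ip: "203.0.113.7", plan: "pro", notes: "prefers email" },
  { id: 2, full_name: "Bo Sample", contact: "bo@example.net", last_ip: "198.51.100.23", plan: "free", notes: "diabetic, needs accessible docs" },
  { id: 3, full_name: "Cy Test", contact: "cy@example.org", last_ip: "192.0.2.44", plan: "pro", notes: "" },
];

console.table(buildInventory("crm-export", "marketing shared drive (constructed)", SAMPLE_CRM));
```

Run it with Node and the table lists full_name, contact and last_ip as personal data while plan and id are ignored. The notes column is deliberately missed: the scanner narrows the manual work, it does not replace it.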
Website security
A website’s security is an essential tool in a GDPR compliance checklist. Without it, companies are vulnerable to data leaks and cyberattacks that will lead to heavy fines and loss of customer trust.
One of the essential steps companies must take for website security is implementing HTTPS with a valid SSL/TLS certificate so that data sent between the user and the server is encrypted.
From there, the website’s platform and software need regular monitoring to ensure everything is up to date, as poor maintenance and outdated software leave known vulnerabilities open and are a common cause of data breaches.
In addition, the website's backend should have the necessary access controls and security protocols to prevent attacks. Some platforms use open source software for extra transparency, making their code available for review by experts to identify and prevent security issues.
If possible, carry out regular security audits to verify your platform's security and fix any potential vulnerabilities. Companies like Internxt show GDPR compliance by making all of their source code open source and going through regular security audits from Securitum.
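A quick way to verify the HTTPS requirement above is to check the responses a site actually returns. What follows is an added example, not Internxt's code and not tied to any audit Securitum performs: a checker that takes a response object shaped like { url, status, headers } and reports whether plain HTTP redirects to HTTPS, whether HSTS is set with a long max-age, and whether cookies carry the Secure and HttpOnly attributes. The HSTS and cookie checks go slightly beyond the article's single sentence on HTTPS but enforce the same goal; the sample responses and the one-year max-age threshold are constructed.

```javascript
// Added example (not Internxt's code): offline checker for the transport-security
// basics of a website. Responses are constructed objects; in practice you would
// build them from the result of a fetch() against your own site.

// Parse one Set-Cookie header into the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name, secure: flags.has("secure"), httpOnly: flags.has("httponly") };
}

// Return all values of a header as an array (headers are lower-cased by the caller).
function headerValues(headers, name) {
  const v = headers[name.toLowerCase()];
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

const ONE_YEAR_SECONDS = 31536000; // assumed minimum HSTS max-age for this check

// Review one response and return a list of findings (empty list = nothing to fix).
function assessTransportSecurity(response) {
  const findings = [];
  const url = new URL(response.url);
  const headers = Object.fromEntries(
    Object.entries(response.headers).map(([k, v]) => [k.toLowerCase(), v])
  );

  if (url.protocol === "http:") {
    // A plain-HTTP request must be redirected to HTTPS, never answered with content.
    const location = headerValues(headers, "location")[0];
    const redirects =
      response.status >= 301 && response.status <= 308 &&
      typeof location === "string" && location.startsWith("https://");
    if (!redirects) findings.push("plain HTTP served content instead of redirecting to HTTPS");
    return findings; // remaining checks only apply to the HTTPS response
  }

  const hsts = headerValues(headers, "strict-transport-security")[0];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security header");
  } else {
    const maxAge = /max-age=(\d+)/i.exec(hsts);
    if (!maxAge || Number(maxAge[1]) < ONE_YEAR_SECONDS) findings.push("HSTS max-age below one year");
  }

  for (const raw of headerValues(headers, "set-cookie")) {
    const c = parseSetCookie(raw);
    if (!c.secure) findings.push(`cookie ${c.name} lacks Secure`);
    if (!c.httpOnly) findings.push(`cookie ${c.name} lacks HttpOnly`);
  }
  return findings;
}

// Constructed responses: one hardened, one weak, one that serves content over HTTP.
const GOOD_RESPONSE = {
  url: "https://shop.example/", status: 200,
  headers: {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Set-Cookie": ["session_id=abc; Secure; HttpOnly; SameSite=Lax"],
  },
};
const WEAK_RESPONSE = {
  url: "https://shop.example/", status: 200,
  headers: { "Set-Cookie": ["session_id=abc; Path=/"] },
};
const HTTP_SERVED = { url: "http://shop.example/", status: 200, headers: {} };

for (const r of [GOOD_RESPONSE, WEAK_RESPONSE, HTTP_SERVED]) {
  console.log(r.url, assessTransportSecurity(r));
}
```

The weak response yields three findings (no HSTS, cookie without Secure, cookie without HttpOnly) and the plain-HTTP response one; the hardened response yields none. Feeding the checker real responses from a staging site turns it into a cheap regression test that runs alongside the periodic audits.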
Implement other security measures
In addition to website security, other measures that protect user data include encryption, backups of important databases, firewalls, access controls that block unauthorized access, and anti-malware tools that remove spyware or ransomware.

Carrying out regular security audits will also help demonstrate compliance, accountability, and eliminate potential threats to data held by a company.
Transparent privacy policy
Your privacy policy should be written in simple, straightforward language that avoids legal jargon so that anyone can easily read and understand it.
This policy should explain what data is collected, why it is collected, how long it will be kept, and whether it will be shared with third parties.
It should also be clear and easy to find, without being hidden behind links or difficult-to-navigate pages. Therefore, it should be shown at the point where personal data is collected, such as when signing up for a newsletter or buying a product.
If your company has a Data Protection Officer, their contact details should be given so users know how to exercise their rights.
Cookie banners
GDPR does not allow businesses to place non-essential cookies, like tracking or advertising, without first obtaining clear and informed consent from the customer.
Pre-ticked boxes or implied consent are not valid under GDPR. Instead, the banner should provide users with clear options to accept, reject, or customize their cookie preferences.
Strictly necessary cookies, such as those that keep a login session alive, do not require consent, but they should still be explained in the policy.
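The consent rules above translate directly into code: nothing non-essential is written until the user actively opts in, and a later refusal removes what was set. The block below is an added example, not Internxt's code. It keeps a small cookie catalogue, starts every non-essential category unselected (no pre-ticked boxes), records when a decision was made, and gates every cookie write on that decision. The cookie store is a Map so the logic runs in Node; in a page you would back it with document.cookie. Cookie names, categories and dates are constructed.

```javascript
// Added example (not Internxt's code): consent-gated cookie handling.
// Non-essential cookies are written only after an explicit opt-in; "no choice yet"
// is treated as refusal. The jar is a Map so this runs outside a browser.

// Cookie catalogue (constructed): only the "essential" category is exempt from consent.
const COOKIE_CATALOGUE = {
  session_id: { category: "essential", purpose: "keeps you logged in" },
  csrf_token: { category: "essential", purpose: "protects forms against cross-site request forgery" },
  _analytics: { category: "analytics", purpose: "measures page usage" },
  _ads_id: { category: "advertising", purpose: "personalises advertising" },
};

const NON_ESSENTIAL = ["analytics", "advertising"];

// No pre-ticked boxes: every non-essential category starts unselected, and
// decidedAt === null means the banner has not been answered.
function defaultConsent() {
  return { analytics: false, advertising: false, decidedAt: null };
}

// Build a consent record from what the user actively selected in the banner.
// `choices` holds the checkbox states; anything missing counts as refused.
function recordConsent(choices, now = new Date()) {
  const consent = defaultConsent();
  for (const cat of NON_ESSENTIAL) consent[cat] = choices[cat] === true;
  consent.decidedAt = now.toISOString(); // evidence of when and what was agreed
  return consent;
}

// Handlers for the banner's "accept all" and "reject all" buttons.
const acceptAll = (now) => recordConsent({ analytics: true, advertising: true }, now);
const rejectAll = (now) => recordConsent({}, now);

// May this cookie be set under the current consent?
function isAllowed(cookieName, consent) {
  const entry = COOKIE_CATALOGUE[cookieName];
  if (!entry) return false; // unknown cookies are never set
  if (entry.category === "essential") return true;
  return consent.decidedAt !== null && consent[entry.category] === true;
}

// Write a cookie only when allowed; returns whether it was written.
function setCookie(jar, name, value, consent) {
  if (!isAllowed(name, consent)) return false;
  jar.set(name, value);
  return true;
}

// Apply a new decision to an existing jar: delete cookies whose category is now refused.
function enforceConsent(jar, consent) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    if (!isAllowed(name, consent)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Walk through a visit: banner shown, partial opt-in, later withdrawal.
function demo() {
  const jar = new Map();
  let consent = defaultConsent();                      // nothing chosen yet
  setCookie(jar, "session_id", "abc", consent);        // essential: allowed without consent
  setCookie(jar, "_analytics", "u1", consent);         // refused: no decision yet
  consent = recordConsent({ analytics: true }, new Date("2025-01-15T10:00:00Z"));
  setCookie(jar, "_analytics", "u1", consent);         // now allowed
  setCookie(jar, "_ads_id", "x", consent);             // still refused
  consent = rejectAll(new Date("2025-02-01T09:00:00Z")); // user withdraws consent
  const removed = enforceConsent(jar, consent);
  return { cookies: [...jar.keys()], removed };
}

console.log(demo());
```

After the walk-through only session_id remains and _analytics is listed as removed, which is the behaviour a regulator expects: withdrawing consent must be as easy as giving it, and it must take effect on cookies already set.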
Review contracts with third parties
If your company shares personal data with a processor, there must be a written contract in place that clearly outlines each party’s responsibilities for data protection.
The same rules of the GDPR apply to these third parties, meaning a contract should specify how personal data will be processed, the purpose of processing, the security measures in place, and the obligations of the processor to comply with GDPR.
Review international data transfer
Any data sent outside the European Union must be protected to the same standard as within the EU, even if the company isn’t based within the EU.
Some countries appear on the EU’s list of “adequate countries,” meaning data transfers can proceed without adding any additional security measures.
If this isn’t the case, additional measures need to be taken, such as including contractual clauses approved by the European Commission, assessing the risks of weaker local data protection laws, and using methods such as data encryption to mitigate these risks.
Follow user requests
Following user requests is a core requirement of a GDPR compliance checklist: companies must respond promptly to customers who want to exercise their right to manage their data.

These requests include access to the personal data an organization holds about them, requesting corrections to any inaccurate information, asking for their data to be erased, or receiving their data in a portable format to transfer it to another service.
These requests must be handled within the one-month timeframe required by GDPR.
Have a plan to detect, report, and investigate data breaches
If the worst happens and a company is targeted in a data breach, then a clear data breach response plan must be activated immediately to prevent further damage.
If a breach is detected, the organization must report it to the relevant supervisory authority within 72 hours if there is a risk to individuals’ rights and freedoms.
A solid data breach response plan should include:
- Who is responsible for managing and limiting a data breach.
- Procedures for containing and assessing the impact.
- Monitoring systems for unusual activity.
- Using security tools to identify vulnerabilities.
- Training staff to recognize signs of a breach.
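Two items of the plan above, monitoring for unusual activity and the 72-hour clock, can be exercised on sample data before a real incident. The block below is an added example, not Internxt's code: it parses constructed application log lines, flags two common breach indicators (a burst of failed logins followed by a success, and an unusually large export of a customer table), and opens an incident record whose notification deadline is 72 hours after detection. The log format, the thresholds and the timestamps are assumptions made for the example.

```javascript
// Added example (not Internxt's code): scan constructed log lines for breach
// indicators and open an incident record with the 72-hour reporting deadline.
// Log format, thresholds and timestamps are assumptions for the example.

// Constructed log: one account brute-forced from one IP, then a bulk export of
// the customers table; a second user behaves normally.
const SAMPLE_LOG = [
  "2025-03-10T02:14:05Z auth user=alice ip=198.51.100.9 result=fail",
  "2025-03-10T02:14:09Z auth user=alice ip=198.51.100.9 result=fail",
  "2025-03-10T02:14:31Z auth user=alice ip=198.51.100.9 result=fail",
  "2025-03-10T02:15:12Z auth user=alice ip=198.51.100.9 result=fail",
  "2025-03-10T02:16:02Z auth user=alice ip=198.51.100.9 result=fail",
  "2025-03-10T02:16:40Z auth user=alice ip=198.51.100.9 result=ok",
  "2025-03-10T02:20:11Z export user=alice records=48000 table=customers",
  "2025-03-10T09:02:00Z auth user=bob ip=203.0.113.5 result=ok",
  "2025-03-10T09:05:13Z export user=bob records=120 table=customers",
];

// Assumed thresholds: tune them to what "normal" looks like in your own logs.
const THRESHOLDS = {
  failedLogins: 5,              // failures before a success becomes suspicious
  windowMs: 10 * 60 * 1000,     // failures must fall within this window
  exportRecords: 10000,         // a single export of this size is abnormal
};

// "<ISO timestamp> <event> key=value key=value ..."
function parseLine(line) {
  const [ts, event, ...rest] = line.split(" ");
  const fields = Object.fromEntries(rest.map((kv) => kv.split("=")));
  return { time: new Date(ts), event, ...fields };
}

function detectIndicators(lines) {
  const events = lines.map(parseLine);
  const findings = [];

  // Indicator 1: many failures for one account from one IP, then a success.
  const failures = new Map(); // "user@ip" -> timestamps of recent failures
  for (const e of events) {
    if (e.event !== "auth") continue;
    const key = `${e.user}@${e.ip}`;
    const list = failures.get(key) || [];
    if (e.result === "fail") {
      list.push(e.time);
      failures.set(key, list);
    } else if (e.result === "ok") {
      const recent = list.filter((t) => e.time - t <= THRESHOLDS.windowMs);
      if (recent.length >= THRESHOLDS.failedLogins) {
        findings.push({ type: "suspicious-login", user: e.user, ip: e.ip, failures: recent.length, time: e.time });
      }
      failures.set(key, []); // a success resets the counter
    }
  }

  // Indicator 2: a single export far larger than normal.
  for (const e of events) {
    if (e.event === "export" && Number(e.records) >= THRESHOLDS.exportRecords) {
      findings.push({ type: "bulk-export", user: e.user, records: Number(e.records), table: e.table, time: e.time });
    }
  }
  return findings;
}

const REPORTING_WINDOW_MS = 72 * 60 * 60 * 1000;

// Open an incident record. The 72-hour clock runs from the moment the
// organization becomes aware of the breach, not from when it happened.
function openIncident(findings, detectedAt) {
  if (findings.length === 0) return null;
  return {
    detectedAt: detectedAt.toISOString(),
    notifyAuthorityBy: new Date(detectedAt.getTime() + REPORTING_WINDOW_MS).toISOString(),
    affectedUsers: [...new Set(findings.map((f) => f.user))],
    indicators: findings,
    status: "contain-and-assess",
  };
}

const found = detectIndicators(SAMPLE_LOG);
console.log(JSON.stringify(openIncident(found, new Date("2025-03-10T02:30:00Z")), null, 2));
```

On the sample log the detector raises two findings for alice (five failures followed by a successful login, then a 48,000-record export) and none for bob, and the incident record sets the supervisory-authority deadline at 2025-03-13T02:30:00Z. In production the same two functions would run over real log streams, and the incident record is the artifact the containment and assessment procedures start from.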
Train employees
As human error is one of the major causes of data breaches, companies must take the time to train employees on how to identify phishing emails, use strong passwords, and protect sensitive data with multiple authentication methods.
Companies that train their employees effectively have seen phishing attempts drop from 30% to between 4 and 6%. Therefore, adding employee training for office and remote workers is a valuable addition to your GDPR compliance checklist to limit phishing and other social engineering tactics from scammers.
Risk of non-compliance with GDPR
Non-compliance with GDPR can put a company out of business due to financial loss, loss of customer trust, and disruption of business operations. Below are some of the biggest and most recent examples of GDPR fines for non-compliance.
Examples of GDPR fines for non-compliance
- May 2023: The Irish Data Protection Commission (DPC) issued a record €1.2 billion fine against Meta for transferring European user data to the United States without adequate protection, violating GDPR's data transfer rules.
- September 2023: The DPC fined TikTok €345 million for processing children's personal data without sufficient safeguards, including making videos public by default and enabling comments on children's accounts.
- October 2024: The DPC imposed a €310 million fine on LinkedIn for using member data for behavioral analysis and targeted advertising without proper consent, violating GDPR's data processing principles.
- August 2024: The Dutch Data Protection Authority fined Uber €290 million for improperly transferring European taxi drivers' personal data to the United States, breaching GDPR's data transfer rules.
Get GDPR Compliance with Internxt
Internxt is a private cloud storage company based in Valencia, Spain. It is the first cloud storage with advanced post-quantum encryption, and has various authentication tools, access controls, and privacy-focused products to protect your data online.
Internxt never shares your data with third parties, as we believe only you should have control over your personal information. Our zero-knowledge policies mean only you can access the files and data you keep in Internxt's cloud storage, unless you choose to share them with others.
Internxt also offers GDPR compliant cloud storage for businesses and S3 storage for large enterprises. Your data is further protected with Internxt plans with cloud storage, VPN, Antivirus, Backups, and private email and video conferencing with Meet and Mail.
Visit the Internxt website to get the best European cloud storage that protects your data, complies with GDPR, and gives you everything you need to live privately online.

Frequently asked questions
What are the 7 principles of GDPR?
A GDPR compliance checklist is based on the following seven principles:
- Lawfulness, fairness, and transparency: Process personal data legally and fairly, and inform individuals about how their data will be used.
- Purpose limitation: Limit data collection for specific and legitimate reasons only.
- Data minimization: Organizations should only collect and use the minimum amount of personal data necessary for their intended purposes.
- Accuracy: Keep personal data accurate and up to date, and correct it if necessary.
- Storage limitation: Do not store data for longer than necessary, and delete or anonymize it once its purpose is fulfilled.
- Integrity and confidentiality: Protect personal data from unauthorized access, loss, or disclosure through appropriate security measures.
- Accountability: Organizations are responsible for following the GDPR principles and should be able to demonstrate their compliance.
What counts as personal data under GDPR?
The GDPR classifies the following as personal data under its guidelines.
- Names and surnames
- Email addresses
- Phone numbers
- Home addresses
- IP addresses or device IDs that can identify a person
- Cookies or online identifiers linked to an individual
- Health information
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sexual orientation
- Biometric data
- Any information that can indirectly identify a person when combined with other data
Do small businesses need to comply with GDPR?
Yes. Compliance is not determined by business size but by the type of data collected, so even a company that only collects names or email addresses must comply with GDPR.
How can I obtain valid consent under GDPR?
To obtain valid consent under GDPR, it must be freely given, specific, informed, and unambiguous.
Individuals must actively indicate their agreement by ticking a box or selecting preferences; consent given by pre-ticked boxes or inactivity is not valid under GDPR, and could lead to fines for non-compliance.
When does a company need a data protection officer?
A company needs a Data Protection Officer, or DPO, under GDPR if it is a public authority or body, if its core activities involve large-scale regular and systematic monitoring of individuals, or if it processes large amounts of special categories of data, such as health information.
What are the penalties for not complying with GDPR?
The maximum fine one can get for non-compliance with the GDPR is up to €20 million or 4% of the annual global turnover, whichever is greater. In some cases, it will not stop with a financial penalty. The authorities may ask you to delete the personal data you hold or stop processing it.