DATA PRIVACY COMPLIANCE CHECKLIST (GDPR, CCPA)
Created by ChecklistGuro (https://checklistguro.com)

--- DATA DISCOVERY & INVENTORY ---
[ ] Describe the types of personal data collected on your website (e.g., name, email, phone number, address, financial information).
[ ] List all lead generation forms and identify the personal data collected by each.
[ ] Which data categories are collected? (Select all that apply) (Name, Email Address, Phone Number, Postal Address, Financial Data (Credit Card, Bank Account), IP Address, Device Information, Demographic Information, Biometric Data (e.g., facial recognition), Other (Specify))
[ ] Approximate number of leads/contacts stored in your CRM/database.
[ ] Upload a data map outlining data flows (where data originates, where it's stored, and how it's processed).
[ ] Which Property Management Software (PMS) is used? (If applicable) (No PMS Used, Yardi, AppFolio, Buildium, Rent Manager, Other (Specify))
[ ] Describe any data stored in physical files (e.g., paper leases, client records).
[ ] Date of last data inventory review.

--- LEGAL BASIS & CONSENT ---
[ ] Primary Legal Basis for Data Processing (GDPR) (Consent, Contract, Legitimate Interest, Legal Obligation, Vital Interest)
[ ] Data Processing Activities Requiring Consent (GDPR) (Marketing Communications, Profiling/Automated Decision-Making, Sharing Data with Third Parties (Non-Essential), Location Tracking)
[ ] Method of Consent Acquisition (Website Banner, Form Checkbox, Click-Through Agreement, Other (Specify in LONG_TEXT))
[ ] If 'Other' consent method was selected, describe the process.
[ ] Date Consent Was Last Obtained/Updated (for major changes)
[ ] Describe the consent recordkeeping process. How is proof of consent documented?
[ ] CCPA - Do you offer a clear 'Do Not Sell' option? (Yes, No, Not Applicable)
[ ] Describe how you ensure consent is freely given and informed.

--- PRIVACY POLICY & NOTICES ---
[ ] Draft Introduction to Privacy Policy
[ ] Describe Types of Data Collected (e.g., contact info, financial data, browsing history)
[ ] Legal Basis for Data Collection (GDPR) (Consent, Legitimate Interest, Contract, Legal Obligation)
[ ] Describe Data Sharing Practices with Third Parties
[ ] Specify Third-Party Service Providers Mentioned in the Policy (Google Analytics, Mailchimp, CRM (Specify), Property Management Software (Specify), Other (Specify))
[ ] Explain Data Retention Periods
[ ] CCPA: Do Not Sell/Share Opt-Out Instructions Included? (Yes, No)
[ ] Contact Information for Privacy Inquiries

--- DATA SUBJECT RIGHTS (GDPR) ---
[ ] Date of Access Request Received
[ ] Description of Access Request
[ ] Date of Rectification Request Received
[ ] Description of Rectification Request
[ ] Date of Erasure Request Received
[ ] Description of Erasure Request
[ ] Date of Restriction Request Received
[ ] Description of Restriction Request
[ ] Date of Data Portability Request Received
[ ] Description of Data Portability Request

--- CONSUMER RIGHTS (CCPA) ---
[ ] Consumer Request Received Date
[ ] Consumer Request Details (Specific request, e.g., right to know, right to delete)
[ ] Request Type (Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing)
[ ] Number of Data Points Returned (for Right to Know)
[ ] Date Data Was Deleted/Corrected (for Right to Delete/Correct)
[ ] Verification Method Used (Email Verification, Phone Verification, Security Questions, Other)
[ ] Notes/Comments (e.g., Verification issues, Special circumstances)
[ ] Date of Consumer Verification Completion
[ ] Request Status (Pending, Verified, Completed, Rejected)

--- DATA SECURITY & BREACH RESPONSE ---
[ ] Encryption Strength (Key Length in Bits)
[ ] Security Controls Implemented (Select all that apply) (Firewalls, Intrusion Detection/Prevention Systems, Data Encryption (at rest and in transit), Access Controls (Role-Based Access Control), Regular Security Audits, Vulnerability Scanning, Endpoint Protection (Antivirus/Anti-Malware))
[ ] Summary of Data Security Incident Response Plan
[ ] Last Security Risk Assessment Date
[ ] Data Breach Notification Process: Who is responsible? (Dedicated Security Officer, Legal Counsel, Data Protection Officer (DPO), Designated Team)
[ ] Number of Employees Trained on Data Security Best Practices (and training frequency)
[ ] Upload: Copy of Incident Response Plan Document
[ ] Describe employee training provided, including content and frequency
[ ] Method for Secure Data Deletion (Overwriting, Degaussing, Physical Destruction)

--- THIRD-PARTY VENDOR MANAGEMENT ---
[ ] Vendor Data Processing Agreement (DPA) in Place? (Yes, No, N/A - No Vendors)
[ ] What data categories does the vendor process on your behalf? (Contact Information (Name, Email, Phone), Financial Data (Credit Card, Bank Account), Location Data, Demographic Data, Health Data, Biometric Data, Other - Specify in LONG_TEXT)
[ ] If 'Other' selected above, please specify data categories.
[ ] Has vendor been assessed for GDPR/CCPA compliance? (Yes, No, In Progress)
[ ] Upload Vendor Assessment Documentation (e.g., SOC 2 report, Privacy Addendum)
[ ] Number of Vendors Requiring Review
[ ] Date of Last Vendor Review

--- LEAD GENERATION & MARKETING ---
[ ] Do you obtain explicit consent for marketing communications? (Yes, always; Sometimes, depending on the communication; No, we rely on legitimate interest; Not applicable)
[ ] Which marketing channels do you use for lead generation? (Website forms, Email marketing, Social media advertising, Paid search advertising, Third-party lead generation services, Other (please specify))
[ ] Describe your process for obtaining consent from leads (e.g., checkboxes, double opt-in).
[ ] Do you provide a clear and accessible opt-out mechanism on your website and in marketing emails? (Yes, No, In progress)
[ ] Date of last review of marketing consent mechanisms.
[ ] Specify the wording used in consent checkboxes for marketing communications (copy and paste).
[ ] Do you conduct Data Privacy Impact Assessments (DPIAs) for marketing campaigns involving special categories of data (e.g., financial information)? (Yes, always; Yes, when required; No)

--- PROPERTY MANAGEMENT (IF APPLICABLE) ---
[ ] Do you use a dedicated Property Management System (PMS)? (Yes, No)
[ ] Describe the data collected from tenants (e.g., contact information, financial data, lease agreements).
[ ] How is tenant consent obtained for marketing communications? (Explicit opt-in, Implied consent, Other (specify))
[ ] Which types of data are shared with third-party vendors (e.g., background check services, maintenance providers)? (Contact Information, Financial Information, Lease Agreements, Maintenance Requests, Other (specify))
[ ] Date of last review of tenant privacy notices.
[ ] Summarize the procedures for responding to tenant data subject requests (GDPR) and consumer rights requests (CCPA).
[ ] Are maintenance requests stored electronically? If so, how is the data secured? (Yes, No, Unsure)
[ ] Upload copy of tenant privacy notice.

--- EMPLOYEE DATA & HR ---
[ ] Is a Data Privacy Impact Assessment (DPIA) conducted for HR processes? (Yes, No, N/A)
[ ] Summarize the HR team's training on data privacy and security.
[ ] Approximate number of employees whose personal data is processed by HR.
[ ] What types of employee data are collected and processed (select all that apply)? (Name, Address, Date of Birth, Social Security Number/National ID, Bank Account Details, Performance Reviews, Medical Information, Recruitment Application Data, Emergency Contact Information)
[ ] Is employee consent obtained for data processing beyond what is strictly necessary for employment? (Yes, No, N/A)
[ ] Date of last employee data privacy training.
[ ] Describe the process for handling employee requests regarding their personal data (access, rectification, deletion).

--- END OF TEMPLATE ---