GDPR Compliance Checklist for ESG Pro Limited


To drive compliance with the GDPR, and in accordance with the principles required of the Global Reporting Institute (GRI) KPI 418, ESG Pro Limited offers its GDPR compliance checklist as a publicly available document.

Our Data Protection Principles:

  1. Lawfulness, Fairness, and Transparency: Ensure that personal data is processed lawfully, fairly, and transparently in relation to the data subject.
  2. Purpose Limitation: Collect personal data only for specified, explicit, and legitimate purposes.
  3. Data Minimization: Ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  4. Accuracy: Keep personal data accurate and up-to-date.
  5. Storage Limitation: Keep personal data in a form that permits identification of data subjects for no longer than necessary.
  6. Integrity and Confidentiality: Ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  7. Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

Rights of Data Subjects:

  1. Right to Information: Inform data subjects about how their data is being used.
  2. Right to Access: Allow data subjects to access their personal data.
  3. Right to Rectification: Permit data subjects to correct inaccurate personal data.
  4. Right to Erasure: Enable data subjects to erase their personal data.
  5. Right to Restrict Processing: Allow data subjects to block or suppress processing of their data.
  6. Right to Data Portability: Enable data subjects to move, copy or transfer personal data easily from one IT environment to another.
  7. Right to Object: Allow data subjects to object to processing of their personal data.
  8. Rights in relation to automated decision making and profiling: Ensure that data subjects are not subject to decisions based solely on automated processing.

Accountability and Governance:

  1. Data Protection Officer (DPO): ESG Pro shall appoint a qualified DPO responsible for data protection compliance.
  2. Policies and Procedures: Develop and implement data protection policies.
  3. Training: Provide training to employees on GDPR compliance.
  4. Record Keeping: Keep detailed records of all data processing activities.
  5. Data Protection Impact Assessment (DPIA): Conduct DPIAs where processing operations are likely to result in high risk to the rights and freedoms of individuals.
  6. Data Breaches: Have procedures in place to detect, report, and investigate personal data breaches.

Data Transfers:

  1. Transfer Mechanisms: Ensure that data transfers outside the EU/UK are lawful.
  2. Documentation: Maintain records of data transfers and the mechanisms applied.

Vendor Management:

  1. Processor Agreements: Ensure that contracts with data processors include GDPR-compliant terms.
  2. Audits and Assessments: Regularly audit data processors for compliance.

Program Establishment:

  1. GDPR Compliance Officer: Assign a GDPR Compliance Officer, even if not required to have a formal DPO.
  2. Cross-Departmental Team: Establish a cross-departmental GDPR compliance team.

Program Development:

  1. Data Mapping: Map out all data processing activities.
  2. Legal Basis for Processing: Identify and document the legal basis for each processing activity.
  3. Privacy Notices: Update privacy notices to meet GDPR requirements.

Program Implementation:

  1. Consent Management: Implement mechanisms to obtain and record consent where needed.
  2. Data Subject Requests: Establish processes to respond to data subject rights requests.
  3. Risk Assessment: Regularly conduct risk assessments to identify and mitigate risks.

Program Maintenance:

  1. Monitoring and Auditing: Implement regular GDPR compliance checks and audits.
  2. Continuous Improvement: Update policies and procedures as necessary.
  3. Incident Response Plan: Maintain an up-to-date incident response plan.

Program Documentation:

  1. Compliance Records: Keep thorough records of all compliance activities.
  2. Training Records: Maintain records of staff training and awareness sessions.

Program Verification:

  1. Third-Party Certification: Consider obtaining GDPR compliance certification from a recognized body.
  2. Legal Review: Have the GDPR compliance program reviewed by legal counsel specializing in data protection law.

Marketing Compliance for GDPR

Email List Building and Marketing Communications:

  1. Explicit Consent for Marketing:
    • Ensure that explicit consent is obtained before any personal data is used for marketing purposes.
    • Use clear, affirmative actions to indicate consent (e.g., ticking a non-pre-filled checkbox).
    • Provide an option for separate consent for different types of marketing (e.g., email, text, phone).
  2. Opt-In Procedures:
    • Where appropriate, implement a double opt-in procedure where the user must confirm their subscription via an email before being added to the list.
    • Keep clear records of consents obtained, including the date, method, and specific consent statement agreed to.
  3. Privacy Notice on Subscription Forms:
    • Clearly display a privacy notice on subscription forms explaining how personal data will be used, stored, and protected.
    • Include information on the frequency and type of communications subscribers will receive.
  4. Default Opt-Out:
    • Ensure that opt-in boxes are not pre-ticked by default.
    • Provide clear opt-out/unsubscribe options in all marketing communications.
  5. Age Verification:
    • Verify the age of subscribers to ensure you are not collecting data from children under the age of consent without parental permission.
  6. Consent Withdrawal:
    • Allow subscribers to withdraw their consent easily at any time.
    • Unsubscribe links should be clear, straightforward to use, and should process the withdrawal of consent immediately.
  7. Segmentation and Targeting:
    • Use data segmentation tools responsibly, ensuring that personal data is processed in line with the explicit consent provided.
    • Avoid creating marketing profiles based on sensitive data unless additional explicit consent is provided.
  8. Regular Consent Updates:
    • Regularly refresh consents to ensure they remain relevant and up-to-date.
    • Review the consent terms and the subscribers’ engagement to confirm that consent is still valid and that subscribers are still interested in receiving communications.
  9. Data Sharing:
    • Do not share or sell email lists without the explicit consent of the individuals on those lists.
    • Ensure third parties with whom data is shared are also compliant with GDPR and have appropriate safeguards.
  10. Training and Awareness:
    • Train all marketing staff on GDPR requirements, particularly relating to consent and personal data handling in marketing.
    • Create an internal policy for marketing practices to ensure GDPR compliance across all marketing activities.
Humperdinck Jackman
Humperdinck leads the daily operations at ESG PRO and specialises in matters of corporate governance. He hails from Bermuda, has twice sailed the Atlantic solo, and recently devoted a few years to fighting poachers in Kenya. Writing about business matters, he is a published author, and his articles have been published in The Times, The Telegraph and various business journals.

