What does the data protection authority investigate regarding GDPR?

One of the novelties introduced by the EU General Data Protection Regulation (GDPR) is the principle of accountability (Article 5(2)). In effect, it reverses the burden of proof: it is not the authority that has to prove you are non-compliant with the data protection rules; you have to be able to demonstrate your compliance, and in practice that means documenting it.

What does this mean specifically?

You have examined whether or not you are required to appoint a Data Protection Officer (DPO). If so, you have appointed a DPO who has sufficient expert knowledge, is independent, receives no instructions regarding the exercise of their tasks, has the necessary resources, and so on; otherwise you have documented the reasons for your decision not to appoint one.

You have reviewed all business processes and identified where personal data are processed. For each process you have completed the record of processing activities (the data protection register required by Article 30).

For each process, you know whether you are the controller or a processor.

An appropriate transfer mechanism (for example an adequacy decision, standard contractual clauses or binding corporate rules) is in place for transfers of personal data outside the EU/EEA, and you can show which one applies to each transfer.

You have checked which data processing activities are likely to result in a high risk to data subjects. You have prepared a separate data protection impact assessment (DPIA) for each such activity.

All data processing activities rely on an appropriate legal basis. Where processing is based on a statutory obligation, you know the specific legislation that requires it. Where processing is based on legitimate interest, a balancing test (legitimate interests assessment) has been prepared and documented. Where processing is based on consent, you can prove that the consent was informed, specific and freely given, and when and how it was obtained.

Employees have received appropriate data protection training, and you make sure that they keep their knowledge up to date. All of the foregoing is documented.

You have reviewed your existing policies to check whether they are compliant with the new rules.

Contracts have been reviewed to check whether they regulate the processing of personal data properly.

It has been ascertained that the software and services you use, such as cloud services, can be operated in accordance with the GDPR, including the requirement of data protection by design and by default.

Your website, direct marketing practices and video surveillance activities are compliant with the Regulation.

Your Privacy Notice contains all required information.

Adequate technical and organisational measures have been implemented to protect the data; for example, personal data can only be accessed by those who have a business need to know them (the "need-to-know" principle), and you can demonstrate how that access is restricted and reviewed.

There are established procedures for detecting, recording and handling personal data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach where required.

Data subjects can exercise their rights (access, rectification, erasure, restriction, portability, objection) through a predetermined procedure, and requests are answered within the statutory time limit of one month, extendable in certain cases.

The above are the most frequently examined tasks, but depending on the nature of your business there will be further questions to answer during an inspection by the competent authority.