GDPR Compliance Checklist
Quick Answer
A GDPR compliance checklist covers data mapping, lawful basis documentation, privacy policies, consent management, data subject rights procedures, security measures, Data Protection Impact Assessments, breach notification processes, and vendor agreements.
GDPR Compliance Checklist
This checklist covers the major GDPR compliance requirements for data controllers and processors. Use it to assess your current compliance posture and identify gaps that need attention.
Key Takeaways
- Start with data mapping — you can't protect data you don't know about
- Every processing activity needs a documented lawful basis
- Consent must be freely given, specific, informed, and unambiguous
- Data subject rights must be actionable within 1 month of request
- 72-hour breach notification to supervisory authority is a hard deadline
1. Data Mapping & Inventory
Data Mapping Requirements
- Identified all personal data collected, processed, and stored
- Mapped data flows: where data comes from, where it goes, who accesses it
- Created a Record of Processing Activities (ROPA) per Article 30
- Identified all data processors and sub-processors
- Documented data retention periods for each processing activity
- Identified any international data transfers
2. Lawful Basis
Lawful Basis Documentation
- Identified lawful basis for each processing activity
- Documented legitimate interest assessments where applicable
- Consent mechanisms meet GDPR requirements (freely given, specific, informed, unambiguous)
- Consent records maintained with evidence of when and how consent was given
- Easy mechanism for withdrawing consent
3. Privacy Information
Privacy Notice Requirements
- Privacy policy/notice is clear, concise, and in plain language
- Includes identity and contact details of the controller
- Lists all purposes of processing and corresponding lawful bases
- Describes data retention periods (or criteria for determining them)
- Explains data subject rights and how to exercise them
- Includes right to lodge a complaint with a supervisory authority
- Describes any international data transfers and safeguards
- Discloses any automated decision-making including profiling
4. Data Subject Rights
Data Subject Rights Procedures
- Process for handling access requests (SAR) within 1 month
- Process for rectification requests
- Process for erasure requests (right to be forgotten)
- Process for data portability requests
- Process for restriction of processing requests
- Process for objection requests (including direct marketing opt-out)
- Identity verification procedures for data subject requests
- Documented procedures for staff handling data subject requests
5. Security Measures
Technical & Organizational Measures
- Encryption of personal data at rest and in transit
- Pseudonymization where appropriate
- Access controls with principle of least privilege
- Regular security testing and vulnerability assessment
- Data backup and recovery procedures
- Incident detection and response capabilities
- Employee security awareness training
- Physical security measures for premises and equipment
6. Breach Notification
Breach Preparedness
- Breach detection and assessment procedures documented
- 72-hour supervisory authority notification process in place
- Individual notification process for high-risk breaches
- Breach register maintained
- Breach response team and roles defined
7. Vendor Management
Data Processor Requirements
- Data Processing Agreements (DPAs) with all processors
- DPAs include all Article 28 required provisions
- Due diligence on processor security measures
- Sub-processor authorization and notification provisions
- International transfer safeguards for non-EU processors
8. DPO & Governance
Governance Requirements
- Assessed whether a Data Protection Officer (DPO) is required
- DPO appointed or documented reasons why one is not required
- Data Protection Impact Assessments (DPIA) conducted for high-risk processing
- Privacy by Design integrated into new projects and features
- Staff training on GDPR requirements and data protection
- Regular compliance reviews and updates
GDPR Compliance Timeline
Month 1-2
Data mapping, ROPA creation, gap assessment, identify lawful bases
Month 2-3
Update privacy policies, implement consent management, set up DSR processes
Month 3-4
Implement security measures, execute DPAs, conduct DPIAs where needed
Month 4-5
Train staff, test breach response, appoint DPO if required
Ongoing
Regular reviews, DPIA for new processing, monitor regulatory updates
Is this checklist exhaustive?
This covers the major GDPR requirements but isn't exhaustive. GDPR has 99 articles and 173 recitals. Specific requirements vary based on your processing activities, industry, and the supervisory authorities relevant to your operations. Use this as a starting point and consult GDPR-specific legal counsel for your situation.
How do I prioritize if I have many gaps?
Start with: (1) data mapping (you need this to address everything else), (2) lawful basis identification, (3) privacy policy update, (4) high-risk processing DPIAs, (5) breach notification procedures. These are the areas most likely to trigger enforcement actions.
Do I need to complete everything before processing EU data?
Technically, you must be compliant before processing begins. In practice, most companies achieve compliance iteratively. Focus on the highest-risk areas first and document your compliance roadmap to demonstrate good faith efforts.
Automate Your GDPR Compliance
Find tools that help you manage data mapping, consent, DSRs, and documentation.
Browse GDPR Tools