GDPR compliance checklist

Requirement | What to check
Lawful Basis for Processing | Do you have an Article 6 basis for each purpose (consent, contract, legal obligation, vital interests, public task, or legitimate interests)?
Data Minimization | Are you collecting only the data needed for each stated purpose?
User Rights | Can users access, correct, delete, or export their data, and object to processing?
Data Protection by Design | Are security measures (encryption, access controls, pseudonymization) built in from the start rather than bolted on afterwards?
Breach Notification | Can you detect breaches, notify the supervisory authority within 72 hours of becoming aware of one (Art. 33), and tell affected users without undue delay when the risk to them is high (Art. 34)?
Data Transfer Safeguards | If personal data leaves the EEA, is an adequacy decision, SCCs, or BCRs in place, backed by a transfer impact assessment?
DPO (Data Protection Officer) | Is a DPO appointed where Art. 37 requires one (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special-category data)?

Step-by-Step GDPR compliance check

Data mapping & inventory

  • Identify all personal data you collect (names, emails, IP addresses, cookies, device identifiers), including copies that end up in logs, backups, and analytics pipelines.

  • Document the processing purposes (e.g., marketing, analytics) and the lawful basis for each.

  • Track data flows (where it’s stored and in which country, who accesses it, which processors receive it).

Tool: Record the result as your Art. 30 Records of Processing Activities (ROPA). Where a processing operation is likely to be high risk (Art. 35), run a Data Protection Impact Assessment (DPIA) using a template such as the EU GDPR DPIA Guidelines.
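One way to keep the inventory honest is to lint it automatically, so that a new processing activity cannot be merged without a purpose, lawful basis, retention period, and transfer safeguard. The script below is an added example, not code from the original page or from any of the tools it names; the record schema (field names such as storage_country, transfer_mechanism, lia_reference, and art9_condition) is an assumption chosen for this example, and the sample inventory is constructed.

```python
"""Lint a data-processing inventory against the checklist above.

Added example, not from the original page. The record schema (field names
such as "storage_country" and "transfer_mechanism") is an assumption chosen
for this example; adapt it to your own ROPA format.
"""

# EEA: the 27 EU member states plus Iceland, Liechtenstein and Norway.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# The six lawful bases of Art. 6(1) GDPR.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation", "vital_interests",
    "public_task", "legitimate_interests",
}

# Chapter V transfer mechanisms this example recognises.
TRANSFER_MECHANISMS = {"adequacy_decision", "sccs", "bcrs"}

# Art. 9 special categories need an Art. 9(2) condition on top of the
# Art. 6 basis.
SPECIAL_CATEGORIES = {
    "health", "biometric", "genetic", "racial_or_ethnic_origin",
    "political_opinions", "religious_beliefs", "trade_union_membership",
    "sex_life_or_orientation",
}

REQUIRED_FIELDS = (
    "activity", "purpose", "lawful_basis", "data_categories",
    "storage_country", "retention_days", "recipients",
)


def lint_activity(a):
    """Return the checklist findings for one processing activity."""
    findings = []
    for field in REQUIRED_FIELDS:
        if a.get(field) in (None, "", []):
            findings.append(f"missing field: {field}")

    basis = a.get("lawful_basis")
    if basis and basis not in LAWFUL_BASES:
        findings.append(f"unknown lawful basis: {basis}")
    # Legitimate interests must be backed by a documented balancing test
    # (legitimate interests assessment, LIA).
    if basis == "legitimate_interests" and not a.get("lia_reference"):
        findings.append("legitimate interests claimed without a documented LIA")

    categories = set(a.get("data_categories") or [])
    if categories & SPECIAL_CATEGORIES and not a.get("art9_condition"):
        findings.append("special-category data without an Art. 9(2) condition")

    retention = a.get("retention_days")
    if isinstance(retention, int) and retention <= 0:
        findings.append("retention period must be a positive number of days")

    country = a.get("storage_country")
    if country and country not in EEA and a.get("transfer_mechanism") not in TRANSFER_MECHANISMS:
        findings.append(f"stored in {country} (outside the EEA) without adequacy decision, SCCs or BCRs")
    return findings


def lint_inventory(inventory):
    """Map each activity name to its findings; an empty list means it passed."""
    return {a.get("activity") or "<unnamed>": lint_activity(a) for a in inventory}


# Constructed sample inventory (not real data): one clean entry, two with gaps.
SAMPLE_INVENTORY = [
    {"activity": "crm", "purpose": "customer account management",
     "lawful_basis": "contract", "data_categories": ["name", "email"],
     "storage_country": "IE", "retention_days": 2190,
     "recipients": ["support team"]},
    # Legitimate interests with no LIA, hosted in the US with no transfer mechanism.
    {"activity": "newsletter_analytics", "purpose": "measure campaign engagement",
     "lawful_basis": "legitimate_interests",
     "data_categories": ["email", "ip_address"], "storage_country": "US",
     "retention_days": 365, "recipients": ["email service provider"]},
    # Health data with no Art. 9(2) condition, no retention period, no recipients.
    {"activity": "occupational_health", "purpose": "sick-leave administration",
     "lawful_basis": "legal_obligation", "data_categories": ["name", "health"],
     "storage_country": "DE", "retention_days": None, "recipients": []},
]

if __name__ == "__main__":
    for name, findings in lint_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it in CI against the inventory file so a failing activity blocks the change; the EEA and adequacy logic here is deliberately minimal (it does not track which non-EEA countries currently hold an adequacy decision), so record the mechanism explicitly per activity rather than inferring it.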

User Rights (Articles 15-22)

Verify users can:

  • Access their data (DSAR – Data Subject Access Request). Respond within one month of receipt (Art. 12(3)), extendable by two further months for complex requests, and verify the requester’s identity before releasing anything, so a DSAR cannot be used to pull someone else’s data out of your systems.

  • Rectify incorrect data.

  • Erase data (“Right to be Forgotten”), including copies held by processors and, within the backup retention window, in backups. Erasure is not absolute: data you must keep to meet a legal obligation is exempt, and you should be able to say which records were kept and why.

  • Restrict processing while a dispute over accuracy or an objection is being resolved (Art. 18).

  • Port data to another service in a structured, commonly used, machine-readable format.

  • Object to processing (e.g., opt out of profiling or direct marketing).

Tool:

  • Automated DSAR system (e.g., OneTrust, Osano).

  • Privacy dashboard (e.g., “My Account” page).

Security Measures (Art. 32)

  • Encryption (data at rest & in transit, with keys managed separately from the data they protect).

  • Access Controls (role-based permissions, least privilege, access reviewed periodically).

  • Pseudonymization (where possible; the key or lookup table that allows re-identification must be kept separately from the dataset, Art. 4(5)).

  • Resilience and recovery (tested backups so availability and access can be restored after an incident, Art. 32(1)(c)).

  • Regular testing and audits of whether these measures actually work (Art. 32(1)(d)), e.g., against ISO 27001 or SOC 2.

Check:

  • Do you have a breach response plan that names who decides whether to notify, and do you keep a breach register for every incident, whether or not it was notified (Art. 33(5))?

  • Are employees trained on data protection policies?
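Pseudonymization is the measure most often done wrong: hashing an email address with plain SHA-256 is not pseudonymization, because anyone holding the hashes can hash a list of candidate addresses and match them. The script below is an added example, not code from the original page; it assumes identifiers are email addresses and that the key would in practice live in a KMS or secret store separate from the dataset (the constant key and the sample users are constructed for reproducibility). It shows the unkeyed and keyed variants side by side, a dictionary attack that succeeds against one and fails against the other, and how the controller, who holds the key, can still honour an erasure request.

```python
"""Keyed pseudonymization of direct identifiers.

Added example, not code from the original page. It assumes identifiers are
e-mail addresses and that the key is held in a KMS or secret store separate
from the pseudonymized dataset; the fixed key below exists only so the
example is reproducible.
"""
import hashlib
import hmac
import secrets

# Assumption: in production this comes from a secret store, never from the
# same database as the data it protects (Art. 4(5): the "additional
# information" that allows re-identification must be kept separately).
PSEUDO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed sample records, as an analytics pipeline might receive them.
SAMPLE_USERS = [
    {"user_id": 1, "email": "alice@example.com", "plan": "pro"},
    {"user_id": 2, "email": "Bob@Example.com", "plan": "free"},
    {"user_id": 3, "email": "carol@example.com", "plan": "pro"},
]


def generate_key() -> bytes:
    """Fresh 256-bit key; rotate per dataset or per retention period."""
    return secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Looks anonymised, but e-mail addresses come from a
    small, guessable space, so anyone can hash candidates and re-identify."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes = PSEUDO_KEY) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so joins across tables
    still work, but without the key nobody can test guesses against tokens."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes = PSEUDO_KEY) -> list:
    """Replace the direct identifier with a keyed token and drop the raw
    e-mail and user_id, so the analytics copy carries no direct identifiers."""
    return [{"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
            for r in records]


def dictionary_attack(tokens, candidates, token_fn=naive_pseudonym) -> dict:
    """Re-identification attempt by someone holding only the tokens: compute
    the token for each guessed address and look for matches. Succeeds against
    naive_pseudonym output; returns nothing for keyed tokens, because the
    attacker cannot compute HMACs without the key."""
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def erase_subject(records, email: str, key: bytes = PSEUDO_KEY) -> list:
    """Erasure request (Art. 17): the controller, who holds the key, can still
    locate and remove the subject's rows in the pseudonymized dataset."""
    target = keyed_pseudonym(email, key)
    return [r for r in records if r["subject"] != target]


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "mallory@example.com"]
    naive_tokens = [naive_pseudonym(u["email"]) for u in SAMPLE_USERS]
    print("naive tokens re-identified:", dictionary_attack(naive_tokens, guesses))
    keyed_tokens = [keyed_pseudonym(u["email"]) for u in SAMPLE_USERS]
    print("keyed tokens re-identified:", dictionary_attack(keyed_tokens, guesses))
    remaining = erase_subject(pseudonymize_records(SAMPLE_USERS), "bob@example.com")
    print("rows left after erasing bob:", len(remaining))
```

The normalisation (strip and lowercase) is deliberate: without it the same person appears as two subjects and an erasure request misses one of them. Keeping the key out of the analytics environment is what makes the dataset pseudonymized rather than merely obfuscated; if the key is ever compromised, re-key and re-tokenise.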

Third-Party Compliance

  • Review vendors (cloud providers, SaaS) for GDPR compliance, including their sub-processors and the countries where they store and access your data.

  • Sign Data Processing Agreements (DPAs) with processors covering the Art. 28(3) terms: processing only on your instructions, confidentiality, security measures, sub-processor approval, help with DSARs and breach notification, deletion or return of data at the end of the contract, and audit rights.

  • Ensure SCCs (Standard Contractual Clauses), BCRs, or an adequacy decision cover every transfer outside the EEA, together with a transfer impact assessment of the destination country’s law.

Tool: Vendor risk assessment (e.g., TrustArc).

Documentation & accountability

  • Privacy Policy (clear, GDPR-compliant, covering the Art. 13/14 information: purposes, lawful basis, retention periods, recipients, international transfers, user rights, and DPO contact details).

  • Records of Processing Activities (ROPA, Art. 30).

  • Data Protection Officer (DPO) if required.

Check:

  • Is your privacy policy updated whenever the processing it describes changes?

  • Are audit logs maintained (who accessed which personal data, and when), protected from tampering, and themselves retained only as long as needed?

GDPR compliance tools (free tiers and pricing vary by vendor)

Tool | Purpose
GDPR Checklist | Self-assessment checklist
Cookiebot | Cookie consent management
OneTrust | DSAR automation
Microsoft Compliance Manager | Cloud compliance tracking