GDPR Compliance Checklist

Track your GDPR compliance across 48 requirements in 8 categories. Check off items as you complete them, identify gaps, and prioritize your remediation efforts. Everything runs in your browser — nothing is stored.

What Is GDPR Compliance?

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law, in effect since May 2018. It applies to any organization that processes personal data of EU residents, regardless of where the organization is based. Compliance is not optional — violations can result in fines of up to €20 million or 4% of global annual turnover.

GDPR compliance is not a one-time project. It requires ongoing attention to how personal data is collected, processed, stored, shared, and deleted. This checklist covers the core requirements that every organization should address, organized into 8 categories that map to GDPR's key principles and obligations.

The checklist is designed to be practical, not exhaustive. It focuses on the requirements that matter most for SMBs and startups — the areas where data protection authorities (DPAs) most commonly find violations and impose fines. For a deeper dive into specific areas, use our specialized tools: the DPIA Helper for impact assessments, the Data Flow Mapping Tool for Article 30 records, and the Breach Cost Calculator to understand your financial exposure.

The 8 Categories Explained

Lawfulness & Legal Basis — every processing activity needs a valid legal basis under Article 6. The six options are consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest. Getting this wrong is the most common source of major fines.

Transparency & Data Subject Rights — individuals have the right to know what you do with their data and to exercise control over it. This includes access requests, erasure, portability, and objection. Your privacy notice must be clear and complete.

Data Minimization & Retention — collect only what you need, keep it only as long as necessary. This principle sounds simple but is one of the hardest to implement in practice, especially for organizations that have accumulated years of data.

Security Measures — Article 32 requires "appropriate technical and organisational measures." Encryption, access controls, vulnerability management, and staff training are the foundation.

Data Breach Response — when a breach occurs, you have 72 hours to notify the DPA and must notify affected individuals without undue delay if there is high risk. Having a tested plan is essential.

Processors & Third Parties — every vendor that processes personal data on your behalf needs a Data Processing Agreement. International transfers need specific safeguards.

Accountability & Governance — GDPR's accountability principle requires you to demonstrate compliance, not just claim it. This means documentation, policies, DPIAs, and regular reviews.

International Transfers — sending personal data outside the EU/EEA requires adequate safeguards. Standard Contractual Clauses are the most common mechanism for most organizations.

Frequently Asked Questions

Does GDPR apply to my small business?

If you process personal data of EU residents — names, emails, IP addresses, purchase history, employee records — GDPR applies regardless of your size or location. There is no small business exemption, though the principle of proportionality means measures should be appropriate to your scale and risk.

What are the penalties for non-compliance?

GDPR allows fines up to €20 million or 4% of global annual turnover for the most serious violations, and up to €10 million or 2% for less severe violations. In practice, fines vary widely based on the nature, severity, and duration of the violation, and the organization's level of cooperation.

Is my checklist progress saved?

No — everything runs in your browser memory only. When you close or refresh the page, your progress is reset. We recommend taking a screenshot of your results or noting your completion percentage and priority gaps before leaving.

Disclaimer: This tool is for informational purposes only and does not constitute legal advice. Consult qualified professionals. Created by ClevSec.

Last updated: April 2026