GDPR Compliance Checklist
By Het Mehta
Source: Based on the EU General Data Protection Regulation (GDPR).
Disclaimer: This checklist is for informational and tracking purposes only. Descriptions are interpretations and may not cover all nuances. Implementation details depend on your specific organizational context. Always consult the official GDPR text and qualified legal/privacy professionals for definitive guidance. This tool does not constitute legal advice.
| Done | Checklist Item | GDPR Article Ref. | Detailed Description | Responsible Dept. | Notes |
|---|---|---|---|---|---|
| | 1. Data Mapping & Inventory | | | | |
| | Identify Personal Data | Art. 4(1), Art. 30 | Identify all types of personal data processed by the organization (e.g., names, emails, IP addresses, financial data, health data). | IT, Legal, Business Units | |
| | Map Data Flows | Art. 30 | Document where personal data comes from, how it is processed, where it is stored, who has access, and where it is transferred. | IT, Legal, Compliance | |
| | Maintain Record of Processing Activities (RoPA) | Art. 30 | Create and maintain a detailed inventory of all processing activities involving personal data, including purposes, categories of data subjects/data, recipients, transfers, retention periods, and security measures. (Mandatory for most organizations.) | Legal, Compliance, DPO | |
| | 2. Legal Basis for Processing | | | | |
| | Identify Legal Basis | Art. 6, Art. 9 | For each processing activity identified in the RoPA, determine and document the appropriate legal basis (e.g., consent, contract, legal obligation, vital interests, public task, legitimate interests). Identify the conditions for processing special category data where applicable. | Legal, Compliance, Business Units | |
| | Legitimate Interests Assessment (LIA) | Art. 6(1)(f) | If relying on legitimate interests, conduct and document a Legitimate Interests Assessment (LIA) balancing the organization's interests against the individual's rights and interests. | Legal, Compliance | |
| | Review Legal Basis Periodically | Recital 39, Art. 5(1)(a) | Regularly review the documented legal bases to ensure they remain appropriate for the ongoing processing activities. | Legal, Compliance | |
| | 3. Consent & Data Subject Rights | | | | |
| | Valid Consent Mechanisms | Art. 7, Art. 4(11) | Ensure consent mechanisms are clear, specific, informed, freely given, and unambiguous. Use opt-in methods (e.g., unticked checkboxes). Keep records of consent. | Marketing, Legal, IT | |
| | Easy Consent Withdrawal | Art. 7(3) | Ensure individuals can withdraw consent easily at any time, and that withdrawal is acted upon promptly. | Marketing, IT, Customer Service | |
| | Procedures for Data Subject Rights (DSR) | Art. 12-22 | Establish clear procedures and assign responsibilities for handling Data Subject Requests (Access, Rectification, Erasure, Restriction, Portability, Objection, Automated Decision-Making). | Legal, DPO, Customer Service, IT | |
| | DSR Response Timelines | Art. 12(3) | Ensure DSRs are responded to without undue delay and within one month (extendable by a further two months where necessary, with justification). | Legal, DPO, Customer Service | |
| | Identity Verification for DSR | Art. 12(6) | Implement processes to verify the identity of individuals making DSRs, where necessary. | Customer Service, Legal | |
| | 4. Data Minimization & Retention | | | | |
| | Data Minimization Principle | Art. 5(1)(c) | Ensure only personal data that is adequate, relevant, and necessary for the specified purpose is collected and processed. | Business Units, IT, Legal | |
| | Data Retention Policy | Art. 5(1)(e) | Establish and implement a data retention policy defining how long personal data is kept for specific purposes. Ensure data is securely deleted or anonymized when no longer needed. | Legal, Compliance, IT | |
| | Implement Retention Schedules | Art. 5(1)(e) | Apply defined retention periods to data stores and systems; implement mechanisms for automated or manual deletion/anonymization. | IT, Data Owners | |
| | 5. Security Measures (Article 32) | | | | |
| | Risk-Based Security | Art. 32(1) | Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk (considering state of the art, costs, nature, scope, context, purposes, and risks). | IT Security, CISO, Risk | |
| | Specific Security Measures | Art. 32(1) | Consider implementing: pseudonymization, encryption, measures ensuring the confidentiality, integrity, availability, and resilience of systems, backup/restore capabilities, and regular testing/assessment of security measures. | IT Security, IT Operations | |
| | Access Control | Art. 32(1)(b) | Implement strong access controls (e.g., role-based access, principle of least privilege) to limit access to personal data. | IT Security, HR | |
| | Security Testing & Assessment | Art. 32(1)(d) | Regularly test, assess, and evaluate the effectiveness of technical and organizational security measures (e.g., vulnerability scanning, penetration testing, audits). | IT Security, Internal Audit | |
| | 6. Privacy by Design & Default (Article 25) | | | | |
| | Implement Privacy by Design | Art. 25(1) | Integrate data protection principles and safeguards into the design of new projects, processes, products, or services from the outset. | Product Dev, IT, Project Mgmt, Legal | |
| | Implement Privacy by Default | Art. 25(2) | Ensure that, by default, only personal data necessary for each specific purpose is processed (e.g., default settings are privacy-protective). | Product Dev, IT, Marketing | |
| | 7. DPIAs & Risk Assessments | | | | |
| | DPIA Trigger Identification | Art. 35(1), Art. 35(3) | Establish a process to identify processing activities likely to result in a high risk to individuals' rights and freedoms, requiring a Data Protection Impact Assessment (DPIA). | Legal, DPO, Risk, Project Mgmt | |
| | Conduct DPIAs | Art. 35 | Conduct DPIAs for high-risk processing activities, documenting the assessment, risks identified, and measures envisaged to address those risks. Consult the DPO. | Project Owners, Legal, DPO, IT Security | |
| | Consult Supervisory Authority | Art. 36 | Consult the relevant Supervisory Authority prior to processing if a DPIA indicates high residual risk that cannot be mitigated. | Legal, DPO | |
| | 8. Vendor / Processor Compliance | | | | |
| | Processor Due Diligence | Art. 28(1) | Conduct due diligence on data processors (vendors) to ensure they provide sufficient guarantees regarding technical and organizational security measures. | Procurement, Legal, IT Security, Vendor Mgmt | |
| | Data Processing Agreements (DPAs) | Art. 28(3) | Ensure legally binding Data Processing Agreements (DPAs) are in place with all data processors, containing the mandatory clauses specified in Article 28. | Legal, Procurement, Vendor Mgmt | |
| | Processor Audits & Monitoring | Art. 28(3)(h) | Establish processes to monitor processor compliance and exercise the audit rights defined in DPAs. | Vendor Mgmt, Internal Audit, IT Security | |
| | 9. Cross-border Data Transfers | | | | |
| | Identify International Transfers | Chapter V (Art. 44-50) | Identify all transfers of personal data outside the European Economic Area (EEA). | Legal, IT, Compliance | |
| | Implement Transfer Mechanisms | Art. 45, 46, 47, 49 | Ensure appropriate safeguards are in place for international transfers (e.g., Adequacy Decision, Standard Contractual Clauses (SCCs) + Transfer Impact Assessment (TIA), Binding Corporate Rules (BCRs), Derogations). | Legal, Compliance | |
| | Transfer Impact Assessments (TIAs) | Schrems II Judgment | Conduct and document TIAs when relying on SCCs or BCRs to assess the level of data protection in the third country and identify supplementary measures if needed. | Legal, IT Security | |
| | 10. Breach Notification Readiness (Articles 33 & 34) | | | | |
| | Breach Detection & Response Plan | Art. 33, Art. 34 | Establish and maintain an incident response plan specifically addressing personal data breaches, including detection, assessment, containment, and recovery. | IT Security, IR Team, Legal, DPO | |
| | Breach Assessment Procedure | Art. 33(1) | Define a procedure to assess the risk to individuals' rights and freedoms following a breach in order to determine notification requirements. | Legal, DPO, IT Security | |
| | Supervisory Authority Notification | Art. 33 | Ensure procedures are in place to notify the relevant Supervisory Authority of a notifiable breach without undue delay and, where feasible, within 72 hours of becoming aware of it. | Legal, DPO, IR Team | |
| | Data Subject Notification | Art. 34 | Ensure procedures are in place to notify affected data subjects without undue delay if a breach is likely to result in a high risk to their rights and freedoms. | Legal, DPO, Communications, IR Team | |
| | Internal Breach Register | Art. 33(5) | Maintain an internal register of all personal data breaches, regardless of whether notification was required. | Compliance, DPO, IT Security | |
| | 11. Governance, Documentation & Training | | | | |
| | Data Protection Policies | Art. 24, Art. 5 | Develop, approve, and disseminate comprehensive data protection policies and procedures covering all aspects of GDPR compliance. | Legal, Compliance, DPO | |
| | Maintain Documentation | Art. 5(2), Art. 24, Art. 30 | Keep records to demonstrate compliance (accountability principle), including policies, RoPA, consent records, DPIAs, DPAs, TIAs, breach logs, and training records. | All Depts, Compliance, DPO | |
| | Staff Training & Awareness | Art. 39(1)(b), Art. 47(2)(n) | Conduct regular data protection training for all relevant staff members, tailored to their roles and responsibilities. Maintain training records. | HR, Compliance, DPO, IT Security | |
| | 12. DPO Role & Internal Accountability | | | | |
| | Appoint Data Protection Officer (DPO) | Art. 37 | Determine whether a DPO appointment is mandatory. If so, appoint a DPO with expert knowledge, ensure independence, and provide the necessary resources. Publish the DPO's contact details. | Legal, HR, Senior Management | |
| | Define DPO Responsibilities | Art. 39 | Clearly define and document the DPO's tasks (informing, advising, monitoring compliance, cooperating with authorities, acting as contact point). | Legal, Senior Management | |
| | Internal Accountability Structure | Art. 24 | Establish clear internal roles, responsibilities, and reporting lines for data protection compliance across the organization. | Senior Management, Compliance, Legal | |
| | 13. Logging, Monitoring & Audit Trails | | | | |
| | Implement System Logging | Art. 32(1)(b) | Implement logging mechanisms for critical systems processing personal data to record access, modification, and deletion events (where appropriate and feasible). | IT Operations, IT Security | |
| | Monitor System Activity | Art. 32(1)(d) | Regularly monitor system logs and security alerts for suspicious activity or potential security incidents involving personal data. | IT Security, SOC | |
| | Maintain Audit Trails | Art. 5(2), Art. 24 | Ensure audit trails are maintained for key data processing activities to support accountability and incident investigation. Store logs securely. | IT Operations, Compliance, IT Security | |
| | 14. Preparing for DORA (aligned GDPR controls for resilience) | | | | |
| | Review Security Measures (Art. 32) for Resilience | GDPR Art. 32 / DORA Art. 9, 12 | Assess whether current GDPR security measures (confidentiality, integrity, availability, resilience, backup/restore) meet the heightened operational resilience expectations under DORA. | IT Security, Risk, BCM | |
| | Align Incident Response with DORA Reporting | GDPR Art. 33 / DORA Art. 17-19 | Review and update the data breach response plan to align terminology, classification, and reporting timelines with DORA's ICT-related incident reporting requirements. | IR Team, Legal, DPO, Compliance | |
| | Review Vendor DPAs for DORA Clauses | GDPR Art. 28 / DORA Art. 30 | Assess whether existing DPAs with critical ICT service providers include clauses covering DORA requirements (e.g., audit rights, exit strategies, resilience standards). Plan updates. | Legal, Vendor Mgmt, Procurement | |
| | Enhance Resilience Testing | GDPR Art. 32(1)(d) / DORA Art. 24-27 | Incorporate resilience testing (BCP/DR tests, and TLPT where applicable under DORA) into the regular security testing schedule required by GDPR. | IT Security, BCM, Risk | |
GDPR Core Concepts Map
```mermaid
graph TD
    GDPR[GDPR Compliance] --> PRINCIPLES(Core Principles Art. 5)
    GDPR --> BASIS("Lawful Basis Art. 6 & 9")
    GDPR --> RIGHTS(Data Subject Rights Art. 12–23)
    GDPR --> OBLIGATIONS("Controller & Processor Obligations")
    GDPR --> TRANSFERS(International Transfers Chapter V)
    GDPR --> ACCOUNTABILITY(Accountability)
    PRINCIPLES --> LAWFULNESS(Lawfulness, Fairness, Transparency)
    PRINCIPLES --> PURPOSE(Purpose Limitation)
    PRINCIPLES --> MINIMIZE(Data Minimization)
    PRINCIPLES --> ACCURACY(Accuracy)
    PRINCIPLES --> STORAGE(Storage Limitation)
    PRINCIPLES --> INTEGRITY(Integrity and Confidentiality)
    RIGHTS --> ACCESS(Access – Art. 15)
    RIGHTS --> RECTIFY(Rectification – Art. 16)
    RIGHTS --> ERASE(Erasure – Art. 17)
    RIGHTS --> RESTRICT(Restriction – Art. 18)
    RIGHTS --> PORT(Portability – Art. 20)
    RIGHTS --> OBJECT(Objection – Art. 21)
    OBLIGATIONS --> SECURITY(Security – Art. 32)
    OBLIGATIONS --> PBD(Privacy by Design – Art. 25)
    OBLIGATIONS --> ROPA(Records of Processing – Art. 30)
    OBLIGATIONS --> DPIA(Data Protection Impact – Art. 35)
    OBLIGATIONS --> PROCESSOR(Processor Management – Art. 28)
    OBLIGATIONS --> BREACH(Breach Notification – Art. 33/34)
    OBLIGATIONS --> DPO(DPO – Art. 37–39)
    ACCOUNTABILITY --> DOCS(Documentation)
    ACCOUNTABILITY --> POLICIES(Policies)
    ACCOUNTABILITY --> TRAINING(Training)
    style GDPR fill:#ccf,stroke:#333,stroke-width:2px;
    style PRINCIPLES fill:#cfc;
    style BASIS fill:#ffc;
    style RIGHTS fill:#fcc;
    style OBLIGATIONS fill:#cff;
    style TRANSFERS fill:#f9c;
    style ACCOUNTABILITY fill:#ddd;
```
This map shows key areas and articles within GDPR.