GDPR enforcement is accelerating. In 2025 alone, European supervisory authorities issued over EUR 2 billion in fines. The pattern is clear: regulators are moving beyond large tech companies and targeting mid-market businesses that assumed compliance was optional.
This checklist is built for organizations that need to get compliant — or verify they still are. It covers the practical requirements, not theoretical interpretations.
1. Data Mapping and Inventory
You cannot protect data you haven't mapped. Article 30 requires a Record of Processing Activities (ROPA), and it is usually the first document a supervisory authority asks for when an investigation starts.
- Identify all systems that process personal data (CRM, email, analytics, HR, finance)
- Document for each system: what data is collected, why, legal basis, who has access, where it's stored, and how long it's retained
- Map data flows between systems, including third-party processors
- Classify data types: names, emails, IP addresses, financial data, health data, biometric data
- Identify special category data (Article 9): processing it is prohibited unless one of the Article 9(2) conditions applies, such as explicit consent
- Review data flows to third countries — standard contractual clauses or adequacy decisions must be in place
A static spreadsheet becomes outdated the day it's created. The organizations that pass audits maintain a living data inventory that's updated when systems change.
2. Legal Bases for Processing
Every processing activity needs a valid legal basis under Article 6. There are six options, and choosing the wrong one is a common mistake.
- Consent (Article 6(1)(a)): Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Consent must be as easy to withdraw as it is to give.
- Contract (Article 6(1)(b)): Processing necessary to perform a contract with the data subject. Cannot be stretched to cover marketing.
- Legal obligation (Article 6(1)(c)): Tax records, employment law requirements, financial reporting.
- Vital interests (Article 6(1)(d)): Rare — applies in life-or-death situations.
- Public interest (Article 6(1)(e)): Primarily for public authorities.
- Legitimate interests (Article 6(1)(f)): Requires a documented balancing test (LIA). Most misused basis — "we want the data" is not a legitimate interest.
For each processing activity in your data inventory, document which legal basis applies and why. If you're relying on legitimate interests, the balancing test must exist before processing begins.
3. Data Subject Rights (DSAR Process)
Articles 15-22 give individuals specific rights. You need documented processes for handling each one.
- Right of Access (Art. 15): Provide a copy of all personal data within one calendar month; the deadline can be extended by up to two further months for complex or numerous requests, but only if you tell the requester within the first month and explain why
- Right to Rectification (Art. 16): Correct inaccurate data without undue delay
- Right to Erasure (Art. 17): Delete data when the legal basis expires, consent is withdrawn, or data was unlawfully processed
- Right to Restrict Processing (Art. 18): Pause processing while accuracy or legal basis is contested
- Right to Data Portability (Art. 20): Provide data in a structured, machine-readable format
- Right to Object (Art. 21): Stop processing for direct marketing immediately. Other objections require a balancing test.
- Rights related to automated decisions (Art. 22): If you use solely automated decision-making with legal or similarly significant effects, data subjects can obtain human intervention, express their point of view, and contest the decision
For each right:
- Define who handles requests and the escalation path
- Set internal deadlines shorter than the legal deadline
- Document the verification process for confirming the requester's identity
- Have templates for acknowledgement, extension notification, and response
- Capture evidence of every step for audit purposes
4. Retention and Deletion Policies
You cannot keep personal data indefinitely. Article 5(1)(e) requires storage limitation — data should be kept only as long as necessary for the stated purpose.
- Define retention periods for each data category and processing purpose
- Document the legal basis for each retention period (contract duration, legal requirement, legitimate interest)
- Implement automated deletion or manual review processes when retention expires
- Verify deletion actually happens: a row flagged with a deleted_at timestamp that is still readable has not been deleted, and copies in replicas, analytics exports, logs and backups count as retained data
- Handle exceptions: legal holds, ongoing disputes, regulatory investigations
Retention policies are only useful if they're enforced. Schedule regular verification cycles to confirm data is actually being deleted on time.
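As an added example (not code from the original article), the following Python script shows what such a verification cycle looks like in practice: a retention schedule keyed by data category and purpose, classification of an inventory into records that are due for deletion, on legal hold, still within their period, or lacking a policy, and then a check that every record due for deletion is actually absent from each store that might still hold a copy. The retention policy, record inventory and store contents are constructed sample data; in a real run the inventory and the per-store ID sets would come from queries against the primary database, the soft-delete table, analytics exports and a restored backup snapshot.

```python
"""Retention verification: find records past their period, then confirm they are gone.

Added example with constructed data; the retention periods are illustrative,
not legal advice, and the store contents would normally come from live queries.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: (category, purpose) -> (days kept, documented justification).
RETENTION_POLICY = {
    ("customer_contact", "marketing"): (730, "legitimate interests; LIA reviewed annually"),
    ("invoice", "tax"): (2555, "legal obligation: statutory record keeping"),
    ("applicant_cv", "recruitment"): (180, "pre-contractual steps; rejected candidates"),
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose: str
    created: date
    legal_hold: bool = False  # litigation hold, regulatory investigation, ongoing dispute


def expiry_date(rec, policy=RETENTION_POLICY):
    """Last day the record may be kept, or None if no period is defined for it."""
    entry = policy.get((rec.category, rec.purpose))
    return None if entry is None else rec.created + timedelta(days=entry[0])


def classify(records, today, policy=RETENTION_POLICY):
    """Split an inventory into due-for-deletion, on-hold, still-retained and no-policy buckets."""
    out = {"due": [], "on_hold": [], "retained": [], "no_policy": []}
    for rec in records:
        exp = expiry_date(rec, policy)
        if exp is None:
            out["no_policy"].append(rec.record_id)  # gap in the schedule, itself a finding
        elif today <= exp:
            out["retained"].append(rec.record_id)
        elif rec.legal_hold:
            out["on_hold"].append(rec.record_id)  # expired, but an exception applies
        else:
            out["due"].append(rec.record_id)
    return out


def verify_purged(expected_gone, stores):
    """Return {record_id: [stores still holding it]} for IDs that should have been deleted.

    `stores` maps a store name (primary table, soft-delete table, analytics export,
    restored backup snapshot...) to the set of record IDs found in it.
    """
    lingering = {}
    for rid in expected_gone:
        where = sorted(name for name, ids in stores.items() if rid in ids)
        if where:
            lingering[rid] = where
    return lingering


# Constructed sample inventory (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("c-1001", "customer_contact", "marketing", date(2022, 1, 15)),   # past 730 days
    Record("c-1002", "customer_contact", "marketing", date(2024, 9, 1)),    # within period
    Record("inv-77", "invoice", "tax", date(2016, 3, 1), legal_hold=True),  # expired, on hold
    Record("cv-5", "applicant_cv", "recruitment", date(2024, 10, 1)),       # past 180 days
    Record("x-9", "support_ticket", "support", date(2020, 1, 1)),           # no policy defined
]

# Constructed per-store contents: which IDs each store still reports.
SAMPLE_STORES = {
    "primary_db": {"c-1002", "inv-77", "x-9"},
    "primary_db_soft_deleted": {"c-1001"},  # deleted_at is set, but the row is still there
    "analytics_export": {"c-1001", "c-1002", "cv-5"},
    "backup_2025-05-30_restore": {"c-1002", "inv-77", "x-9"},
}


def run_retention_check(records=SAMPLE_RECORDS, stores=SAMPLE_STORES, today=TODAY):
    """One verification cycle: classify, then confirm the 'due' set is gone everywhere."""
    buckets = classify(records, today)
    return buckets, verify_purged(buckets["due"], stores)


if __name__ == "__main__":
    buckets, lingering = run_retention_check()
    for name, ids in buckets.items():
        print(f"{name:10s} {ids}")
    for rid, where in lingering.items():
        print(f"NOT DELETED: {rid} still present in {', '.join(where)}")
```

Run against the sample data, the check reports that c-1001 survives as a soft-deleted row and in the analytics export, and that cv-5 survives in the analytics export; both are evidence that the deletion job does not reach every copy. The output of each cycle, with its date, is the kind of timestamped verification evidence section 10 asks for.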
5. Privacy Notices and Transparency
Articles 13 and 14 require clear, accessible privacy notices at every point where personal data is collected.
- Website privacy policy: Must cover all Article 13/14 requirements in clear, plain language
- Cookie banner: Provide genuine choice — "Accept all" cannot be easier than "Reject all"
- Employee privacy notice: Separate from customer-facing privacy policy
- Third-party data collection notice: If you receive data from sources other than the data subject (Article 14)
- Layered approach: Use a short notice at the point of collection linking to the full policy
- Review annually: Privacy policies must reflect current practices, not what you did two years ago
6. Data Processing Agreements
Every third-party processor handling personal data on your behalf needs a Data Processing Agreement (Article 28).
- Audit your vendor list: Cloud providers, analytics tools, email services, payment processors, HR platforms
- DPA requirements: subject matter, duration, nature and purpose, data types, processor obligations, sub-processor controls, audit rights, deletion obligations
- Sub-processor management: Processors must inform you of new sub-processors and give you the right to object
- Verify DPA coverage: Many vendors have DPAs available online — download and countersign them
Missing DPAs are one of the easiest findings for a regulator to flag, and one of the simplest to fix.
7. Security Measures (Article 32)
The GDPR requires "appropriate technical and organizational measures" — what's appropriate depends on the risk.
- Encryption: Data at rest and in transit (TLS 1.2+)
- Access controls: Role-based access, principle of least privilege
- Authentication: Strong passwords, multi-factor authentication for admin access
- Monitoring: Intrusion detection, access logging, anomaly detection
- Backup and recovery: Regular tested backups, documented recovery procedures
- Incident response plan: Documented, tested, with clear roles and communication chains
- Employee training: Annual privacy awareness training with documented attendance
8. Data Breach Notification (Articles 33-34)
Article 33 gives you 72 hours from becoming aware of a personal data breach to notify the supervisory authority, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A late notification must include the reasons for the delay.
- Detection capability: How will you know a breach has occurred?
- Assessment process: Documented criteria for determining notification obligation
- Authority notification template: Pre-drafted with variable fields (nature of breach, categories of data, approximate number of subjects, likely consequences, measures taken)
- Data subject notification: Required when breach poses a "high risk" — plain language, without undue delay
- Breach register: Document ALL breaches, not just notifiable ones (Article 33(5))
- 72-hour countdown: Starts when you become "aware", which the EDPB reads as having a reasonable degree of certainty that a security incident has compromised personal data, not when the investigation concludes. If you don't have all the facts in time, notify with what you know and supply the rest in phases (Article 33(4)).
9. Data Protection Impact Assessments (Article 35)
DPIAs are mandatory for processing likely to result in high risk to individuals.
- Triggers: Systematic monitoring, large-scale processing of special category data, automated decision-making with legal or similarly significant effects, use of new technologies, matching or combining datasets. Check your supervisory authority's published list of processing operations that always require a DPIA (Article 35(4)).
- Content: Description of processing, necessity and proportionality assessment, risk assessment, and mitigation measures
- Timing: Before processing begins — not retroactively
- Consultation: If residual risk remains high after mitigation, consult the supervisory authority (Article 36)
10. Evidence and Accountability
Article 5(2) requires you to demonstrate compliance — not just be compliant. This is where most organizations fall short.
- Document decisions: Why you chose a legal basis, how you conducted balancing tests, what security measures you considered
- Timestamp everything: When policies were created, reviewed, updated
- Capture verification evidence: Screenshots, system logs, attestations showing policies are followed
- Maintain audit trails: Who did what, when, and with what authorization
- Prepare for regulators: Organize evidence into a portable format that demonstrates compliance across all GDPR requirements
A Deal Pack — a pre-assembled package of evidence covering your data inventory, DSAR processes, retention verification, and security measures — gives you a structured way to demonstrate compliance to auditors, regulators, or business partners.
The Compliance Lifecycle
GDPR compliance is not a project with a finish date. It's an ongoing process:
- Map your data processing activities
- Assess legal bases and risks
- Implement policies, procedures, and controls
- Document everything with timestamped evidence
- Monitor for changes, breaches, and new requirements
- Review and update regularly (at minimum, annually)
The organizations that handle regulatory scrutiny well are the ones that can show, with evidence, that they follow this cycle, not the ones scrambling to assemble documentation after an inquiry arrives.