GDPR Checklist

Status: Ongoing

---

Part C: GDPR Compliance

#	Activity	Reference	Phase	Description
C1	Scope & GAP Analysis	Art. 2, 3	Preparation	Determine processing scope and analyse gaps
C1.1	— Territorial scope	Art. 3	Preparation	Processing data of EU residents?
C1.2	— Current state assessment	Art. 5, 24	Preparation	Audit current GDPR compliance state
C1.3	— GAP identification	Art. 24	Preparation	Identify gaps vs. GDPR requirements
C2	Data Mapping (ROPA)	Art. 30	Analysis	Records of Processing Activities
C2.1	— Personal Data Categories	Art. 30(1)(c)	Analysis	Names, emails, IPs, cookies, behavioural, health data
C2.2	— Legal Basis	Art. 6, 9	Analysis	Consent / Contract / Legal obligation / Legitimate interest
C2.3	— Data Subject Categories	Art. 30(1)(c)	Analysis	Customers, employees, partners, prospects
C2.4	— Retention Periods	Art. 5(1)(e), 30(1)(f)	Analysis	How long to retain? Auto-delete procedures
C2.5	— Data Flow Diagram	Art. 30	Analysis	Visualisation of personal data flows
C2.6	— Third-country transfers	Art. 44-49	Analysis	Transfers outside EU/EEA
C3	Data Processing Agreements (DPA)	Art. 28	Governance	Agreements with all processors
C3.1	— Controllers vs. Processors	Art. 4(7,8), 26	Governance	Audit: Who is controller? Who is processor?
C3.2	— Processor list	Art. 28(1)	Governance	List of all processors
C3.3	— Sub-processor Management	Art. 28(2,4)	Governance	Who are sub-processors? Approvals?
C3.4	— DPA Templates	Art. 28(3)	Governance	Standardised agreements
C3.5	— SCCs for transfers	Art. 46(2)(c)	Governance	Standard Contractual Clauses for non-EU transfers
C4	Privacy by Design & Default	Art. 25	Implementation	Privacy in system design
C4.1	— Privacy by Design principles	Art. 25(1)	Implementation	Embed privacy in system design
C4.2	— Privacy by Default	Art. 25(2)	Implementation	Default settings = minimum data
C4.3	— Data Minimisation	Art. 5(1)(c)	Implementation	Only necessary data. Delete unnecessary fields
C4.4	— Pseudonymisation	Art. 4(5), 25	Implementation	For analytics: pseudonymise where possible
C4.5	— Anonymisation	GDPR Recital 26	Implementation	Full anonymisation where possible
C5	Technical & Organisational Measures	Art. 32	Implementation	Security of processing
C5.1	— Encryption at rest	Art. 32(1)(a)	Implementation	Encryption of personal data at rest (AES-256)
C5.2	— Encryption in transit	Art. 32(1)(a)	Implementation	Encryption in transit (TLS 1.3)
C5.3	— Access control	Art. 32(1)(b)	Implementation	Access control for personal data
C5.4	— Confidentiality	Art. 32(1)(b)	Implementation	Ensure confidentiality
C5.5	— Integrity	Art. 32(1)(b)	Implementation	Ensure data integrity
C5.6	— Availability	Art. 32(1)(b)	Implementation	Ensure availability
C5.7	— Resilience	Art. 32(1)(b)	Implementation	System resilience
C5.8	— Restore capability	Art. 32(1)(c)	Implementation	Ability to restore data availability
C5.9	— Regular testing	Art. 32(1)(d)	Testing	Regular testing of measure effectiveness
C6	DPIA (Impact Assessment)	Art. 35	Analysis	Data Protection Impact Assessment
C6.1	— DPIA process defined	Art. 35(1)	Governance	When and how to conduct DPIA
C6.2	— DPIA template	Art. 35(7)	Governance	DPIA template
C6.3	— DPIA for high-risk processing	Art. 35(3)	Analysis	Conducted for high-risk processing
C6.4	— DPIA for AI systems	Art. 35 + AI Act	Analysis	DPIA for AI processing personal data
C7	Subject Rights (DSAR)	Art. 15-22	Implementation	Data subject rights
C7.1	— DSAR workflow	Art. 12	Implementation	Process for handling subject requests
C7.2	— DSAR email/form	Art. 12(2)	Implementation	Channel for receiving requests
C7.3	— Identity verification	Art. 12(6)	Implementation	Process for verifying requester identity
C7.4	— Right to Access	Art. 15	Implementation	Workflow: respond within 30 days
C7.5	— Right to Erasure	Art. 17	Implementation	Delete user data including backups
C7.6	— Right to Rectification	Art. 16	Implementation	Correct errors, audit log
C7.7	— Right to Portability	Art. 20	Implementation	Export in CSV/JSON/XML
C7.8	— Right to Restriction	Art. 18	Implementation	Restriction of processing
C7.9	— Right to Object	Art. 21	Implementation	Objection to processing
C7.10	— DSAR register	Art. 12	Monitoring	Record of processed requests
C8	Consent Management	Art. 7	Implementation	Consent management
C8.1	— Cookie Management	Art. 7, ePrivacy	Implementation	Essential/Functional/Analytics/Marketing cookies
C8.2	— Cookie banner	ePrivacy	Implementation	GDPR-compliant cookie banner
C8.3	— Email Consent Tracking	Art. 7(1)	Implementation	Double-opt-in workflow
C8.4	— Consent Withdrawal	Art. 7(3)	Implementation	Consent withdrawal procedure
C8.5	— Consent records	Art. 7(1)	Monitoring	Records of given consents
C9	Privacy Policy & Transparency	Art. 12-14	Documentation	Information obligation
C9.1	— Privacy Policy	Art. 13, 14	Documentation	Clear, complete, up-to-date
C9.2	— GDPR Transparency (Art. 13/14)	Art. 13, 14	Documentation	18 information items for subjects
C9.3	— AI Transparency	Art. 22 + AI Act	Documentation	Information about AI in decision-making
C9.4	— Layered notices	Art. 12(1)	Documentation	Multi-layered information (summary + detail)
C10	Data Breach Management	Art. 33, 34	Incident	Breach reporting procedure
C10.1	— Breach detection	Art. 33	Incident	Breach detection processes
C10.2	— Breach assessment	Art. 33(1)	Incident	Risk assessment of breach impact
C10.3	— DPA notification (72h)	Art. 33	Incident	Notification within 72 hours
C10.4	— Subject notification	Art. 34	Incident	Notification of subjects in case of high risk
C10.5	— Breach register	Art. 33(5)	Monitoring	Record of all breaches
C10.6	— Notification templates	Art. 33, 34	Documentation	Templates for notifications (DPA, subjects)
C11	DPO (Data Protection Officer)	Art. 37-39	Governance	Data Protection Officer
C11.1	— DPO appointed	Art. 37	Governance	DPO designated and appointed
C11.2	— DPO independence	Art. 38(3)	Governance	DPO independence ensured
C11.3	— DPO Contact Public	Art. 37(7)	Governance	dpo@company.com published on website
C11.4	— DPO registered with DPA	Art. 37(7)	Governance	DPO registration with supervisory authority
C11.5	— DPO Responsibilities	Art. 39	Governance	Monitoring, audit, education, liaison
C12	Training & Awareness	Art. 39(1)(b)	Training	Employee training
C12.1	— GDPR training (all staff)	Art. 39(1)(b)	Training	Basic GDPR training for all
C12.2	— Role-specific training	Art. 39(1)(b)	Training	Specialised training (HR, Marketing, IT)
C12.3	— Training records	Art. 24(1)	Monitoring	Records of completed training
C12.4	— Awareness programme	Art. 39(1)(b)	Training	Ongoing awareness raising

---

Critical Path

1. C2 Data Mapping (ROPA) -> complete by 31.1.2026
2. C7.4-C7.5 DSAR Access + Erasure -> complete by 28.2.2026
3. C10 Breach Management -> complete by 28.2.2026
4. C3 DPA with all vendors -> complete by 31.3.2026
5. C5 Technical Measures -> complete by 31.3.2026

---

Implementation Phases

---

Resources

• GDPR text (EUR-Lex)
• EDPB Guidelines

---

Disclaimer

This content is for informational purposes only and does not constitute legal advice. For your organisation’s specific situation, we recommend consulting a qualified lawyer.

What’s next?

Need help with implementation? We offer a free 15-minute consultation.

Book a consultation -> | Test your readiness -> | Self-Assessment ->