This checklist provides data controllers with a structured framework to demonstrate GDPR compliance. Each item references specific regulatory sections and includes concrete verification criteria. Organizations should complete this assessment to identify compliance gaps and implement required controls before processing personal data. Regular reviews (at least annually) are recommended to maintain ongoing compliance as business processes evolve.
GDPR Readiness Checklist for Data Controllers
- Lawful Basis Documentation (Article 6): Document and maintain records identifying the lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for each processing activity. Verify that at least one basis applies before initiating any data processing.
- Privacy Notice Implementation (Articles 13 and 14): Create and deploy privacy notices at the point of data collection that disclose controller identity, processing purposes, legal basis, recipients, retention periods, and data subject rights. Confirm notices are clear, transparent, and provided in accessible language.
- Data Processing Agreements (Article 28): Execute written Data Processing Agreements (DPAs) with all processors before they access personal data. Verify agreements include mandatory clauses covering subject matter, duration, nature, purpose, data types, categories of data subjects, and processor obligations.
- Records of Processing Activities (Article 30): Maintain a comprehensive Data Processing Register documenting each processing activity, including processing purposes, categories of personal data, data subjects, retention periods, and security measures. Update the register when new processing begins or existing activities change.
- Data Protection Impact Assessments (Article 35): Conduct and document Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including automated decision-making, large-scale processing of special categories, or systematic monitoring. Retain assessment records and evidence of mitigation measures implemented.
- Consent Mechanism Verification (Article 7): If relying on consent, verify that consent is freely given, specific, informed, and unambiguous through clear affirmative action (opt-in). Confirm records demonstrate when and how each consent was obtained and maintain withdrawal mechanism documentation.
- Data Subject Rights Procedures (Articles 12-22): Establish documented procedures to fulfill data subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days. Maintain logs of all requests received and responses provided, including any refusals with legal justification.
- Special Category Data Safeguards (Article 9): Document the specific condition under Article 9(2) relied on for processing special categories of data. Verify appropriate safeguards are implemented and maintain evidence that the additional conditions beyond the Article 6 lawful basis are satisfied.
- International Data Transfer Mechanisms (Chapter V): For transfers outside the EEA, document and verify the applicable transfer mechanism (adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or derogation). Maintain Supplementary Measures documentation where SCCs alone are insufficient.
- Data Retention and Deletion Procedures (Article 17): Define and implement retention schedules for all personal data categories specifying storage duration and deletion timelines. Document deletion procedures and maintain audit records confirming data destruction at the end of retention periods.
- Breach Notification Procedures (Article 33): Establish written protocols for detecting, documenting, and reporting personal data breaches to supervisory authorities within 72 hours where there is risk to rights and freedoms. Maintain a breach register with incident details and mitigation actions taken.
- Privacy by Design and Default (Article 25): Document that privacy principles have been integrated into system architecture and processing operations. Maintain evidence that data minimization, pseudonymization, and security measures are built into systems from the outset, not added later.
- Data Protection Officer Designation (Article 37): If required, verify the Data Protection Officer (DPO) has been formally designated and their contact details provided to the supervisory authority. Confirm the DPO has sufficient resources and reports directly to management without conflicts of interest.
- Third-Party Recipient Documentation (Article 6(1)(e-f) & 14(1)(e)): Maintain documented lists of all recipients who receive personal data, including their identity, categories of recipients, and purposes for which data is shared. Verify that recipients are subject to confidentiality or legal obligations.
- Staff Training and Accountability (Article 32(4)): Implement mandatory GDPR and data protection training for all personnel handling personal data. Maintain training records, completion dates, and attendance logs demonstrating ongoing accountability and awareness.
- Technical and Organizational Measures (Article 32): Document implemented security measures including encryption, pseudonymization, access controls, regular testing, staff vetting, and incident response procedures. Ensure documentation matches the level of risk and is reviewed annually.
- Vendor and Sub-processor Management (Article 28(2) & (4)): Maintain a current list of all sub-processors used and demonstrate that prior approval from the data controller was obtained. Verify sub-processors execute their own DPAs incorporating equivalent data protection standards.
- Accountability and Governance Records (Article 5(2)): Compile comprehensive documentation demonstrating compliance with GDPR principles (lawfulness, fairness, transparency, accuracy, integrity, confidentiality, and purpose limitation). Ensure records are available to demonstrate compliance to supervisory authorities upon request.