GDPR Compliance Checklist
GDPR compliance checks for data protection and privacy
Checks
Privacy Policy
  Verify privacy policy is published and accessible
  Required by GDPR Article 13

Consent Mechanism
  Verify consent mechanism is implemented for data collection
  Required by GDPR Article 6

Granular Consent
  Verify consent is granular (not all-or-nothing)
  Required by GDPR for different processing purposes

Consent Withdrawable
  Verify users can withdraw consent easily
  Required by GDPR Article 7

Data Subject Rights
  Verify mechanism for data subject rights requests (access, rectification, erasure)
  Required by GDPR Articles 15-17

Data Retention Policy
  Verify data retention policy is defined and implemented
  Required by GDPR Article 5

Data Minimization
  Verify only necessary data is collected
  Required by GDPR Article 5

Lawful Basis
  Verify lawful basis for processing is documented
  Required by GDPR Article 6

Data Processing Agreement
  Verify DPAs are in place with all processors
  Required by GDPR Article 28

Data Breach Procedure
  Verify data breach notification procedure is documented
  Required by GDPR Article 33

DPO Appointed
  Verify DPO is appointed if required
  Required by GDPR Article 37 for certain organizations

Records of Processing
  Verify records of processing activities are maintained
  Required by GDPR Article 30

Cross-Border Transfer
  Verify adequate safeguards for transfers outside EEA
  Required by GDPR Chapter V

Data Encryption
  Verify personal data is encrypted in transit and at rest
  Required by GDPR Article 32

Access Controls
  Verify access controls limit who can access personal data
  Required by GDPR Article 32

Cookie Consent
  Verify cookie consent banner is implemented
  Required by ePrivacy Directive

Cookie Policy
  Verify cookie policy is published
  Required by ePrivacy Directive

Age Verification
  Verify age verification for users under 16 (or local age)
  Required by GDPR Article 8

Opt-Out Mechanism
  Verify opt-out mechanism for marketing communications
  Required by GDPR for marketing

Data Portability
  Verify mechanism for data portability requests
  Required by GDPR Article 20

Profiling Consent
  Verify consent for automated decision-making/profiling
  Required by GDPR Article 22

Third-Party Disclosure
  Verify privacy policy discloses all third parties
  Required by GDPR Article 13

Data Security Measures
  Verify appropriate technical and organizational measures are in place
  Required by GDPR Article 32

Regular Security Audits
  Verify regular security audits are conducted
  Required by GDPR Article 32

Staff Training
  Verify staff are trained on GDPR requirements
  Required by GDPR Article 32

Incident Response Plan
  Verify incident response plan is documented
  Required by GDPR Article 33

Data Mapping
  Verify data mapping documents all personal data flows
  Required for GDPR compliance

Privacy by Design
  Verify privacy by design principles are applied
  Required by GDPR Article 25