GDPR Checklist: 10 Steps
Practical GDPR checklist with 10 concrete steps. Time comparison with and without GRC tool.
GDPR Checklist: Your Path to Compliance
Achieving and maintaining GDPR compliance requires a structured, systematic approach. This checklist provides 10 concrete steps that cover all key areas of the regulation and guide you from initial assessment through to ongoing compliance management.
The table further down gives a time estimate for each step with and without GRC tooling, to help you plan realistically. The steps are designed to be worked through sequentially, as later steps build on the outputs of earlier ones.
Step 1: Determine Scope and Applicability
Identify all processing activities involving personal data across your organisation. Determine which entities, departments, and systems are in scope. If you operate across multiple EU member states, identify which national data protection laws supplement the GDPR. Review the complete GDPR requirements overview to understand the full regulatory framework.
Step 2: Create the Records of Processing Activities
Build your records of processing activities (ROPA) as required by Art. 30. Document every processing activity with its purpose, legal basis, data categories, recipients, retention periods, and technical measures. The ROPA forms the foundation for all subsequent compliance activities.
Step 3: Review Legal Bases
For each processing activity, verify that a valid legal basis under Art. 6 exists. Pay special attention to consent management: is consent freely given, specific, informed, and unambiguous? Can you demonstrate consent was obtained? For legitimate interest, have you conducted and documented the required balancing test?
Step 4: Implement Data Subject Rights Processes
Establish processes to handle all data subject rights requests within the one-month deadline: access, rectification, erasure, restriction, portability, and objection. Create intake channels, verification procedures, response templates, and escalation paths.
Step 5: Establish Technical and Organisational Measures
Implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32. This includes encryption, access controls, backup strategies, pseudonymisation, and regular effectiveness testing. Document all measures and their rationale.
Step 6: Review Data Processing Agreements
Audit all data processing agreements with processors and sub-processors. Ensure all DPAs include the mandatory contents under Art. 28(3). Check that sub-processor chains are documented and that you have objection rights for new sub-processors.
Step 7: Set Up Breach Notification Processes
Establish a breach notification process that enables you to detect, assess, and report data breaches within the 72-hour deadline. Prepare notification templates, define escalation paths, and maintain a breach register. Conduct at least one tabletop exercise annually.
Step 8: Conduct Data Protection Impact Assessments
Identify processing activities that require a Data Protection Impact Assessment (Art. 35). Establish a threshold assessment process for new processing activities and conduct full DPIAs where required. Involve your DPO in the process.
Step 9: Address International Data Transfers
Map all international data transfers and ensure appropriate transfer mechanisms are in place (adequacy decisions, SCCs, BCRs). Conduct Transfer Impact Assessments where required and implement supplementary measures if needed.
Step 10: Establish Continuous Compliance Management
GDPR compliance is not a one-off project. Establish ongoing processes for: periodic ROPA reviews, annual TOM effectiveness assessments, DPA audits, DPO reporting to management, employee training, and monitoring of regulatory developments. Integrate GDPR requirements into your broader GRC processes.
Timeframes: With vs. Without GRC Tooling
| Step | With Kopexa | Without dedicated tool |
|---|---|---|
| 1. Scope & Applicability | 1-2 weeks | 2-4 weeks |
| 2. Records of Processing | 2-4 weeks | 6-12 weeks |
| 3. Legal Bases Review | 1-2 weeks | 3-6 weeks |
| 4. Data Subject Rights | 2-3 weeks | 4-8 weeks |
| 5. TOMs | 2-4 weeks | 4-10 weeks |
| 6. DPA Review | 2-4 weeks | 4-12 weeks |
| 7. Breach Notification | 1-2 weeks | 3-6 weeks |
| 8. DPIAs | 2-4 weeks | 4-8 weeks |
| 9. International Transfers | 1-3 weeks | 3-8 weeks |
| 10. Continuous Management | Ongoing | Ongoing |
| Total (initial setup) | 3-6 months | 8-18 months |
These timeframes assume a mid-sized organisation without an existing ISO 27001 ISMS. Organisations with mature information security management can typically accelerate Steps 2 and 5 significantly. Review our ISO 27001 and GDPR cross-mapping to identify existing coverage.
Common Pitfalls to Avoid
- Treating GDPR as a legal project only: GDPR compliance requires cross-functional involvement from IT, legal, HR, marketing, and management. Without technical implementation, policies remain paper exercises.
- Underestimating the ROPA effort: The records of processing are often the most time-consuming deliverable. Start early and involve all departments.
- Neglecting employee training: Most data breaches involve human error. Regular awareness training is essential, not optional.
- Forgetting about processors: Your compliance extends to every processor that handles personal data on your behalf. DPAs and ongoing monitoring are mandatory.
- One-time compliance approach: The GDPR requires continuous compliance. Establish review cycles and update processes as your organisation evolves.
Accelerate Your GDPR Compliance
Kopexa provides pre-built GDPR frameworks, ROPA templates, breach notification workflows, and TOM catalogues, reducing your implementation timeline by up to 50%. Let us assess where you stand and build a prioritised roadmap together.