A step-by-step GDPR compliance checklist (15 steps)

by SecureSlate Team in GDPR

In today’s data-driven economy, companies across industries collect data from users who visit their sites and interact with their brands. However, that can be costly if your business isn’t collecting and using data in a GDPR-compliant way.

Applicable since May 2018, the General Data Protection Regulation (GDPR) is the European Union’s data privacy and security law. It establishes data protection as a fundamental right for individuals in the EU and covers the use, storage, confidentiality, and transfer of personal data. Fines for violations can be severe: up to €20 million or 4% of global revenue, whichever is higher.

To protect your organization from costly penalties (and to maintain trust), you’ll need to ensure your data collection and processing practices comply with GDPR. Use the checklist below as a practical, step-by-step path.

This guide covers:

  • A 15-step GDPR compliance checklist you can operationalize
  • The core artifacts you should be able to produce on demand
  • Practical ownership and evidence guidance so the program doesn’t stall

[GIF: When your “privacy project” turns into 15 workstreams]


Key takeaways

  • GDPR scope depends on whose data you process—not where you’re located. Many non-EU businesses are still in scope if they target or monitor EU/UK individuals.
  • Data mapping is the backbone. If you can’t answer “what data, where it lives, and who touches it,” DSARs, deletion, and breach response will break under pressure.
  • Vendor and transfer governance are common blind spots. Subprocessors and cross-border transfers need repeatable review—not one-time paperwork.
  • Make every step executable. Assign owners and keep evidence current so you can demonstrate compliance when asked.

What are the benefits of GDPR compliance?

GDPR compliance is critical for businesses that collect data from EU residents and is legally required for organizations that are in scope. It can also improve your day-to-day operations by:

  • Protecting your organization from severe fines
  • Maintaining the trust of consumers and clients
  • Removing barriers that can block expansion into the EU/UK
  • Strengthening data security through clearer governance and better controls

Step 1: Determine if you need to comply with GDPR

Not all organizations are legally required to comply with GDPR, so start by confirming applicability. Consider:

  • Do you sell goods or services in the EU or UK?
  • Do you sell goods or services to EU businesses, consumers, or both?
  • Do you have employees in the EU or UK?
  • Do people from the EU or UK visit your website?
  • Do you monitor the behavior of people within the EU or UK?

If any of the above apply to your business, you should treat GDPR as in scope and proceed with the checklist below.


GDPR compliance checklist: 15 steps to follow

Step 2: Document the personal data you process

To scope your data practices:

  • Identify and document every system (database, application, or vendor) that stores or processes EU/UK personal data.
  • Document retention periods for personal data in each system.
  • Determine whether you collect, store, or process special categories of data, including racial/ethnic origin, religious/philosophical beliefs, genetic data, health data, political opinions, trade union membership, biometric data, or sex life/sexual orientation data.

Also ensure your documentation can support a Record of Processing Activities (RoPA)-style view of processing: controller/processor contacts, processing purposes, categories of data, recipients, transfers and their safeguards, retention periods, and a high-level description of security measures.

Step 3: Determine your legal grounds for processing data

For each processing purpose and data category, determine the lawful basis:

  • Consent of the data subject
  • Contract with the data subject
  • Necessary for compliance with a legal obligation
  • Necessary to protect vital interests
  • Necessary for a task in the public interest / official authority
  • Necessary for legitimate interests (except where overridden by data subject rights)

Step 4: Review and update current customer and vendor contracts

Review customer and in-scope vendor contracts to confirm appropriate contract language is in place (commonly DPAs and, where relevant, Standard Contractual Clauses).

Step 5: Determine if you need a Data Protection Impact Assessment (DPIA)

Identify whether processing is likely to create high risk to individuals’ rights and freedoms, such as:

  • Automated processing (including profiling) where decisions produce legal (or similarly significant) effects
  • Special category data or data related to criminal convictions/offenses
  • Monitoring publicly accessible areas on a large scale

If any are true, plan to conduct DPIAs for existing and new data projects and track mitigations to completion.

Step 6: Clearly communicate privacy and marketing consent practices

Ensure you have:

  • A public-facing privacy policy covering your products, services, and websites
  • Notice to the data subject with essential details required by GDPR (commonly aligned to Article 13/14, depending on collection method)
  • A clear process for individuals to change or withdraw consent

Step 7: Update internal privacy policies

Common actions include:

  • Updating internal privacy notices for EU employees
  • Maintaining an employee privacy policy governing the collection and use of EU/UK employee data
  • Determining if you need a Data Protection Officer (DPO) based on your processing activities and scale

Step 8: Review compliance measures for external data transfers

If you transfer, store, or process data outside the EU or UK:

  • Identify and document your legal basis for the transfer (often Standard Contractual Clauses, depending on the facts)
  • Perform and document a Transfer Impact Assessment (TIA)

Step 9: Confirm you comply with additional data subject rights

Confirm you can execute rights in practice:

  • Do you have a process for responding promptly to requests for information, modification, or deletion?
  • Can you provide information in a concise, transparent, intelligible, and accessible form using clear language?
  • Do you have a process for correcting or deleting data when requested (including propagation to vendors where required)?
  • Do you have an internal policy regarding compelled disclosure requests (for example, law enforcement)?

Step 10: Determine if you need an EU-based representative

Depending on your location and processing, determine whether an EU representative is required. You may not need one if processing is occasional, not large scale, does not include special categories or criminal conviction/offense data, and does not present meaningful risk to individuals’ rights and freedoms.

If those conditions don’t apply, appoint an EU-based representative and document the decision.

Step 11: Identify a lead data protection authority (DPA) if needed

If you operate in more than one EU member state, determine whether you need to designate a lead supervisory authority based on your main establishment (where applicable).

Step 12: Implement employee training

Provide appropriate security awareness and privacy training to staff (role-aware, recurring, and tied to real workflows).

Step 13: Integrate data breach response requirements

Create and implement an incident response plan including:

  • Procedures for reporting a breach to EU/UK data subjects and appropriate data protection authorities (where required)
  • Breach reporting policies that comply with prescribed timelines and include all recipients (authorities, controllers, and data subjects)

Step 14: Implement appropriate security measures

Confirm you have “appropriate” technical and organizational measures, such as:

  • Encryption of personal data at rest and in transit (where appropriate)
  • Pseudonymization where it reduces risk
  • Physical security controls
  • Information security policies and procedures that match how you operate
  • Controls that support “privacy by default” (only necessary personal data is processed for each purpose)

Step 15: Streamline GDPR compliance with automation

GDPR compliance is ongoing. To reduce drift:

  • Explore tools for automating security and compliance
  • Replace manual evidence collection and periodic spot checks with continuous monitoring

A practical owner-and-evidence table (so work doesn’t stall)

Checklist area               | Likely owner(s)             | “Done” output                         | Evidence to keep current
-----------------------------+-----------------------------+---------------------------------------+----------------------------------------------
GDPR scope decision          | Privacy lead + Legal        | Written applicability decision        | Scope memo, assumptions
Data inventory / RoPA inputs | Privacy lead + Eng + IT     | System/vendor inventory + data map    | System list, vendor list, RoPA entries
Lawful basis                 | Legal + Product             | Purpose-to-lawful-basis mapping       | Lawful basis register, consent logs, LIAs
Contracts (DPAs/SCCs)        | Legal + Procurement         | Updated customer/vendor terms         | Signed DPAs, SCCs, subprocessor list
DPIAs                        | Privacy lead + Security     | DPIA decisions + mitigations closed   | DPIAs, approvals, remediation tickets
Notices and consent          | Product + Marketing + Legal | Accurate notices + withdrawal process | Notice versions, consent specs
DSAR operations              | Support + Privacy lead      | Repeatable request workflow with SLAs | DSAR runbook, request logs
Transfers (TIA)              | Legal + Security            | Transfer safeguards + TIAs            | TIAs, transfer map
Incident response            | Security + Legal + Privacy  | Breach decision workflow + templates  | IR plan, tabletop notes
Security measures            | Security + IT + Eng         | Controls implemented and reviewed     | Access reviews, MFA, logs, encryption posture

Streamline GDPR compliance with SecureSlate

GDPR compliance is easier when it’s operational: clear owners, repeatable workflows, and evidence that stays current as your systems and vendors change.

SecureSlate helps teams:

  • Centralize GDPR artifacts (RoPA inputs, DPIAs, policies, vendor documentation) in one place
  • Assign owners and deadlines for recurring work like access reviews and policy refreshes
  • Track vendors, subprocessors, and review cadences without spreadsheet churn
  • Maintain an audit-ready trail of evidence for customers, regulators, and renewals

Get started for free to turn GDPR requirements into trackable execution.


FAQ

What are the seven GDPR requirements?

The requirements for GDPR compliance are commonly summarized as seven key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Is GDPR compliance required in the US?

GDPR compliance can be mandatory for some US companies. GDPR scope depends on whose data you process—not where your organization is located. If you collect or process personal data from EU/UK individuals, GDPR may apply.

What are the four key components of GDPR?

At a high level, GDPR includes data protection principles, rights of data subjects, legal bases for processing, and responsibilities and obligations of controllers and processors.

Does GDPR require a certification?

There is no universal “GDPR certification” required to be compliant. In practice, the emphasis is on operating controls and being able to demonstrate compliance through documentation, workflows, and evidence.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to GDPR, UK GDPR, and related regulations, you should consult a licensed attorney.
