GDPR Compliance Checklist: 50+ Actionable Items for 2026

Map each data processing activity to one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Document this mapping.

Consent must require a clear affirmative action. No pre-checked boxes, no bundled consent, no “by using this site you agree” banners. Each purpose requires separate consent.

Maintain timestamped records of who consented, when, how, what they were told, and what they consented to. This evidence must be retrievable on demand.

Withdrawing consent must be as easy as giving it. If consent was one click, withdrawal should be one click — not a 5-step process buried in account settings.

If relying on legitimate interest as a lawful basis, complete a documented three-part test: purpose, necessity, and balancing test against individuals' rights.

Full legal name, registered address, and email address of the data controller. Include DPO contact details if one is appointed.

List every category of personal data you collect (name, email, IP, device ID, location, etc.) and clearly state the purpose for each collection.

Don't just list the six lawful bases — specify which one applies to each specific purpose. “We process your email based on consent for marketing” not “we may rely on consent.”

Name every third party that receives personal data: analytics providers (Google Analytics, Mixpanel), payment processors (Stripe), hosting (AWS, Vercel), email services, ad networks.

State how long each category of data is kept and the criteria used to determine retention periods. “As long as necessary” is not sufficient.

Clearly explain each right and how to exercise it: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

Build a process to provide individuals with a copy of all their personal data within 30 days. Include the purposes, categories, recipients, retention periods, and source of the data.

Allow users to correct inaccurate data and complete incomplete data. Implement self-service editing where possible and a manual request process for other data.

Implement a deletion process that removes personal data from all systems, including backups, within 30 days. Notify third parties who received the data to also delete it.

Enable marking data as “restricted” so it can be stored but not further processed. This applies when accuracy is contested, processing is unlawful, or processing is no longer needed but the individual needs it for legal claims.

Provide personal data in a structured, commonly used, machine-readable format (JSON, CSV, XML). Where technically feasible, enable direct transfer to another controller.

Allow individuals to object to processing based on legitimate interest or public task. For direct marketing, objection is absolute — you must stop processing immediately.

If you use automated profiling or decision-making with legal or significant effects, provide the right to human intervention, express a point of view, and contest the decision.

Create a complete list of every third party that processes personal data on your behalf. Include SaaS tools, cloud providers, analytics, marketing, support, and payment services.

Each DPA must define the subject matter, duration, nature and purpose of processing, data types, categories of data subjects, and the processor's obligations. Most major SaaS providers offer a standard DPA on request.

Processors must obtain your prior authorization before engaging sub-processors. Your DPA should include either general or specific authorization, with a notification mechanism for changes.

Confirm each processor implements appropriate technical and organizational measures: encryption, access controls, incident response, and regular security testing.

Scan every page for cookies set by your code, third-party scripts, and embedded content. Categorize each as strictly necessary, analytics, functional, or advertising.

Use a CMP that blocks non-essential cookies until consent is given, offers granular category-level control, and records consent for audit purposes.

The “Reject All” option must be as easy to find and click as “Accept All.” Dark patterns (hiding the reject option, using different colors) are a violation.

Publish a dedicated cookie policy listing every cookie: name, provider, purpose, type (session/persistent), and expiration. Link to it from your consent banner.

Provide a persistent link (e.g., in the footer) to re-open the cookie consent interface and modify choices at any time.

Identify every transfer of personal data outside the EEA, including transfers to cloud providers, CDNs, SaaS tools, and support teams in other countries.

Use adequacy decisions, SCCs (2021 version), Binding Corporate Rules, or the EU-US DPF as appropriate. The old Privacy Shield is invalid — ensure you're using current mechanisms.

For each transfer relying on SCCs, assess whether the destination country's laws provide essentially equivalent protection. Document supplementary measures if needed.

Tell data subjects which countries their data is transferred to, the transfer mechanism used, and where they can obtain a copy of the safeguards.

Document the step-by-step process: detection, containment, assessment, authority notification, individual notification (if required), and post-incident review. Assign roles and responsibilities.

Identify and document the correct supervisory authority for reporting. If you operate across multiple EU countries, determine your lead supervisory authority under the one-stop-shop mechanism.

Article 33(5) requires you to record all breaches, regardless of whether they are reportable. Document the facts, effects, and remedial action taken for every incident.

Draft templates for both authority and individual notifications in advance. Under the 72-hour deadline, you won't have time to start from scratch. Include the required information: nature of breach, categories and approximate number of data subjects, likely consequences, and measures taken.

Document all processing activities including: purposes, data categories, recipient categories, international transfers, retention periods, and a general description of security measures.

Article 35 requires a DPIA before processing that is likely to result in high risk. This includes systematic monitoring, large-scale processing of sensitive data, and automated decision-making with legal effects.

Only collect data you actually need (minimization). Define retention periods for each data category and implement automated deletion when retention periods expire. “Keep everything forever” is a compliance failure.

Article 32 requires appropriate technical and organizational measures: encryption at rest and in transit, access controls, regular testing, and the ability to restore data availability after an incident.

Consider the content, language, advertising, and visual design of your service. If children could reasonably use it, child-specific protections apply regardless of your terms of service age restrictions.

Use an age gate appropriate to your service. For consent-based processing of children's data, implement verifiable parental consent mechanisms.

If your service is used by children, provide privacy information in language they can understand. The ICO recommends a layered approach with age-appropriate versions.

Evaluate your processing against the three mandatory criteria. If you process health data, biometric data, or conduct large-scale behavioral tracking, a DPO is almost certainly required.

The DPO must not receive instructions regarding the exercise of their tasks, must not be dismissed or penalized for performing them, and must have direct access to senior management.

Include the DPO's contact details in your privacy policy and communicate them to your supervisory authority. Data subjects must be able to contact the DPO directly.