GDPR Compliance Checklist

Records of Processing and Lawful Basis

    Walk through every system that touches personal data — application databases, analytics warehouses, log aggregators, customer support tools, marketing platforms. Engineering teams typically miss the implicit ones: Sentry error payloads with user context, Datadog APM tags carrying email, Slack notifications that include customer identifiers. Update the ROPA in your privacy tool (OneTrust, Vanta, Drata) and attach the export below.

    For each ROPA entry, name one of the six Article 6 bases — typically contract, legitimate interest, or consent. Marketing analytics under legitimate interest needs a balancing test on file; consent-based processing needs the consent record retrievable per user. Flag any special-category data under Article 9 that requires an additional condition.

    Review signup forms, API payloads, and event tracking schemas for fields collected but never used. Common offenders: full date of birth when only age range is needed, full address when only country is needed, free-text notes that capture more than the form intended. Open tickets to drop or hash unnecessary fields.

Data Subject Rights Mechanisms

    Submit a synthetic data subject access request through your privacy@ inbox or dedicated form. Time the round-trip: Article 12 requires response within one month. Confirm the export pulls data from every system listed in the ROPA — not just the primary application database.

    Run an erasure request against a test account and confirm the data is gone from production, read replicas, analytics warehouse, and any caches. Document the backup retention window and the policy for purging deleted users from rotated backups; "we'll get to it eventually" is not a defensible position with regulators.

    Toggle marketing consent off for a test user and verify the change reaches the email platform (Customer.io, Braze, Marketo), ad audiences (Google, Meta CAPI), and any reverse-ETL pipelines. Lag here is the most common GDPR complaint engineering teams generate.

Controller and Processor Obligations

    Pull the current sub-processor list (AWS, GCP, Datadog, Stripe, Twilio, etc.) and confirm a signed DPA is on file for each. Flag any new vendor added since last review without one — common when Eng pulls in tools self-serve. Update the public sub-processor page if customers subscribe to changes.

    Confirm all RDS/Aurora instances have encryption at rest enabled, S3 buckets have default encryption set, and TLS 1.2+ is enforced at every public endpoint. Spot-check internal service-to-service calls; legacy gaps inside the VPC are a frequent finding.
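The encryption-at-rest checks in the item above, as an added example that is not part of the original checklist: pure functions that audit the response shapes boto3 returns from `rds.describe_db_instances()`, `rds.describe_db_clusters()` and `s3.get_bucket_encryption()`, run here over constructed sample responses (every instance, cluster, bucket and key name is made up). Pulling the live responses from AWS and the TLS 1.2+ endpoint check are left out.

```python
# Added example, not code from the checklist's author. The dict shapes mirror what
# boto3 returns from rds.describe_db_instances(), rds.describe_db_clusters() and
# s3.get_bucket_encryption(); all names and values below are constructed samples.

SAMPLE_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-app", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False},
]}
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "prod-aurora", "StorageEncrypted": True},
]}
# bucket name -> get_bucket_encryption() response, or None when that call raised
# ServerSideEncryptionConfigurationNotFoundError (no default encryption configured).
SAMPLE_BUCKETS = {
    "customer-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-key"}},
    ]}},
    "old-log-archive": None,
}

def unencrypted_rds(instances: dict, clusters: dict) -> list[str]:
    """Identifiers of RDS instances and Aurora clusters without encryption at rest."""
    findings = []
    for inst in instances.get("DBInstances", []):
        if not inst.get("StorageEncrypted", False):
            findings.append(f"rds:{inst['DBInstanceIdentifier']}")
    for cluster in clusters.get("DBClusters", []):
        if not cluster.get("StorageEncrypted", False):
            findings.append(f"aurora:{cluster['DBClusterIdentifier']}")
    return findings

def s3_default_encryption_gaps(bucket_configs: dict) -> list[str]:
    """Buckets whose configuration carries no default SSE rule (SSE-S3 or SSE-KMS)."""
    gaps = []
    for name, cfg in bucket_configs.items():
        rules = ((cfg or {}).get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
        algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                      for r in rules}
        if not (algorithms & {"AES256", "aws:kms"}):
            gaps.append(name)
    return gaps

def audit(instances: dict, clusters: dict, bucket_configs: dict) -> dict:
    """Combine both checks into one finding set for the remediation ticket."""
    return {"rds": unencrypted_rds(instances, clusters),
            "s3": s3_default_encryption_gaps(bucket_configs)}

if __name__ == "__main__":
    print(audit(SAMPLE_INSTANCES, SAMPLE_CLUSTERS, SAMPLE_BUCKETS))
```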

    Article 37 requires a DPO when core activities involve large-scale monitoring of data subjects or processing of special categories. Document the analysis even if the conclusion is no DPO required — supervisory authorities ask for the reasoning during inquiries.

    Publish the DPO contact in the privacy notice and register them with the supervisory authority. The DPO must report to the highest management level and have no conflicting duties — a CTO or General Counsel acting as DPO is a frequent regulator challenge.

Breach Response Readiness

    Walk a SEV1-style scenario through the playbook with the incident commander, comms lead, and DPO present. Common gaps surfaced: who decides whether confirmed exfiltration meets the GDPR breach threshold, how the 72-hour clock starts (awareness, not occurrence), and whether the on-call engineer knows to page the DPO.

    Use your breach severity rubric to score the tabletop scenario. The classification drives whether data subject notification is required — Article 34 obliges notification only when the breach is likely to result in high risk to rights and freedoms.

    Draft the supervisory-authority breach notification using the lead authority's template (the ICO's online form for the UK, CNIL for France, etc.). Even for a tabletop, populate the categories of data, approximate number of records, likely consequences, and mitigation steps. Save the draft to the breach response folder.

    Article 34 requires notification in clear and plain language without undue delay. Coordinate with comms and customer support so the message lands consistently across email, in-app, and the status page. Pre-approved templates cut hours off real-incident response.

Data Protection Impact Assessment

    DPIAs are required under Article 35 for systematic monitoring, large-scale special-category processing, or innovative tech such as new ML models trained on user data. Use the supervisory authority's template or your privacy tool's workflow; document the consultation with the DPO.

    List the technical and organizational measures applied — pseudonymization, access controls, logging, retention limits — and score the residual risk. If residual risk remains high, Article 36 requires consulting the supervisory authority before processing begins.

    File a prior consultation with your lead supervisory authority and pause the processing change until you receive a response. Authorities have up to 8 weeks (extendable to 14) to reply; build the timeline into the product roadmap rather than discovering it at launch.

International Data Transfers

    Confirm the 2021 SCC modules are in place for every transfer to a third country without an adequacy decision — typically US sub-processors post-Schrems II. A transfer impact assessment (TIA) needs to be on file alongside each SCC describing the destination's surveillance regime and supplementary measures.

    Check the European Commission's current adequacy list — it changes (UK, Japan, South Korea added in recent years; the EU-US Data Privacy Framework replaced Privacy Shield). Update the data flow map if a destination's status has changed since last review.

    For intra-group transfers, confirm Binding Corporate Rules are approved and current. For one-off transfers, document the Article 49 derogation relied on — explicit consent or contract performance — and keep the reasoning on file for the supervisory authority.

Training and Documentation

    Run a 30-minute session covering recent enforcement decisions, changes to your ROPA, and the breach playbook. Engineers are the most common source of accidental personal-data exposure — debug logs, support screenshots, ad-hoc SQL exports — so keep examples concrete and team-specific.

    Attach the LMS export or sign-in sheet showing who completed the session. Auditors (SOC 2, ISO 27001, GDPR supervisory authorities) all ask for evidence of training delivery, not just that training exists.

    Update the privacy notice to reflect any new sub-processors, retention changes, or processing activities introduced this quarter. Date the update and link to the changelog so customers exercising their right to information can see what changed and when.

Use this template in Manifestly
