GDPR Compliance Checklist

Walk through every system that touches personal data — application databases, analytics warehouses, log aggregators, customer support tools, marketing platforms. Engineering teams typically miss the implicit ones: Sentry error payloads with user context, Datadog APM tags carrying email, Slack notifications that include customer identifiers. Update the ROPA in your privacy tool (OneTrust, Vanta, Drata) and attach the export below.

For each ROPA entry, name one of the six Article 6 bases — typically contract, legitimate interest, or consent. Marketing analytics under legitimate interest needs a balancing test on file; consent-based processing needs the consent record retrievable per user. Flag any special-category data under Article 9 that requires an additional condition.

Submit a synthetic data subject access request through your privacy@ inbox or dedicated form. Time the round-trip: Article 12 requires response within one month. Confirm the export pulls data from every system listed in the ROPA — not just the primary application database.

Run an erasure request against a test account and confirm the data is gone from production, read replicas, analytics warehouse, and any caches. Document the backup retention window and the policy for purging deleted users from rotated backups; "we'll get to it eventually" is not a defensible position with regulators.

Pull the current sub-processor list (AWS, GCP, Datadog, Stripe, Twilio, etc.) and confirm a signed DPA is on file for each. Flag any new vendor added since last review without one — common when Eng pulls in tools self-serve. Update the public sub-processor page if customers subscribe to changes.

Confirm all RDS/Aurora instances have encryption at rest enabled, S3 buckets have default encryption set, and TLS 1.2+ is enforced at every public endpoint. Spot-check internal service-to-service calls; legacy gaps inside the VPC are a frequent finding.

Article 37 requires a DPO when core activities involve large-scale monitoring of data subjects or processing of special categories. Document the analysis even if the conclusion is no DPO required — supervisory authorities ask for the reasoning during inquiries.

Walk a SEV1-style scenario through the playbook with the incident commander, comms lead, and DPO present. Common gaps surfaced: who decides whether confirmed exfiltration meets the GDPR breach threshold, how the 72-hour clock starts (awareness, not occurrence), and whether the on-call engineer knows to page the DPO.

Use your breach severity rubric to score the tabletop scenario. The classification drives whether data subject notification is required — Article 34 obliges notification only when the breach is likely to result in high risk to rights and freedoms.

Use the lead supervisory authority's template (the ICO's online form for UK, CNIL for France, etc.). Even for a tabletop, populate the categories of data, approximate number of records, likely consequences, and mitigation steps. Save the draft to the breach response folder.

DPIAs are required under Article 35 for systematic monitoring, large-scale special-category processing, or innovative tech such as new ML models trained on user data. Use the supervisory authority's template or your privacy tool's workflow; document the consultation with the DPO.

List the technical and organizational measures applied — pseudonymization, access controls, logging, retention limits — and score the residual risk. If residual risk remains high, Article 36 requires consulting the supervisory authority before processing begins.

Confirm the 2021 SCC modules are in place for every transfer to a third country without an adequacy decision — typically US sub-processors post-Schrems II. A transfer impact assessment (TIA) needs to be on file alongside each SCC describing the destination's surveillance regime and supplementary measures.

Check the European Commission's current adequacy list — it changes (UK, Japan, South Korea added in recent years; the EU-US Data Privacy Framework replaced Privacy Shield). Update the data flow map if a destination's status has changed since last review.

Run a 30-minute session covering recent enforcement decisions, changes to your ROPA, and the breach playbook. Engineers are the most common source of accidental personal-data exposure — debug logs, support screenshots, ad-hoc SQL exports — so keep examples concrete and team-specific.

Attach the LMS export or sign-in sheet showing who completed the session. Auditors (SOC 2, ISO 27001, GDPR supervisory authorities) all ask for evidence of training delivery, not just that training exists.