Data Privacy Compliance Checklist
Data Inventory and Classification
The sysadmin walks the inventory: M365 / Google Workspace, Salesforce, HubSpot, the HRIS, on-prem file shares, and any shadow-IT SaaS surfaced by the CASB. Reconcile against last quarter's Record of Processing Activities (RoPA) — new tools added since the last review are the typical gap.
Apply Microsoft Purview or Google DLP labels (Public, Internal, Confidential, Restricted-PII) to the locations identified in the inventory. Restricted labels should auto-trigger encryption and download blocking — verify the policy fires on a test document.
Confirm BitLocker on file servers, Azure Storage Service Encryption on blob accounts, RDS storage encryption, and customer-managed keys for restricted-tier datasets. Flag any database, snapshot, or backup target that is not encrypted.
Walk the marketing site forms, support intake, HR onboarding, and any vendor portals. Common over-collection: date of birth on a newsletter sign-up, full SSN on a benefits form when last-four would do. GDPR Article 5(1)(c) requires only what is adequate, relevant, and necessary.
Run an SSL Labs scan on every public endpoint and check internal load balancers. Disable TLS 1.0/1.1 and weak ciphers. Verify ACME automation is renewing certs — expired internal certs are the most common cause of users learning to ignore browser warnings.
Access Control and Identity
The IAM administrator pulls every Entra ID / Okta group with access to restricted data and reconciles against the HRIS. Look for terminated users still active, role changes that didn't trigger group removal, and security groups bloated with users from prior projects.
Confirm the Entra ID conditional access policy blocks IMAP, POP, SMTP-AUTH, and other basic-auth protocols org-wide. Password-spray attacks against legacy auth bypass MFA entirely; this is the single highest-leverage privacy control on a Microsoft tenant.
Pull the Entra ID / Okta report of admin-role members and confirm 100% have phishing-resistant MFA (FIDO2 / Windows Hello / number-matching). Service accounts should use managed identities or certificates — never shared passwords.
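The two reconciliations above (group membership against the HRIS, and admin roles against registered MFA methods) are the same join. The Python below is an added example written for this checklist, not part of the template or of any vendor tooling; the CSV inputs are constructed sample exports and the column names (`status`, `account_enabled`, `mfa_method`, group names) are assumptions about how an HRIS and an IdP export might look, so map them to your real export headers.

```python
"""Reconcile an IdP group/MFA export against an HRIS export (added example).

Both CSVs below are constructed sample data, not real tenant exports.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: HRIS export with employment status.
HRIS_CSV = """employee_id,email,status,department
1001,alice@example.test,active,Finance
1002,bob@example.test,terminated,Marketing
1003,carol@example.test,active,Engineering
1004,dave@example.test,active,HR
"""

# Constructed sample: IdP export, one row per user/group pair; mfa_method is
# assumed to be the strongest method the user has registered.
IDP_CSV = """email,group,account_enabled,mfa_method
alice@example.test,Restricted-Data-Readers,true,authenticator_push
bob@example.test,Restricted-Data-Readers,true,sms
carol@example.test,Global-Admins,true,fido2
dave@example.test,Global-Admins,true,authenticator_push
erin@example.test,Restricted-Data-Readers,true,fido2
"""

# Method names are assumed labels for this sample, not vendor enum values.
PHISHING_RESISTANT = {"fido2", "windows_hello", "certificate"}
ADMIN_GROUPS = {"Global-Admins"}


@dataclass
class Findings:
    terminated_still_active: list = field(default_factory=list)
    not_in_hris: list = field(default_factory=list)
    admins_without_phishing_resistant_mfa: list = field(default_factory=list)


def reconcile(hris_csv: str, idp_csv: str) -> Findings:
    """Join IdP rows to HRIS by e-mail and collect the three checklist findings."""
    hris = {row["email"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(hris_csv))}
    findings = Findings()
    for row in csv.DictReader(io.StringIO(idp_csv)):
        email = row["email"].strip().lower()
        enabled = row["account_enabled"].strip().lower() == "true"
        person = hris.get(email)
        if person is None:
            # In the IdP but unknown to HR: contractor, service account, or orphan.
            if email not in findings.not_in_hris:
                findings.not_in_hris.append(email)
        elif person["status"].strip().lower() != "active" and enabled:
            # Leaver whose account still signs in and still holds the group.
            findings.terminated_still_active.append((email, row["group"]))
        if row["group"] in ADMIN_GROUPS and row["mfa_method"] not in PHISHING_RESISTANT:
            findings.admins_without_phishing_resistant_mfa.append((email, row["mfa_method"]))
    return findings


if __name__ == "__main__":
    f = reconcile(HRIS_CSV, IDP_CSV)
    print("terminated but still enabled:", f.terminated_still_active)
    print("not in HRIS:", f.not_in_hris)
    print("admins without phishing-resistant MFA:", f.admins_without_phishing_resistant_mfa)
```

Each list is an audit finding to attach to the review record: the first two feed the group clean-up, the third feeds the admin MFA remediation. Accounts that are in the IdP but not in HR are not automatically wrong (service accounts, contractors), but each one needs a named owner.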
Confirm Microsoft 365 Unified Audit Log, Salesforce event monitoring, and database audit logs are flowing into Sentinel / Splunk with at least 90-day retention (longer where regulation requires). Spot-check that a test access event appears within 15 minutes.
Vendor and Third-Party Processors
Pull the SaaS spend report from finance and the SSO app catalog from Okta / Entra ID; reconcile. Every vendor that touches personal data is a processor (GDPR) or service provider (CCPA) and needs to be on this list before any other vendor work.
Every processor needs a Data Processing Agreement on file with current Standard Contractual Clauses for EU transfers. Upload the executed PDFs here so the audit evidence is in one place.
Pull current SOC 2 Type II reports (issued within 12 months) for any processor handling restricted data. Read the exceptions section, not just the cover page — exceptions in change management or access provisioning are the privacy-relevant red flags.
Confirm BI exports to vendors (analytics, marketing automation, AI vendors) drop direct identifiers and use hashed surrogate keys. Pseudonymization isn't anonymization — true anonymization means re-identification is infeasible even with auxiliary data.
Breach Detection and Response
Review last quarter's noisy detections and tune. Specific patterns to keep sharp: bulk OneDrive / SharePoint downloads, Salesforce report exports above threshold, new external email forwarding rules, and anomalous service-account activity outside business hours.
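Three of the four patterns listed above, run over a handful of constructed audit events, as an added example that is not part of the template. The event shape (`time`, `user`, `operation`, `forward_to`) is a simplified stand-in for a unified audit log export, not a real schema; the thresholds, the org domain, and the per-service-account maintenance window are the tunables the item above says to review each quarter.

```python
"""Detection logic for the checklist's tuned patterns (added example).

Events below are constructed; field names are assumed, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

ORG_DOMAIN = "example.test"
BULK_DOWNLOAD_THRESHOLD = 50          # downloads per user per window
BULK_WINDOW = timedelta(minutes=10)
# Expected activity window per service account; anything outside is anomalous.
SERVICE_ACCOUNT_WINDOWS = {"svc-backup@example.test": (time(1, 0), time(4, 0))}
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

_BASE = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = (
    # 60 SharePoint downloads by one user within five minutes: bulk pattern.
    [{"time": (_BASE + timedelta(seconds=5 * i)).isoformat(),
      "user": "user2@example.test", "operation": "FileDownloaded"} for i in range(60)]
    # Normal activity: three downloads spread over the morning.
    + [{"time": (_BASE + timedelta(hours=h)).isoformat(),
        "user": "alice@example.test", "operation": "FileDownloaded"} for h in (0, 1, 2)]
    # A new inbox rule forwarding to an address outside the org domain.
    + [{"time": "2024-05-06T11:15:00", "user": "bob@example.test",
        "operation": "New-InboxRule", "forward_to": "bob.personal@mail.example"}]
    # Same rule type forwarding internally: should not fire.
    + [{"time": "2024-05-06T11:20:00", "user": "carol@example.test",
        "operation": "New-InboxRule", "forward_to": "team@example.test"}]
    # Service account inside and outside its maintenance window.
    + [{"time": "2024-05-06T02:30:00", "user": "svc-backup@example.test", "operation": "FileDownloaded"},
       {"time": "2024-05-06T14:00:00", "user": "svc-backup@example.test", "operation": "FileDownloaded"}]
)


def detect_bulk_downloads(events):
    """Users with >= threshold downloads inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["operation"] == "FileDownloaded":
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    hits = []
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_DOWNLOAD_THRESHOLD:
                hits.append(user)
                break
    return hits


def detect_external_forwarding(events):
    """Mailbox/inbox-rule changes that forward to an address outside the org."""
    hits = []
    for e in events:
        target = e.get("forward_to", "")
        if e["operation"] in FORWARDING_OPERATIONS and target:
            if not target.strip().lower().endswith("@" + ORG_DOMAIN):
                hits.append((e["user"], target))
    return hits


def detect_service_account_off_schedule(events):
    """Service-account activity outside its declared window."""
    hits = []
    for e in events:
        window = SERVICE_ACCOUNT_WINDOWS.get(e["user"])
        if window is None:
            continue
        t = datetime.fromisoformat(e["time"]).time()
        if not (window[0] <= t < window[1]):
            hits.append((e["user"], e["operation"], e["time"]))
    return hits


if __name__ == "__main__":
    print("bulk downloads:", detect_bulk_downloads(SAMPLE_EVENTS))
    print("external forwarding:", detect_external_forwarding(SAMPLE_EVENTS))
    print("service account off schedule:", detect_service_account_off_schedule(SAMPLE_EVENTS))
```

The Salesforce export pattern from the item above is the same shape as the bulk-download rule with a different operation name and a row-count field instead of an event count. Tuning means adjusting `BULK_DOWNLOAD_THRESHOLD`, the window, and the per-account schedules against last quarter's false positives, then re-running the rules over the retained logs to confirm the true positives still fire.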
Walk the IR playbook with IT, security, legal, and comms in the room. Test the immutable-backup assumption — on actual ransomware days, teams frequently discover the backups were also encrypted because the backup target was writable from production.
Review IR tickets, SIEM incidents, and DLP alerts from the period. A reportable breach under GDPR Article 33 is a personal data breach unless it is unlikely to result in a risk to data subjects; that is narrower than "any security incident". If one occurred, the 72-hour notification clock started when the organisation became aware of it.
File the GDPR Article 33 notification with the lead supervisory authority and with any other regulator that applies (state attorneys general under CCPA, NYDFS under Part 500, HHS under HIPAA). Late notification is itself a violation; if details are still being investigated, file the initial notification and supplement later.
Identify the affected data subjects from the audit logs, document the categories of data exposed, and record outbound notifications. Article 34 requires direct notification to data subjects when the breach is high-risk; the documentation here is the evidence the regulator will request.
Whether or not anything was reportable, write up the period's incidents with timeline, root cause, and remediation tasks tracked to ticket IDs. Repeat root causes (the same misconfigured S3 bucket pattern, the same phishing template getting clicked) signal a control failure rather than user error.
Compliance and Recordkeeping
The RoPA required by GDPR Article 30 covers purpose, categories of data subjects, recipients, transfer destinations, retention periods, and security measures. Reconcile against this quarter's vendor inventory and data-source mapping; gaps here are what auditors find first.
GDPR Article 37 requires a Data Protection Officer when core activities require large-scale systematic monitoring or large-scale processing of special-category data. Public authorities always need one. Reassess if processing has materially expanded since the last review.
Verify the DPO's name, contact details, and registration are current with the supervisory authority and published in the privacy policy. The DPO must report to the highest level of management and cannot hold a conflicting role (CISO is the most common conflict).
Review the public privacy notice against this quarter's processing activities — new vendors, new categories of data, new transfer destinations. Open a Data Protection Impact Assessment for any new high-risk processing (biometrics, AI inference on personal data, large-scale monitoring).
The privacy lead and IT manager record the review outcome, attach any open remediation items, and sign off. The signed record is the evidence shown to SOC 2 auditors and supervisory authorities that the program runs on a defined cadence.