GDPR Compliance Review Checklist

Data Mapping and DPIA

    Walk each service line — tax prep, bookkeeping, payroll, audit — and document what personal data is collected, where it is stored (TaxDome, SmartVault, QBO, Gusto, local files), and which staff have access. Attach the updated flow map; this is the input to the Article 30 record and the DPIA scoping.

    The ROPA must list each processing activity, purpose, lawful basis, data categories, recipients, retention period, and transfer safeguards. Pull last year's ROPA and reconcile against the new data flow map — new clients in EU jurisdictions and new sub-processors are the usual additions.

    High-risk triggers under Article 35: large-scale processing of special-category data (health, biometric), systematic monitoring, automated decisioning, or new cross-border transfers without an adequacy decision. Forensic-accounting and litigation-support engagements often trip the threshold.

    Document the necessity and proportionality assessment, the risks to data subjects, and the mitigations applied. Where residual risk remains high after mitigation, Article 36 prior consultation with the supervisory authority is required before processing begins.

    New software (e.g., switching from Lacerte to UltraTax), a new sub-processor, or a change in retention period each warrant re-running the affected DPIA. Note the trigger and the conclusion in the DPIA register.

Policies and Documentation

    The policy should cross-reference the WISP required by IRS Pub 4557 — many firms keep one document covering both. Confirm the controller/processor designation, named DPO or privacy lead, and the breach-notification escalation chain.

    Most engagement work runs on contract (Article 6(1)(b)) or legal obligation (6(1)(c)) for tax filings. Marketing lists run on legitimate interests or consent — get this distinction right before sending the next newsletter.

    Reconcile GDPR storage-limitation against IRS / state record-retention rules. Tax workpapers are commonly held 7 years; audit workpapers 7 years under SSARS / SAS 103; payroll 4 years under FLSA. Align deletion runs in TaxDome / SmartVault to the schedule.

    Privacy notice must list controller identity, processing purposes and lawful bases, recipients (including sub-processors), retention periods, data subject rights, and the right to lodge a complaint with the supervisory authority. Date-stamp the version.

Data Subject Rights

    Submit a dummy access request through the public channel (web form, privacy@ inbox) and confirm it lands with the privacy lead, not a generic admin queue. The 30-day clock starts on receipt — silent inbox routing is the most common SLA breach.

    Article 12(6) allows the controller to request additional information to confirm identity. For client-record requests, confirm engagement-letter signatory match; for employee requests, confirm against HRIS. Don't accept a bare email claim.

    Erasure has carve-outs — Article 17(3)(b) preserves data needed for legal obligations such as tax record retention. Document the carve-out reasoning so a refusal can be defended. Portability applies only to data the subject provided, in a machine-readable format.

    Pull the prior-year DSAR log and confirm every request closed within one month, or that an Article 12(3) extension was issued in writing within the first month with reasons. Late responses without an extension are a reportable failure.
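A way to run the DSAR-log check above mechanically, as an added example that is not part of the original checklist or Manifestly's software. It assumes a constructed pipe-delimited export (id, received, closed, extension-issued), treats "one month" as the same calendar day in the following month clamped to month end (an assumption; confirm your own reading of the deadline rule), and flags a request when it closed late without a valid extension, when the Article 12(3) extension was issued after the first month had already expired, or when it is still open past its deadline:

```python
"""Check a DSAR log against the Article 12(3) one-month response window.

Added example for this checklist; not Manifestly's code. Log format and
the month-end clamping rule are assumptions made for the example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Constructed sample export: id|received|closed|extension_issued
SAMPLE_LOG = """\
DSAR-001|2024-01-15|2024-02-10|
DSAR-002|2024-01-31|2024-03-05|
DSAR-003|2024-03-01|2024-05-20|2024-03-25
DSAR-004|2024-04-10|2024-07-15|2024-05-20
DSAR-005|2024-06-03||
"""


def add_months(d: date, n: int) -> date:
    """Return d moved forward n calendar months, clamped to the month's last day."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Dsar:
    ident: str
    received: date
    closed: date | None
    extension_issued: date | None

    @property
    def deadline(self) -> date:
        """One month after receipt; three months if an extension was issued in time."""
        base = add_months(self.received, 1)
        if self.extension_issued and self.extension_issued <= base:
            return add_months(self.received, 3)
        return base


def parse_log(text: str) -> list[Dsar]:
    """Parse the pipe-delimited export; blank closed/extension fields mean 'none'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, received, closed, ext = line.split("|")
        rows.append(Dsar(ident, date.fromisoformat(received),
                         date.fromisoformat(closed) if closed else None,
                         date.fromisoformat(ext) if ext else None))
    return rows


def find_breaches(rows: list[Dsar], as_of: date) -> dict[str, str]:
    """Map request id -> reason for every request outside the statutory window."""
    findings = {}
    for r in rows:
        first_month = add_months(r.received, 1)
        if r.extension_issued and r.extension_issued > first_month:
            findings[r.ident] = "extension issued after the first month had expired"
        elif r.closed is None and as_of > r.deadline:
            days = (as_of - r.deadline).days
            findings[r.ident] = f"still open {days} days past deadline {r.deadline}"
        elif r.closed is not None and r.closed > r.deadline:
            days = (r.closed - r.deadline).days
            findings[r.ident] = f"closed {days} days late (deadline {r.deadline})"
    return findings


if __name__ == "__main__":
    for ident, reason in find_breaches(parse_log(SAMPLE_LOG), date(2024, 7, 20)).items():
        print(f"{ident}: {reason}")
```

Every hit is a reportable failure unless the file shows a written extension inside the first month, so the output doubles as the exception list for the workpaper.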

Technical and Organizational Security

    Confirm TLS in transit and AES-256 at rest from the vendor's SOC 2 report (TaxDome, SmartVault, ShareFile, Liscio all publish these). Pull the most recent report into the workpaper rather than relying on the marketing page.

    Pull the user list from UltraTax / Lacerte / QBO Accountant and confirm every active user is still employed and assigned to engagements that need access. Departed-staff accounts and shared logins are the recurring findings.

    Walk through a stolen-laptop scenario and a phishing-compromise scenario. Test the 72-hour Article 33 notification timeline to the supervisory authority and the Article 34 notification to data subjects when the breach is high-risk.

    Pull the MDM report (Jamf, Intune) and confirm BitLocker / FileVault enabled on every endpoint with client data. MFA must be enforced on email, the client portal, and the GL — not just opt-in.

Staff Training and Awareness

    Cover the named cases from the past year — phishing attempts, mis-sent tax returns, unauthorized portal access. Concrete incidents land better than abstract principles. New hires get this within their first week, not at the annual cycle.

    Reconcile the LMS roster against the active-employee list from HR. Contractors and seasonal tax-season hires are the usual gap: their access to client data is the same, so the training requirement is the same.

    Suspend portal and tax-software access until training is complete. The HR escalation path applies if a staff member misses the second deadline. Document the suspension and reinstatement so the audit trail is intact.
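The user-list review from the security section (active user still employed, shared logins) and the LMS reconciliation and access-suspension rule in this section are the same set-difference exercise, so one added example covers both. It is not part of the original checklist or Manifestly's software; the HR roster, the application user exports and the LMS completion dates are constructed inputs, and a real UltraTax or QBO Accountant export needs its own column mapping:

```python
"""Reconcile application user lists against HR status and LMS training completions.

Added example for this checklist, not Manifestly's code. All three inputs
are constructed; the 365-day training validity is an assumed policy value.
"""
from __future__ import annotations

from datetime import date, timedelta

# Constructed HR roster: login email -> (status, termination date or None)
HR_ROSTER = {
    "alice@firm.example": ("active", None),
    "bob@firm.example": ("active", None),
    "carol@firm.example": ("terminated", date(2024, 2, 9)),
    "dan@firm.example": ("active", None),
}

# Constructed application user exports: system -> login emails still enabled
APP_USERS = {
    "UltraTax": ["alice@firm.example", "carol@firm.example", "taxseason@firm.example"],
    "QBO Accountant": ["alice@firm.example", "bob@firm.example", "dan@firm.example"],
}

# Constructed LMS export: login email -> date of last privacy-training completion
LMS_COMPLETIONS = {
    "alice@firm.example": date(2024, 1, 20),
    "bob@firm.example": date(2023, 3, 2),
    "carol@firm.example": date(2024, 1, 20),
}

TRAINING_VALIDITY = timedelta(days=365)  # assumed annual-cycle policy


def review_access(hr: dict, apps: dict, lms: dict, as_of: date) -> dict[str, dict[str, str]]:
    """Return {system: {login: finding}} for every account that should not stand as-is.

    Three findings are produced: a login with no HR record (unmatched or shared
    account), a login belonging to departed staff, and an active employee whose
    training is missing or older than TRAINING_VALIDITY (suspend until complete).
    """
    findings: dict[str, dict[str, str]] = {}
    for system, logins in apps.items():
        for login in logins:
            record = hr.get(login)
            if record is None:
                finding = "no HR record: unmatched or shared login, remove or assign a named owner"
            elif record[0] != "active":
                finding = f"departed staff account (left {record[1]}), disable"
            else:
                done = lms.get(login)
                if done is None or as_of - done > TRAINING_VALIDITY:
                    finding = "active user with missing or expired privacy training, suspend until complete"
                else:
                    continue  # employed, training current: nothing to do
            findings.setdefault(system, {})[login] = finding
    return findings


if __name__ == "__main__":
    for system, accounts in review_access(HR_ROSTER, APP_USERS, LMS_COMPLETIONS, date(2024, 6, 1)).items():
        for login, finding in accounts.items():
            print(f"{system}: {login}: {finding}")
```

Keying everything on the login email is what makes the three exports comparable; where a system uses local usernames instead, add a username-to-email mapping before running the comparison, and keep the report with the suspension and reinstatement tickets so the audit trail the item asks for exists.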

Sub-Processors and Transfers

    The sub-processor inventory includes the obvious (TaxDome, QBO, Gusto, Bill.com, Avalara) and the easy-to-miss (Hubdoc, DocuSign, the email-marketing platform, the shred-bin vendor). Each entry needs purpose, data categories, and processing location.

    The DPA must include the Article 28(3) clauses — purpose, duration, sub-processor authorization, confidentiality, security, audit rights. Most major vendors publish a standard DPA; small specialty vendors are where signed copies go missing.

    Request the standard DPA from each gap vendor; if they will not sign, escalate to the partner for a replace-or-accept-the-risk decision. Suspend new data sharing with the vendor until the DPA is countersigned.

    US sub-processors require the 2021 EU Standard Contractual Clauses (Module 2 controller-to-processor) plus a transfer impact assessment per Schrems II. Confirm the vendor is on the latest SCC version, not the pre-2021 form.
