GDPR Compliance Checklist

Assess your website's or app's GDPR compliance with an interactive checklist

Result
Compliance Score: 0%
Grade: Critical
Items Passed: 0 / 10
Missing Items: Privacy policy, Cookie consent, Processing records, DPO appointment, Breach procedure, Consent management, Data subject rights process, Data minimization, Third-party agreements, Retention policy

About This Tool

Walk through a structured set of questions covering data collection, lawful basis, user rights, third-party processors, breach response, and data-protection-officer obligations. The checklist tracks which items pass, fail, or need review, and gives a rough compliance score at the end.

Use it as a self-audit before a privacy review, or as the starting framework when scoping a real GDPR engagement. The questions are written in plain English with the underlying article references in parentheses, so you can dig into the source text where it matters.

This is a starting point, not a legal opinion. Real GDPR compliance for anything beyond a marketing site needs counsel familiar with your specific data flows and risk profile.

The checklist walks through the operationally relevant articles of the GDPR: Article 6 (lawful basis for processing), Article 7 (consent), Articles 13-14 (notice obligations), Articles 15-22 (data subject rights), Article 28 (processor obligations), Articles 33-34 (breach notification), Articles 35-36 (DPIA), Article 37 (DPO requirement). Each section asks structured yes/no questions and flags the answer that creates a compliance gap. The output is a triaged list: must-fix, should-fix, optional improvement.

Worked example. A SaaS company runs through the checklist. Section 1 (lawful basis): they rely on legitimate interest for analytics. Article 6(1)(f) requires a documented balancing test — the checklist asks whether one exists, and if not, flags it as a gap. Section 4 (data subject rights): the company offers a delete-my-account button but doesn't have a documented process for the right of data portability (Article 20). Flagged. Section 6 (sub-processors): they use AWS, Stripe, and Resend. Each is a processor under Article 28. Are DPAs in place with each? The checklist asks. The output ends with a prioritized punch list and a self-scored compliance percentage based on weighted gaps.

What the checklist explicitly does not do. It doesn't render legal opinions. It doesn't review your specific data flows for GDPR-specific risk (international transfers under Schrems II, DPIAs for high-risk processing, sectoral overlays like ePrivacy). It doesn't substitute for a Data Protection Officer's judgment on edge cases. For a regulated entity, anything more than a marketing site, or anything handling sensitive categories of data (health, biometric, political opinion), real legal review is non-optional.

A practical opinion: most GDPR exposure for small-to-mid SaaS comes from three areas. First, missing or misleading privacy notices — Article 13 requires specific information at the point of collection, and most notices either omit required elements or bury them in dense legalese. Second, sub-processor management — if you use a vendor that processes EU resident data, you need a DPA, you need to disclose them, and you need to verify their compliance posture. Third, consent management for cookies and tracking — if you use anything beyond strictly necessary cookies, you need real prior consent, not implied consent or a pre-checked box. Fix those three and you've handled 80% of the practical risk.

GDPR also applies to non-EU companies that target EU residents (Article 3, extraterritorial scope). If you have any EU customers or visible EU marketing, you're in scope regardless of where your servers live. The checklist's questions are written assuming this — if you've decided you're "not in scope" because you don't have an EU office, double-check your customer base and traffic sources before believing that conclusion.

The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.

Frequently Asked Questions