The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of individuals in the EU and UK (post-Brexit, UK GDPR aligns closely). This guide provides a practical GDPR compliance checklist so you can build and maintain a defensible program.
GDPR Compliance Checklist
1. Lawful Basis for Processing
For each processing activity, identify a lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Document it. If you rely on consent, ensure it's specific, informed, and withdrawable. If you rely on legitimate interests, complete a Legitimate Interest Assessment (LIA) and document it.
2. Data Mapping (Records of Processing Activities)
You must maintain records of processing activities (Article 30): what data you process, for what purpose, categories of data subjects, retention, recipients, transfers, and safeguards. A data mapping exercise is the foundation. Keep it updated when you add new systems or purposes.
3. Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in high risk to individuals (e.g. profiling, large-scale sensitive data, systematic monitoring), carry out a DPIA. Document the necessity, risks, and mitigating measures. Consult the supervisory authority if residual risk remains high.
4. Breach Notification
You must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where it poses a risk to individuals. Affected individuals must be informed without undue delay when the breach is likely to result in high risk. Have a breach procedure: detect, contain, assess, notify, document.
5. Privacy by Design and by Default
Implement technical and organizational measures (e.g. minimization, pseudonymization, access controls) so that by default only necessary data is processed and only by those who need it. Document how you've built privacy into projects and products.
6. Data Subject Rights
Establish processes to handle requests for access, rectification, erasure, restriction, portability, and objection, as well as rights relating to automated decision-making. Define SLAs (e.g. one month for access requests) and document each response.
7. Vendors and Transfers
If processors (vendors) process personal data on your behalf, you need a contract (Article 28) and appropriate safeguards for transfers outside the EEA/UK (e.g. SCCs, adequacy). Maintain a vendor risk view that includes data protection.
How GRC Software Helps
Scattered policies and ad-hoc evidence make GDPR audits painful. A GRC platform helps you:
- Centralize policies (privacy policy, retention, breach procedure) with version control and attestation.
- Map controls to GDPR articles so you can demonstrate compliance and produce evidence for auditors.
- Maintain audit-ready evidence for processing records, DPIAs, breach logs, and data subject requests.
ActiveERM supports GDPR alongside ISO 27001, SOC 2, and other frameworks—one place for governance, risk, and compliance. See our GRC Cloud and Audit Management pages.