Knowing GDPR’s requirements is one thing; working through them in a sensible order is another. This checklist turns the regulation into twelve concrete steps you can act on and tick off — a practical route to demonstrable GDPR compliance rather than a wall of legal text.
Use the summary table and the sections below to assess where you stand, then download the full checklist to work through each item in detail.
## How to use this checklist
GDPR compliance is broad, but it is not mysterious. This checklist breaks it into twelve practical steps that, worked through in order, will take most organisations from “where do we start?” to a defensible, demonstrable programme. The table below is the summary; the sections that follow explain each item.
| # | Checklist item |
|---|---|
| 1 | Map your data and build a Record of Processing Activities (RoPA) |
| 2 | Establish and document a lawful basis for each activity |
| 3 | Publish a clear, accurate privacy notice |
| 4 | Get consent and cookie banners right |
| 5 | Stand up a data subject rights workflow |
| 6 | Implement appropriate security (Article 32) |
| 7 | Put Data Processing Agreements in place with vendors |
| 8 | Identify transfers and apply a valid mechanism |
| 9 | Create a 72-hour breach response plan |
| 10 | Set retention periods and a deletion process |
| 11 | Run DPIAs for high-risk processing |
| 12 | Appoint a DPO/representative where required & train staff |
### 1. Map your data and build a RoPA
Everything starts with knowing what you have. Map your data: for each system and activity, record what personal data you hold, where it comes from, why, who you share it with, and where it goes. Capture this in a Record of Processing Activities.
You cannot protect, justify or delete data you have never inventoried, so this step underpins every one that follows.
### 2. Establish a lawful basis
For each processing activity, identify and document one of the six lawful bases, and an Article 9 condition for any special category data. Treat consent as a last resort, used only where the activity is genuinely optional.
Recording your basis for each activity makes your privacy notice accurate and your processing defensible.
### 3. Publish a clear privacy notice
Tell people who you are, what data you collect, why, who you share it with, how long you keep it, and how to exercise their rights. Make the privacy notice clear and accessible, not buried in legalese.
Transparency is the gateway to every other right, so this is a high-value, visible step.
### 4. Get consent and cookies right
Where you rely on consent — for marketing or non-essential cookies — make it freely given, specific, informed and unambiguous, with easy withdrawal and proper records. Fix any pre-ticked boxes or imbalanced cookie banners.
Consent done badly invalidates the processing it was meant to authorise, so this step repays attention.
### 5. Stand up a rights workflow
Build a process to handle the eight data subject rights within a month: a way to receive requests, verify identity, find the data, review and redact, and respond. Train staff to recognise and route requests.
A reliable workflow turns rights handling from a fire drill into a routine.
### 6. Implement appropriate security
Apply Article 32 security proportionate to the risk: encryption, access controls, logging, backups, resilience and testing. Document your decisions so you can show they were deliberate and reasonable.
Good security reduces both the chance and the impact of breaches, feeding directly into your breach obligations.
### 7. Put DPAs in place with vendors
For every processor — cloud, SaaS, payroll — sign a Data Processing Agreement under Article 28. Check that vendors only use sub-processors with permission and support you on security, rights and breaches.
Operating without these contracts is itself a breach, so this is a quick win to close off.
### 8. Handle international transfers
Identify where personal data leaves the EU/EEA — often through global cloud services — and apply a valid transfer mechanism such as Standard Contractual Clauses or the EU–US Data Privacy Framework, with a transfer risk assessment where needed.
Most organisations have more transfers than they expect, so map them deliberately.
### 9. Create a breach response plan
Prepare to detect, assess and report breaches. Your plan should let you notify the supervisory authority within 72 hours, notify individuals where the risk is high, and record every incident — with clear roles and escalation.
The 72-hour clock means breach readiness must exist before an incident, not be improvised during one.
### 10. Set retention and deletion
Define retention periods tied to purpose and law, capture them in a retention schedule, and put in place a reliable — ideally automated — process to delete or anonymise data when its period ends.
This satisfies storage limitation and shrinks both your risk and your storage cost.
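As an added illustration of step 10, not code from the page or from ISpectra Technologies, here is a small Python retention-schedule enforcer. The schedule entries, purposes, record fields and sample records are all assumptions constructed for the example. It shows the retention clock starting from the date a purpose ends, the end-of-life action differing by purpose (delete versus anonymise), a legal hold overriding the schedule, records with no schedule entry being flagged for review rather than silently kept or deleted, and an audit trail of every decision that can serve as accountability evidence.

```python
"""Retention schedule enforcement: added example, not the page's own code."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purpose -> (retention period in days, end-of-life action).
# These periods are constructed for illustration; real values come from your
# own retention schedule and the legal obligations behind it.
RETENTION_SCHEDULE: Dict[str, Tuple[int, str]] = {
    "payroll": (6 * 365, "delete"),
    "marketing": (2 * 365, "delete"),
    "support_ticket": (365, "anonymise"),
}

# Reference date used by the sample run below (constructed).
AS_OF = date(2025, 1, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    subject_name: Optional[str]
    subject_email: Optional[str]
    purpose_end: date          # date the purpose was fulfilled; starts the clock
    legal_hold: bool = False   # preservation order or dispute: never delete while set


def retention_expiry(record: Record) -> date:
    """Date after which the record's retention period has run out."""
    days, _ = RETENTION_SCHEDULE[record.purpose]
    return record.purpose_end + timedelta(days=days)


def decide(record: Record, today: date) -> str:
    """Return one of keep / delete / anonymise / hold / review."""
    if record.purpose not in RETENTION_SCHEDULE:
        return "review"      # unknown purpose: flag it, never silently keep or delete
    if record.legal_hold:
        return "hold"        # a legal hold overrides the schedule
    if today < retention_expiry(record):
        return "keep"
    return RETENTION_SCHEDULE[record.purpose][1]


def anonymise(record: Record) -> Record:
    """Strip direct identifiers so the row can be kept for statistics only."""
    return replace(record, subject_name=None, subject_email=None)


def apply_schedule(records: List[Record], today: date) -> dict:
    """Apply the schedule; return surviving rows plus an audit log of decisions."""
    surviving: List[Record] = []
    audit: List[Tuple[str, str]] = []   # (record_id, action) for the accountability trail
    for rec in records:
        action = decide(rec, today)
        audit.append((rec.record_id, action))
        if action == "delete":
            continue                    # dropped from the surviving set
        if action == "anonymise":
            rec = anonymise(rec)
        surviving.append(rec)
    return {"surviving": surviving, "audit": audit}


# Constructed sample data; these are not real individuals.
SAMPLE_RECORDS = [
    Record("p-1", "payroll", "Ada Example", "ada@example.test", date(2018, 6, 30)),
    Record("m-1", "marketing", "Ben Example", "ben@example.test", date(2024, 3, 1)),
    Record("t-1", "support_ticket", "Cai Example", "cai@example.test", date(2023, 11, 15)),
    Record("p-2", "payroll", "Dee Example", "dee@example.test", date(2017, 1, 1), legal_hold=True),
    Record("x-1", "legacy_export", "Eve Example", "eve@example.test", date(2015, 1, 1)),
]

if __name__ == "__main__":
    result = apply_schedule(SAMPLE_RECORDS, AS_OF)
    for record_id, action in result["audit"]:
        print(record_id, action)
```

Run as a script it prints one line per record with the action taken. The audit list is the part worth persisting: it records, for each record, which rule fired and when, which is the evidence the accountability principle asks for. Anonymisation here means dropping the direct identifiers only; whether that is enough to take data outside the scope of personal data depends on what else is in the row, so treat the helper as the hook where your own anonymisation standard plugs in.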
### 11. Run DPIAs for high-risk processing
For high-risk projects — large-scale special category data, extensive profiling, public monitoring — run a DPIA early to identify and reduce risk. Make a short screening step standard for new initiatives.
This is privacy by design in action, and strong evidence of a proactive approach.
### 12. Governance, roles and training
Appoint a DPO or representative where required, assign clear ownership for privacy, and train staff so everyone understands their part. Keep your documentation — records, policies, assessments — current as evidence of accountability.
People and process, not just paperwork, are what keep a programme alive.
## Working through the list
Don’t try to do everything at once. Start with the data map and lawful bases — they unlock the rest — then work down the list, closing the highest-risk gaps first. Treat the checklist as a recurring review, not a one-time project, because processing and risks change.
ISpectra Technologies helps organisations work through exactly this checklist, prioritising the gaps that matter most and building a proportionate, demonstrable programme of GDPR compliance.
## In one paragraph
A practical GDPR checklist has twelve steps: map your data and build a RoPA; establish a lawful basis for each activity; publish a clear privacy notice; fix consent and cookies; stand up a rights workflow; implement Article 32 security; sign DPAs with vendors; handle international transfers; create a 72-hour breach plan; set retention and deletion; run DPIAs for high-risk processing; and put governance, roles and training in place. Start with the data map and lawful bases, close the biggest gaps first, and treat the list as a recurring review rather than a one-off.
## Turning the checklist into a plan
A checklist tells you what to do; a plan tells you when and who. To turn this list into action, score each item against two questions: how big is the risk if we get it wrong, and how far are we from done? Items that are high-risk and far from done — often lawful basis, security, vendor contracts and breach readiness — go to the top of the queue. Low-risk, nearly-complete items can wait.
Assign each item an owner and a target date, and review progress regularly. This converts a daunting twelve-point list into a manageable backlog that a team can actually work through, and it gives leadership a clear, honest view of where the organisation stands. The point is momentum: a programme that closes the two or three most dangerous gaps this quarter is far better off than one waiting for a perfect, all-at-once rollout that never arrives.
## Keep the checklist alive
Finally, do not file the checklist away once you have worked through it. Processing changes constantly — new tools, new campaigns, new markets, new staff — and each change can reopen items you thought were closed. The most effective organisations re-run the checklist on a regular cadence, often annually, and whenever they launch something significant.
Treating it as a living review rather than a one-time project is what separates organisations that stay compliant from those that drift back into risk a year after their initial push. The downloadable version of this checklist is designed for exactly that — a reusable working document you can revisit, update and use to evidence your ongoing diligence.