GDPR compliance checklist

Work through notice, consent, vendor, and incident-response tasks to check your GDPR compliance posture. Each task has an optional note field for a date, an owner, or a link — check items off as you complete them, then export the whole checklist (with your notes) to a branded PDF or a CSV for your records or legal counsel.

Frequently asked questions

What makes a cookie consent banner actually compliant, versus just an accept button?

GDPR (and the ePrivacy Directive it works alongside) requires consent to be freely given, specific, informed and unambiguous, signalled by a clear affirmative act (Article 4(11)); Recital 32 rules out silence, pre-ticked boxes and inactivity as consent, and Article 7(3) requires that withdrawing consent be as easy as giving it. A banner with only an "Accept" button and no equally prominent reject option doesn't meet that bar, because refusing takes more effort than accepting and users who just want the banner gone are steered into consenting. A compliant banner tells the user what the cookies are for, lets them reject non-essential cookies in the same number of clicks as accepting them, sets nothing beyond strictly necessary cookies before a choice is made, and doesn't pre-tick consent boxes for anything else.

Do we actually need a Data Protection Officer?

Article 37 requires a DPO if you are a public authority, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of special category data (health, biometric data used for identification, etc.) or criminal-offence data. Most small SaaS or ecommerce businesses processing ordinary customer data at moderate scale don't strictly require one under the Regulation itself, but national law can set a lower threshold (Germany's BDSG, for example, ties the duty to headcount), and many businesses appoint someone as a compliance point of contact anyway as a practical safeguard. If you're unsure whether your processing counts as "large-scale" or "systematic monitoring," that's a question for legal counsel rather than a judgment call to make internally.

What has to be in a data processing agreement with a vendor?

Article 28(3) sets the minimum contents. A DPA needs to specify what personal data the vendor processes, about whom, for what purpose, and for how long, and what security measures they apply; it must also commit the vendor to process data only on your documented instructions, keep their staff bound by confidentiality, engage sub-processors only with your authorisation and on equivalent terms, assist with data subject requests and breach notifications, delete or return the data when the service ends, and let you audit their compliance. Most established SaaS vendors (payment processors, email platforms, analytics tools) publish a standard DPA you can countersign; the gap most businesses miss is smaller or newer vendors who don't have one ready, which puts the burden on you to request one before sending them any customer data, since Article 28 makes the contract a precondition for using the processor at all.