GDPR compliance checklist
Work through notice, consent, vendor, and incident-response tasks to check your GDPR compliance posture. Each task has an optional note field for a date, an owner, or a link — check items off as you complete them, then export the whole checklist (with your notes) to a branded PDF or a CSV for your records or legal counsel.
Frequently asked questions
What makes a cookie consent banner actually compliant, versus just an accept button?
GDPR (and the ePrivacy Directive it works alongside) requires consent to be freely given, specific, and as easy to refuse as to accept — a banner with only an "Accept" button and no equally prominent reject option doesn't meet that bar, because refusing requires more effort than accepting. A compliant banner lets a user reject non-essential cookies in the same number of clicks as accepting them, and doesn't pre-tick consent boxes for anything beyond strictly necessary cookies.
Do we actually need a Data Protection Officer?
Article 37 requires a DPO if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data (health, biometric, etc.) — most small SaaS or ecommerce businesses processing ordinary customer data at moderate scale don't strictly require one, but many appoint someone as a compliance point of contact anyway as a practical safeguard. If you're unsure whether your processing counts as "large-scale" or "systematic monitoring," that's a question for legal counsel rather than a judgment call to make internally.
What has to be in a data processing agreement with a vendor?
A DPA needs to specify what personal data the vendor processes, for what purpose, for how long, and what security measures they apply — plus confirm the vendor will only process data on your documented instructions and will assist with data subject requests and breach notifications. Most established SaaS vendors (payment processors, email platforms, analytics tools) publish a standard DPA you can countersign; the gap most businesses miss is smaller or newer vendors who don't have one ready, which puts the compliance burden on you to request one before sending them any customer data.