GDPR Compliance Checklist 2026: Step-by-Step Guide

GDPR compliance under Regulation (EU) 2016/679 requires organisations to take documented action across fourteen interlocking areas, from data mapping and lawful basis identification to breach response and ongoing staff training. The accountability principle in Article 5(2) requires controllers to demonstrate compliance at any time, making a systematic, evidence-based approach the baseline obligation.
GDPR compliance is not a one-time project. The General Data Protection Regulation (Regulation (EU) 2016/679) demands documented evidence of compliance, and every change to your processing activities can trigger new obligations. This checklist covers every core compliance area, with references to the relevant GDPR articles, official EDPB guidance, and the most significant recent developments.
Information last verified on 2026-05-19. This article presents general legal information and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your organisation.
Jurisdiction scope: This checklist addresses compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) as it applies in EU and EEA member states. It does not address the UK GDPR (which diverged from EU GDPR after Brexit) or national implementation laws. For a comparison, see GDPR vs UK GDPR. For a foundational overview of the regulation, see What Is GDPR.
The GDPR compliance checklist: an overview
GDPR compliance requires action across fourteen interlocking areas. The sections below address each in turn. Start with data mapping, because every other step depends on knowing what data you hold and why.
| Step | Compliance area | Key articles | Priority |
|---|---|---|---|
| 1 | Data mapping and records of processing | Art. 30 | Foundation |
| 2 | Lawful basis identification | Art. 6 | Critical |
| 3 | Privacy notices and transparency | Art. 12, 13, 14 | Critical |
| 4 | Consent management | Art. 7, 8 | Where consent is the lawful basis |
| 5 | Data subject rights procedures | Art. 15-22 | Critical |
| 6 | DPO appointment | Art. 37-39 | Where required |
| 7 | Data Protection Impact Assessments | Art. 35 | Before high-risk processing |
| 8 | Processor contracts (DPAs) | Art. 28 | Critical |
| 9 | Security measures | Art. 32 | Critical |
| 10 | Breach response plan | Art. 33, 34 | Critical |
| 11 | International transfer safeguards | Chapter V | If data leaves EU/EEA |
| 12 | Data protection by design and default | Art. 25 | Ongoing |
| 13 | Staff training and accountability | Art. 39(1)(b) | Ongoing |
| 14 | Vendor management and ongoing review | Art. 24, 28 | Ongoing |
Step 1: Data mapping and records of processing activities (Article 30)
Before your organisation can comply with the GDPR, it must know what personal data it collects, where that data comes from, where it goes, and why it is processed. Data mapping is the foundation of every other compliance activity. Article 30 then requires this knowledge to be formalised in written records of processing activities (RoPA).
What to document in your data inventory
For each processing activity, record:
- Categories of personal data (names, email addresses, IP addresses, health data, financial records, biometric data)
- Categories of data subjects (customers, employees, website visitors, job applicants)
- Purpose of each processing activity
- Legal basis for processing (see Step 2)
- Storage locations and systems
- Who has access (internal roles and external recipients)
- Retention periods or the criteria for determining them
- Whether data leaves the EU/EEA, and if so, by what transfer mechanism
What controllers must record under Article 30(1)
Article 30(1) requires controllers to maintain written records containing:
- The controller name and contact details (and the DPO contact details, where applicable)
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients, including third countries
- Details of international transfers and the legal mechanism
- Envisaged retention periods
- A general description of technical and organisational security measures
Processors have a parallel obligation under Article 30(2): they must record the categories of processing carried out on behalf of each controller.
The SME exemption and the proposed Digital Omnibus change
Article 30(5) currently excuses organisations with fewer than 250 employees from maintaining a full RoPA, provided the processing is not likely to result in risk to individuals, is only occasional, and does not include special category data. In practice, most organisations process data regularly enough that this exemption rarely applies in full.
The November 2025 Digital Omnibus proposal would raise this threshold to fewer than 750 employees (with financial criteria), subject to the same high-risk carve-out. The EDPB and EDPS, in their Joint Opinion 2/2026, welcomed the simplification objective while recommending that the exemption be tied to the statutory SME and SMC definitions for clarity. This proposal has not entered into force as of the date of this article.

Step 2: Identify the lawful basis for each processing activity (Article 6)
Article 6 of the GDPR requires every processing activity to rest on one of six lawful bases. The basis must be identified before processing begins; switching bases after the fact is not permitted.
The six lawful bases
| Lawful basis | When it applies | Key conditions |
|---|---|---|
| Consent (Art. 6(1)(a)) | Individual opts in voluntarily | Freely given, specific, informed, unambiguous; withdrawable at any time |
| Contract (Art. 6(1)(b)) | Processing is necessary to perform a contract with the individual | Must be necessary, not merely convenient |
| Legal obligation (Art. 6(1)(c)) | Processing is required by EU or member-state law | The specific legal requirement must be identified |
| Vital interests (Art. 6(1)(d)) | Processing is necessary to protect someone's life | Narrow; cannot be used routinely |
| Public task (Art. 6(1)(e)) | Processing is necessary for a task in the public interest | Typically public authorities |
| Legitimate interests (Art. 6(1)(f)) | Processing is necessary for the controller's or a third party's legitimate interests | A documented balancing test is required |
For special categories of data under Article 9 (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, criminal convictions), both an Article 6 lawful basis and a separate Article 9 condition are required.
Many organisations default to consent when legitimate interests or contractual necessity would be more appropriate. Consent creates ongoing management obligations, including tracking, withdrawal mechanisms, and potentially re-consent. For detailed guidance, see GDPR consent requirements.
Step 3: Write clear privacy notices (Articles 12, 13, 14)
Articles 13 and 14 require organisations to provide transparent information to data subjects. The EDPB CEF 2026 enforcement action focuses specifically on transparency and information obligations under Articles 12, 13 and 14, meaning DPAs across all EU member states are actively auditing privacy notices this year.
Required content of a GDPR privacy notice
A compliant privacy notice must include:
- The controller identity and contact details, and the DPO contact details where applicable
- The purposes and lawful basis for each processing activity
- Categories of personal data collected
- Recipients or categories of recipients
- Details of any international data transfers and the safeguards in place
- Retention periods, or the criteria used to determine them
- All eight data subject rights
- The right to lodge a complaint with a supervisory authority
- Whether providing data is a statutory or contractual requirement
- Information about automated decision-making, including profiling, and the logic involved
Where data is collected directly from the individual (Article 13), the notice must be provided at the time of collection. Where data is obtained from a third party (Article 14), notice must be provided within one month. Article 12 requires clear, plain language that is concise, transparent, and easily accessible; a layered approach (short summary with links to detailed sections) works well.
Step 4: Establish a consent management process (Articles 7, 8)
Where consent is the chosen lawful basis, Article 7 imposes specific requirements. Consent that does not meet these requirements is invalid and the processing lacks a lawful basis.
Requirements for valid GDPR consent
"The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." (GDPR, Article 7(1))
Valid consent under Article 7 must be:
- Freely given: no conditioning of a service on consent to unnecessary processing; no power imbalance preventing genuine choice
- Specific: separate consent for each distinct processing purpose; bundled consent is not valid
- Informed: the individual must know who collects the data, for what purpose, and that they can withdraw
- Unambiguous: a clear affirmative act is required; pre-ticked boxes, silence, and inactivity do not constitute consent
- Withdrawable: withdrawal must be as easy as giving consent; continued processing after withdrawal is not permitted
For processing children's personal data, Article 8 requires parental consent for children under 16; member states may lower this to 13.
Consent management infrastructure requirements
- Record the time, mechanism, and text shown at the point of consent for each individual
- Enable withdrawal of consent and trigger downstream suppression in all systems
- Flag when consent was obtained and whether it remains current
- Support re-consent workflows where processing purposes change
- Store consent records in a format that can be produced to the supervisory authority on request
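The five infrastructure requirements above map directly onto a small append-only ledger. The following is an added example, not code from the article or from any consent-management product: an in-memory consent ledger that records the time, mechanism and text shown for each consent, treats withdrawal as its own event and queues it for downstream suppression, marks consents as stale when the registered purpose text changes version, and exports the history in plain form. The purpose registry, the `suppressions` queue and the subject identifiers are constructed for illustration; a real deployment would back the ledger with a database and have downstream systems drain the suppression queue.

```python
# Added example (not from the article): a minimal consent ledger covering the
# infrastructure requirements listed above. In-memory only; purpose registry,
# suppression queue and subject ids are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    purpose_version: int   # version of the purpose text the subject actually saw
    action: str            # "given" or "withdrawn"
    mechanism: str         # how consent was captured, e.g. "web-form-checkbox"
    text_shown: str        # exact wording presented at the point of consent
    recorded_at: datetime


class ConsentLedger:
    """Append-only record of consent events per (subject, purpose)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._purpose_versions: dict[str, int] = {}
        # Downstream systems drain this queue to stop processing after withdrawal.
        self.suppressions: list[tuple[str, str]] = []

    def register_purpose(self, purpose: str, version: int) -> None:
        """Bumping the version marks existing consents for that purpose as stale."""
        self._purpose_versions[purpose] = version

    def record_consent(self, subject_id: str, purpose: str, mechanism: str,
                       text_shown: str, affirmative_act: bool = True,
                       when: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in self._purpose_versions:
            raise KeyError(f"unknown purpose: {purpose}")
        # Article 7: pre-ticked boxes, silence or inactivity are not consent.
        if not affirmative_act:
            raise ValueError("consent requires a clear affirmative act")
        event = ConsentEvent(subject_id, purpose, self._purpose_versions[purpose],
                             "given", mechanism, text_shown,
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, mechanism: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is its own event and is queued for downstream suppression."""
        event = ConsentEvent(subject_id, purpose,
                             self._purpose_versions.get(purpose, 0),
                             "withdrawn", mechanism, "",
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        self.suppressions.append((subject_id, purpose))
        return event

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def is_current(self, subject_id: str, purpose: str) -> bool:
        """True only if the last event is a 'given' for the current purpose text."""
        latest = self._latest(subject_id, purpose)
        return (latest is not None and latest.action == "given"
                and latest.purpose_version == self._purpose_versions.get(purpose))

    def needs_reconsent(self, subject_id: str, purpose: str) -> bool:
        """Consent was given, but the purpose text has changed since then."""
        latest = self._latest(subject_id, purpose)
        return (latest is not None and latest.action == "given"
                and latest.purpose_version < self._purpose_versions.get(purpose, 0))

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Full history in a plain format that can be handed to a supervisory authority."""
        return [
            {"action": e.action, "recorded_at": e.recorded_at.isoformat(),
             "mechanism": e.mechanism, "purpose_version": e.purpose_version,
             "text_shown": e.text_shown}
            for e in self._events
            if e.subject_id == subject_id and e.purpose == purpose
        ]
```

The design point is that consent is never overwritten: `is_current` is derived from the last event and the current purpose version, so both withdrawal and a changed purpose text automatically make the earlier consent unusable, while `evidence` still shows exactly what the individual agreed to and when.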
Step 5: Build data subject rights procedures (Articles 15-22)
The GDPR grants individuals eight rights over their personal data. For a detailed breakdown of each right, see GDPR data subject rights.
The eight rights at a glance
| Right | Article | Core obligation |
|---|---|---|
| Access | 15 | Provide a copy of the data and specified information within one month |
| Rectification | 16 | Correct inaccurate data, and complete incomplete data, without undue delay |
| Erasure | 17 | Delete data when no longer necessary, consent is withdrawn, or objection succeeds |
| Restriction | 18 | Pause processing while accuracy or lawfulness is contested |
| Data portability | 20 | Provide data in a structured, machine-readable format |
| Objection | 21 | Stop processing based on legitimate interests or direct marketing |
| Automated decision-making | 22 | Not be subject to solely automated decisions with significant effects without human review |
Operational checklist for rights procedures
- Assign a team or individual to handle data subject access requests
- Create intake channels and acknowledge receipt promptly
- Build identity verification procedures to prevent unauthorised disclosure
- Map all systems containing personal data so data can be located and compiled quickly
- Document how each right type is handled, including partial responses and refusals
- Track deadlines: standard period is one calendar month; extension to three months is permitted for complex requests, but the individual must be notified within the first month
- Train customer-facing staff to recognise rights requests even when the individual does not use legal terminology
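The deadline rule in the checklist (one calendar month, extendable to three months for complex requests, with the individual told within the first month) is easy to get wrong in a ticketing system. The following is an added example, not code from the article: a small request tracker that computes the standard deadline as the same day of the following month (clamped to month end where that day does not exist, which is an assumption about how "calendar month" is counted), only grants the extension when it is claimed in time for a complex request, and produces an overdue list for a daily report. Request identifiers and dates are constructed.

```python
# Added example (not from the article): deadline bookkeeping for data subject
# rights requests. Request ids and dates are constructed; "calendar month" is
# implemented as the same day of the following month, clamped to month end.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Same day of month, `months` later; clamp when that day does not exist."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class RightsRequest:
    request_id: str
    right: str                          # e.g. "access", "erasure", "portability"
    received: date
    complex_or_numerous: bool = False   # the only ground for the extension
    extension_notified_on: Optional[date] = None
    closed_on: Optional[date] = None

    def standard_deadline(self) -> date:
        return add_months(self.received, 1)

    def deadline(self) -> date:
        # The three-month deadline applies only once the extension was claimed in time.
        if self.extension_notified_on is not None:
            return add_months(self.received, 3)
        return self.standard_deadline()

    def extend(self, notified_on: date) -> None:
        """Claim the extension: complex requests only, and the individual must be
        informed within the first month."""
        if not self.complex_or_numerous:
            raise ValueError("extension is only available for complex or numerous requests")
        if notified_on > self.standard_deadline():
            raise ValueError("extension notice must reach the individual within the first month")
        self.extension_notified_on = notified_on

    def days_remaining(self, today: date) -> int:
        return (self.deadline() - today).days

    def status(self, today: date, warn_days: int = 7) -> str:
        if self.closed_on is not None:
            return "closed-on-time" if self.closed_on <= self.deadline() else "closed-late"
        remaining = self.days_remaining(today)
        if remaining < 0:
            return "overdue"
        if remaining <= warn_days:
            return "due-soon"
        return "open"


def overdue_requests(requests: list, today: date) -> list:
    """Request ids that are still open and past their deadline, for a daily report."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]
```

Keeping the extension as an explicit, dated event (rather than a flag) means the tracker can later show that the individual was informed within the first month, which is the piece of evidence a supervisory authority asks for when a three-month response is questioned.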

Step 6: Appoint a Data Protection Officer where required (Article 37)
Article 37 of the GDPR makes DPO appointment mandatory in three circumstances.
When a DPO is mandatory
A DPO must be appointed when:
- The controller or processor is a public authority or body (courts acting in a judicial capacity are excluded)
- The core activities require large-scale, regular, and systematic monitoring of individuals
- The core activities involve large-scale processing of special categories of data (Article 9) or criminal conviction data (Article 10)
"Core activities" means the principal activities of the organisation, not ancillary HR or IT processing common to all employers. "Large-scale" has no fixed numerical threshold; the EDPB's DPO Guidelines consider the number of data subjects, volume of data, geographical extent, and duration of processing.
DPO requirements under Articles 38-39
The DPO must possess expert knowledge of data protection law, report directly to the highest level of management, operate independently without receiving instructions on how to perform tasks, and be provided with adequate resources and access to processing operations. The DPO may not be dismissed or penalised for performing their duties. The DPO's contact details must be published and communicated to the supervisory authority.
The EDPB 2023 Coordinated Enforcement report on DPOs found that many organisations still fail to give DPOs genuine independence and adequate resources, and assign conflicting tasks that create conflicts of interest.
Step 7: Conduct Data Protection Impact Assessments (Article 35)
A DPIA is required before any processing likely to result in high risk to the rights and freedoms of natural persons. The obligation attaches before processing begins; retrospective DPIAs do not fulfil Article 35.
When a DPIA is always required
A DPIA is mandatory for:
- Systematic and extensive profiling with significant effects on individuals
- Large-scale processing of special category data or criminal conviction data
- Systematic monitoring of publicly accessible areas on a large scale
National supervisory authorities publish their own lists of processing operations that require a DPIA. Check the list published by your lead supervisory authority.
AI systems and DPIAs
The EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024, applies alongside the GDPR wherever AI systems process personal data. The CNIL and EDPB have confirmed that a DPIA under Article 35 GDPR should be presumed necessary for high-risk AI systems (listed in Annex III of the AI Act). The AI Act's technical documentation and data governance requirements under Articles 10 and 11 can feed into the DPIA, provided the DPIA contains all elements required by Article 35(7) GDPR.
What a DPIA must contain under Article 35(7)
- A systematic description of the processing operations and their purposes
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to data subjects' rights and freedoms
- The measures envisaged to address those risks
Where the DPIA reveals high residual risks that cannot be mitigated, the controller must consult the supervisory authority before proceeding (Article 36 prior consultation). DPIAs must be reviewed whenever there is a significant change to the processing.
Step 8: Put processor contracts in place (Article 28)
Where third-party service providers process personal data on your behalf, Article 28 requires a written data processing agreement before processing begins.
Mandatory provisions in an Article 28 DPA
Every processor contract must specify that the processor:
- Processes personal data only on documented instructions from the controller
- Ensures all authorised personnel are bound by confidentiality obligations
- Implements appropriate technical and organisational security measures (Article 32)
- Assists the controller in responding to data subject rights requests
- Assists with DPIAs, prior consultation, breach notification, and security obligations
- Deletes or returns all personal data at the end of the contract, at the controller's choice
- Makes available all information necessary to demonstrate Article 28 compliance and allows audits
- Engages sub-processors only with prior written authorisation from the controller
Vendor assessment checklist
- Audit all existing contracts with vendors that handle personal data
- Confirm DPAs are in place and include all Article 28 mandatory provisions
- Assess vendors' security measures through questionnaires, certifications (ISO 27001, SOC 2 Type II), or audit rights
- Verify whether the vendor transfers data outside the EU/EEA and confirm the legal transfer mechanism
- Review sub-processor lists and procedures for sub-processor changes
- Establish a regular vendor review cycle (at minimum annually, or on any material change)
Step 9: Implement technical and organisational security measures (Article 32)
Article 32 requires appropriate technical and organisational measures to ensure security appropriate to the risk. The measures must be calibrated to the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to individuals.
Measures Article 32 specifically mentions
- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- The ability to restore availability and access to personal data in a timely manner following an incident
- A process for regularly testing, assessing, and evaluating the effectiveness of security measures
Beyond these statutory examples, organisations commonly implement: role-based access controls and the principle of least privilege; multi-factor authentication; network segmentation; vulnerability management and patching schedules; endpoint protection; data loss prevention controls; physical security; and supplier security assessments.
Organisational measures include a documented information security policy, data classification scheme, clear roles and responsibilities, security incident management, and third-party risk management procedures.
Step 10: Build and test a breach response plan (Articles 33, 34)
The GDPR imposes strict timelines for breach notification. Failing to report on time can result in significant fines independent of any fine for the underlying security failure. For a detailed treatment of the notification requirements, see GDPR breach notification 72-hour rule.
The 72-hour notification obligation under Article 33
Under Article 33(1), a controller must notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of a personal data breach. The EDPB has interpreted "aware" as when the controller has a reasonable degree of certainty that a security incident has occurred affecting personal data.
Notifications under Article 33(3) must include: the nature of the breach and approximate number of data subjects and records affected; the DPO contact details; the likely consequences of the breach; and the measures taken or proposed to address it.
The Article 34 obligation to notify affected individuals
Where a breach is likely to result in high risk to affected individuals, the controller must notify those individuals without undue delay. Article 34(3) provides limited exceptions where the data was encrypted or rendered unintelligible, subsequent measures have made high risk unlikely, or individual notification would require disproportionate effort (in which case a public communication may substitute).
Processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). Processor contracts should specify a contractual timeframe, typically 24 to 48 hours.
Breach response operational checklist
- Implement technical detection controls: intrusion detection, log monitoring, and anomaly alerting
- Establish a breach response team with defined roles, an escalation path, and a clear definition of organisational "awareness"
- Create a breach assessment template to evaluate risk to data subjects
- Prepare notification templates for the supervisory authority and affected individuals
- Maintain a breach register documenting all incidents, including those below the notification threshold
- Test the breach response procedure through tabletop exercises at least annually
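The breach assessment template and the breach register in the checklist above have to answer the same few questions for every incident: is the supervisory authority notified, by when, and are individuals notified directly, by public communication, or not at all. The following is an added example, not code from the article or any named tool, showing that decision logic as a function over a breach record, with the 72-hour clock started at the moment of "awareness" as the checklist defines it. Incident identifiers, timestamps and the three-level risk outcome (`"unlikely"`, `"risk"`, `"high"`) are constructed; the "unless unlikely to result in a risk" threshold for supervisory-authority notification and the requirement to give reasons for a late notification come from the text of Article 33(1).

```python
# Added example (not from the article): classify a breach record into its
# Article 33/34 obligations and track the 72-hour clock from "awareness".
# Incident ids, timestamps and the risk-level vocabulary are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RISK_LEVELS = ("unlikely", "risk", "high")   # outcome of the assessment template
SA_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime                    # when the controller reached reasonable certainty
    risk_to_individuals: str              # one of RISK_LEVELS
    data_unintelligible: bool = False     # Art. 34(3)(a): encrypted or otherwise unintelligible
    risk_since_mitigated: bool = False    # Art. 34(3)(b): later measures make high risk unlikely
    direct_notice_disproportionate: bool = False  # Art. 34(3)(c): public communication instead


def sa_deadline(record: BreachRecord) -> datetime:
    """72 hours from awareness, not from the start of the incident."""
    return record.aware_at + SA_WINDOW


def hours_remaining(record: BreachRecord, now: datetime) -> float:
    return (sa_deadline(record) - now) / timedelta(hours=1)


def obligations(record: BreachRecord) -> dict:
    if record.risk_to_individuals not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {record.risk_to_individuals}")
    # Art. 33(1): notify the supervisory authority unless the breach is
    # unlikely to result in a risk to individuals.
    notify_sa = record.risk_to_individuals != "unlikely"
    # Art. 34: individuals are notified only for high risk, subject to 34(3).
    if record.risk_to_individuals != "high":
        individuals = "not-required"
    elif record.data_unintelligible or record.risk_since_mitigated:
        individuals = "not-required"
    elif record.direct_notice_disproportionate:
        individuals = "public-communication"
    else:
        individuals = "direct-notification"
    return {
        "register_entry": True,   # every incident goes in the breach register
        "notify_sa": notify_sa,
        "sa_deadline": sa_deadline(record) if notify_sa else None,
        "notify_individuals": individuals,
    }


def register_row(record: BreachRecord, now: datetime,
                 sa_notified_at: Optional[datetime] = None) -> dict:
    """One breach-register row with the live state of the SA clock."""
    duties = obligations(record)
    deadline = duties["sa_deadline"]
    if not duties["notify_sa"]:
        clock = "no-notification-required"
    elif sa_notified_at is not None:
        clock = "notified-on-time" if sa_notified_at <= deadline else "notified-late"
    else:
        clock = "overdue" if now > deadline else "running"
    return {
        "incident_id": record.incident_id,
        "sa_clock": clock,
        "hours_remaining": hours_remaining(record, now) if clock == "running" else None,
        # Art. 33(1): a notification after 72 hours must give reasons for the delay.
        "reasons_for_delay_required": clock == "notified-late",
        **duties,
    }
```

Two things this makes explicit that templates often leave implicit: an incident assessed as "unlikely to result in a risk" still gets a register entry, and the Article 34(3) exceptions remove the duty to notify individuals without touching the duty to notify the supervisory authority.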
Step 11: Put international data transfer safeguards in place (Chapter V)
Transfers of personal data to countries outside the EU/EEA are only permitted where one of the Chapter V mechanisms is in place.
Transfer mechanisms
| Mechanism | When to use |
|---|---|
| Adequacy decision (Art. 45) | Transferring to a country the Commission has found adequate (examples: Japan, Republic of Korea, UK, US under the EU-US Data Privacy Framework) |
| Standard Contractual Clauses (Art. 46(2)(c)) | Most common mechanism for countries without adequacy; Commission adopted revised SCCs in June 2021 |
| Binding Corporate Rules (Art. 47) | Approved intra-group mechanism for multinational organisations |
| Specific derogations (Art. 49) | Narrow exceptions for occasional transfers where no other mechanism is available |
Transfer impact assessments
When relying on SCCs or BCRs, EDPB Recommendations 01/2020 require a transfer impact assessment to evaluate whether the recipient country's laws provide essentially equivalent protection to EU law. The assessment must consider surveillance laws, government access rights, available legal remedies, and the track record of public authorities in the destination country. Adequacy decisions should be monitored: the Court of Justice has previously invalidated adequacy decisions, and the EU-US Data Privacy Framework remains subject to ongoing legal challenges.
Step 12: Embed data protection by design and by default (Article 25)
Article 25 requires controllers to implement data protection principles from the earliest stages of any new processing activity or system (by design) and to ensure that only the minimum necessary data is processed for each purpose (by default).
Data protection by design in practice
- Include a data protection review as a mandatory gate in your project management or product development process
- Build access controls, encryption, and pseudonymisation into system architecture from the start
- Select technologies that minimise data exposure
- Document design decisions and the privacy trade-offs considered
Data protection by default in practice
Default settings must be the most privacy-protective available. Practical measures include: minimum-fields data collection forms; opt-in rather than opt-out defaults for non-essential processing; automatic deletion after the retention period; role-based access controls; and privacy-preserving defaults in analytics and tracking configurations.
Step 13: Staff training and accountability (Article 39(1)(b))
Article 39(1)(b) lists staff awareness training as one of the DPO's mandatory tasks. The accountability principle under Article 5(2) requires organisations without a mandatory DPO to demonstrate training as well. Enforcement decisions frequently cite inadequate staff training as an aggravating factor.
Training programme requirements
- Provide baseline GDPR training to all staff who handle personal data, before they begin processing and refreshed at least annually
- Deliver role-specific training for high-risk functions: HR, marketing, IT and development, customer service
- Train staff on your organisation's specific privacy notices, lawful bases, retention policies, and breach reporting procedures
- Document all training: who attended, date, format, and content
- Assess competency, not just attendance
Organisations that perform consistently well in regulatory audits embed data protection into their culture through visible leadership commitment, privacy champions in each department, clear escalation paths for privacy concerns, and regular internal communications reinforcing privacy expectations.
Step 14: Vendor management and ongoing review (Articles 24, 28)
Article 24 requires controllers to implement appropriate measures and to be able to demonstrate compliance on an ongoing basis. Compliance programmes need regular review cycles, not just initial implementation.
Ongoing compliance review framework
- Annual compliance audit: review your RoPA, privacy notices, consent records, DPAs, and security measures at least once per year, or when any material change in processing occurs
- DPIA reviews: revisit DPIAs whenever the nature, scope, context, or purpose of the processing changes significantly
- Vendor reviews: reassess processors at regular intervals; review sub-processor lists, certifications, and transfer mechanisms; monitor for vendor security incidents
- Legislative monitoring: track EDPB guidelines, national DPA guidance, CJEU judgments, and developments including the Digital Omnibus legislative process
- Incident reviews: after any security incident, conduct a post-incident review and update procedures, controls, and training accordingly
Accountability documentation
Maintain a compliance file containing: your RoPA; DPIAs and their review history; DPA contracts; consent records and withdrawal logs; staff training records; security assessments; breach register; and DPO appointment documentation. These records form the evidence base if a supervisory authority initiates an investigation.
Recent developments: the EU AI Act and the November 2025 Digital Omnibus
The EU AI Act and GDPR compliance
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in phases. Prohibitions on unacceptable-risk AI systems applied from 2 February 2025. Obligations for general-purpose AI model providers applied from 2 August 2025. Most obligations for high-risk AI systems apply from 2 August 2026.
Article 2(7) of the AI Act expressly confirms that EU data protection law remains fully applicable to all processing of personal data in the lifecycle of AI systems. The EDPB, in Statement 3/2024, confirmed that data protection authorities retain their full supervisory role under the GDPR even where the AI Act creates parallel obligations.
For organisations developing or deploying AI systems that process personal data:
- Processing personal data to train AI models requires a lawful basis under Article 6 GDPR (and Article 9 for special category data)
- High-risk AI systems (Annex III of the AI Act) that process personal data should be treated as requiring a DPIA under Article 35 GDPR; the AI Act's technical documentation can feed into the DPIA provided all Article 35(7) elements are present
- AI Act Article 10 data governance requirements for high-risk AI systems, which address data quality and bias examination, are complementary to the GDPR's data minimisation and accuracy principles
The CNIL has published detailed recommendations on GDPR compliance for AI system development, covering lawful bases for training data, data minimisation in model development, data subject rights for individuals whose data is used in training, and privacy by design in model architecture.
The November 2025 Digital Omnibus proposal
On 19 November 2025, the European Commission published the Digital Omnibus package, proposing amendments to the GDPR, ePrivacy Directive, NIS2 Directive, Data Act, and EU AI Act. The proposed GDPR amendments are in the EU legislative process and are not yet in force.
Key proposed GDPR changes in the Digital Omnibus include:
- Raised Article 30(5) threshold: the SME RoPA exemption would rise from fewer than 250 to fewer than 750 employees (with financial criteria), conditional on the processing not posing high risk
- AI training as legitimate interest: a clarification that processing personal data for the development and deployment of AI systems can constitute a legitimate interest under Article 6(1)(f), subject to necessity, proportionality, and appropriate safeguards
- Revised definition of personal data: information would not constitute personal data for an entity that does not have means reasonably likely to be used to identify the individual, or where identification is legally prohibited or would require disproportionate effort
- Cookie and tracking rule changes: amendments to ePrivacy rules to reduce consent-fatigue from cookie banners
The EDPB and EDPS issued Joint Opinion 2/2026 welcoming the record-keeping simplification while raising concerns about the personal data redefinition and its compatibility with the EU Charter of Fundamental Rights. Privacy advocacy organisations have criticised several provisions. Organisations should monitor the process but not adjust compliance programmes on the basis of the proposal until it is enacted.
Disclaimer
This article presents general legal information about the General Data Protection Regulation (Regulation (EU) 2016/679) and related EU legislation as it stood on 2026-05-19. It does not constitute legal advice and does not create a lawyer-client relationship. Compliance requirements depend on your specific processing activities, sector, size, and the member states in which you operate. Consult a qualified data protection lawyer or certified privacy professional licensed in the relevant jurisdiction before making compliance decisions. The November 2025 Digital Omnibus proposals referenced in this article are legislative proposals and have not entered into force.
Authorities cited
- General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. https://eur-lex.europa.eu/eli/reg/2016/679/oj
- European Data Protection Board (EDPB). https://edpb.europa.eu/edpb_en
- European Commission, Data Protection in the EU. https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en
- European Commission, When Is a DPIA Required? https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/when-data-protection-impact-assessment-dpia-required_en
- European Commission, DPO Requirements. https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/data-protection-officers/does-my-companyorganisation-need-have-data-protection-officer-dpo_en
- EDPB, Guidelines on DPIAs and High-Risk Processing. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/data-protection-impact-assessments-high-risk-processing_en
- EDPB, Article 30 Records of Processing Activities. https://www.edpb.europa.eu/gdpr-articles/article-30-records-processing-activities_en
- EDPB, Article 33 Breach Notification to Supervisory Authority. https://www.edpb.europa.eu/gdpr-articles/article-33-notification-personal-data-breach-supervisory-authority_en
- EDPB, Coordinated Enforcement Report: DPOs (January 2024). https://www.edpb.europa.eu/system/files/2024-01/edpb_report_20240116_cef_dpo_en.pdf
- European Commission, What Is a Personal Data Breach? https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en
- ICO, When Do We Need to Do a DPIA? https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/
- ICO, How Do We Document Our Processing Activities? https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/
- European Commission, Principles of the GDPR. https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/principles-gdpr_en
- EU AI Act, Regulation (EU) 2024/1689. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- European Commission, AI Act Enters Into Force (1 August 2024). https://commission.europa.eu/news-and-media/news/ai-act-enters-force-2024-08-01_en
- EDPB Statement 3/2024 on DPA Role in AI Act Framework. https://www.edpb.europa.eu/news/news/2024/edpb-adopts-statement-dpas-role-ai-act-framework-eu-us-data-privacy-framework-faq_en
- European Commission, Digital Omnibus Regulation Proposal (19 November 2025). https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
- EDPB and EDPS, Joint Opinion 2/2026 on the Digital Omnibus. https://www.edpb.europa.eu/news/news/2026/digital-omnibus-edpb-and-edps-support-simplification-and-competitiveness-while_en
- EDPB and EDPS, Targeted Modifications of the GDPR: Record-Keeping Simplification. https://www.edpb.europa.eu/news/news/2025/targeted-modifications-gdpr-edpb-edps-welcome-simplification-record-keeping_en
- EDPB, CEF 2026: Coordinated Enforcement on Transparency and Information Obligations. https://www.edpb.europa.eu/news/news/2026/cef-2026-edpb-launches-coordinated-enforcement-action-transparency-and-information_en
- CNIL, AI System Development: Recommendations to Comply with the GDPR. https://www.cnil.fr/en/ai-system-development-cnils-recommendations-to-comply-gdpr
- EDPB, Guidelines on the Interplay Between the DSA and the GDPR. https://www.edpb.europa.eu/news/news/2025/interplay-between-dsa-and-gdpr-edpb-adopts-guidelines_en
Related articles
- What Is GDPR: a comprehensive overview of the regulation
- GDPR Data Subject Rights: detailed guidance on all eight individual rights
- GDPR Consent Requirements: valid consent standards and management obligations
- GDPR Breach Notification 72-Hour Rule: breach reporting requirements in full
- GDPR for Small Businesses: SME-specific guidance including the proposed Digital Omnibus changes
- EU Data Privacy Laws: the complete EU data protection hub
Last updated: 2026-05-19. Statutes and guidance cited reflect their in-force version as of 2026-05-19. The Digital Omnibus proposals referenced are legislative proposals as of 19 November 2025 and have not yet entered into force.
Frequently Asked Questions
What is the first step in GDPR compliance?
The first step is conducting a data mapping exercise and building your records of processing activities under Article 30. You need to identify every category of personal data your organisation collects, where it comes from, how it is processed, who has access, and where it is stored. Without a complete picture of your data flows, you cannot properly identify lawful bases, write accurate privacy notices, or implement appropriate security measures.
Do all organisations need a Data Protection Officer?
No. A DPO is mandatory only for public authorities, organisations whose core activities require large-scale regular and systematic monitoring of individuals, and organisations that process special category data (health, biometric, criminal conviction data) on a large scale (Article 37 GDPR). Many organisations appoint a DPO voluntarily. If you designate a DPO, whether required or voluntary, the full GDPR rules on independence, resources, and protection from dismissal apply.
How often should GDPR compliance be reviewed?
GDPR compliance requires continuous maintenance. Records of processing should be updated whenever processing changes. DPIAs must be reviewed when the nature, scope, or purpose of processing changes significantly. Privacy notices should be updated when new processing is introduced. Staff training should be refreshed at least annually. Most organisations conduct a comprehensive compliance audit once a year and trigger interim reviews on material operational changes.
When is a Data Protection Impact Assessment required?
A DPIA is required before any processing likely to result in high risk to individuals' rights and freedoms (Article 35 GDPR). It is always required for systematic profiling with significant effects, large-scale processing of special category data, and large-scale systematic monitoring of public areas. National supervisory authorities publish additional lists of operations requiring DPIAs. For deployers of high-risk AI systems under the EU AI Act, the CNIL and EDPB have confirmed a DPIA should be presumed necessary.
What must be included in a GDPR privacy notice?
A privacy notice must include the controller identity and contact details, DPO contact details where applicable, purposes and lawful basis for processing, categories of data collected, recipients, retention periods, international transfer details, all eight data subject rights, the right to complain to a supervisory authority, and information about automated decision-making. The notice must use clear, plain language (Article 12 GDPR). The EDPB CEF 2026 enforcement action focuses specifically on privacy notices under Articles 12, 13 and 14.
What are the GDPR penalties for non-compliance?
GDPR fines reach up to EUR 20 million or 4% of global annual turnover (whichever is higher) for violations of core principles, data subject rights, and international transfer rules. Lower-tier fines of up to EUR 10 million or 2% of turnover apply to administrative violations including failure to maintain Article 30 records or appoint a required DPO. Supervisory authorities can also issue warnings, reprimands, and processing bans. See GDPR fines and penalties for enforcement data and case examples.
What must processor contracts include under Article 28?
Article 28 data processing agreements (DPAs) must specify: subject matter, duration, nature, and purpose of processing; types of personal data and categories of data subjects; obligations for the processor to act only on documented controller instructions; staff confidentiality obligations; security measures; assistance with data subject rights and breach notification; deletion or return of data at contract end; audit rights; and sub-processing conditions requiring prior written authorisation.
How does the EU AI Act affect GDPR compliance?
The EU AI Act (Regulation (EU) 2024/1689) applies alongside the GDPR wherever AI systems process personal data. Article 2(7) of the AI Act expressly preserves GDPR obligations in full. For high-risk AI systems listed in Annex III, deployers should treat a DPIA as presumptively required under Article 35 GDPR. The November 2025 Digital Omnibus proposal includes a clarification that processing for AI development can constitute a legitimate interest, but that proposal is not yet law.
What does the November 2025 Digital Omnibus proposal change for GDPR?
The Digital Omnibus, published on 19 November 2025, proposes to raise the Article 30(5) SME record-keeping exemption from fewer than 250 to fewer than 750 employees; clarify that AI training can constitute a legitimate interest under Article 6(1)(f); narrow the definition of personal data for entities that cannot identify the individual; and adjust online tracking consent rules. These are proposals under legislative negotiation, not yet in force.
What is a transfer impact assessment and when is it required?
A transfer impact assessment (TIA) is an analysis of whether the legal framework in a third country provides essentially equivalent protection to EU law, required when relying on Standard Contractual Clauses or Binding Corporate Rules for international data transfers under Chapter V GDPR. EDPB Recommendations 01/2020 provide the methodology. The TIA must examine surveillance laws, government access rights, available legal remedies, and the track record of public authorities in the destination country.