
GDPR Compliance Checklist

Use this interactive checklist to ensure your website or application is compliant with the General Data Protection Regulation (GDPR).


1. Lawful Basis for Processing

Determine if you process data based on consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Keep internal records showing which lawful basis applies to each type of processing.

If relying on consent, ensure it's freely given, specific, informed, and unambiguous.

2. Privacy Policy

Your policy should explain what data you collect, why, how you use it, and who you share it with.

Link to your privacy policy in your website footer and during account registration.

Avoid legal jargon. Users should understand their rights and how their data is used.

3. Data Subject Rights

Users can request a copy of their personal data in a machine-readable format.

Users can request corrections to inaccurate or incomplete data.

Users can request deletion of their personal data under certain conditions.

Users can limit how you process their data in certain situations.

Users can object to processing based on legitimate interests or direct marketing.

4. Data Security

Use HTTPS/TLS for data in transit and encrypt sensitive personal data at rest; encryption and pseudonymisation are the two measures the GDPR names explicitly in Article 32.

Restrict access to personal data to authorized personnel only, using role-based permissions granted on a least-privilege basis and reviewed when roles change.

Put a process in place for detecting, investigating, and documenting personal data breaches, and for notifying the supervisory authority within 72 hours of becoming aware of one. Affected users must also be informed without undue delay when the breach is likely to result in a high risk to them.

Periodically review and test your security measures and update them as needed.

5. Third-Party Data Processors

Ensure written contracts with vendors who process data on your behalf.

Check that third-party services you use are also GDPR compliant.

Use Standard Contractual Clauses (SCCs), or rely on an adequacy decision, for transfers of personal data outside the EU/EEA.

6. Documentation & Records

Maintain records of processing activities: what data you process, the purposes, the categories of data subjects and recipients, and the retention periods.

Carry out a Data Protection Impact Assessment (DPIA) before starting high-risk processing activities that could impact users' rights and freedoms.

Track when and how users gave consent, and what they consented to.

7. Data Retention & Deletion

Determine how long you need to keep each category of data, and document the period and its justification.

Set up an automated process that deletes (or anonymises) data once its retention period expires, and keep a record of what was removed without retaining the data itself.

Periodically audit stored data to confirm the automated deletion is working and to remove anything that has no documented retention period.
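The three retention items above describe one process: a documented retention schedule, an automated sweep that enforces it, and an audit that catches what the sweep missed. The example below is added here to show that process end to end; it is not code from this page or from any product the page links to. It assumes a single `records` table in SQLite with a `category` column and ISO-8601 UTC timestamps, and the retention periods in `RETENTION_DAYS` are invented for illustration. The sample rows are constructed inline so the script runs offline.

```python
"""Retention sweep: delete personal data whose documented retention period
has expired, record counts (not content) in an audit table, and report
categories that have no retention period on file.

Added example; schema, table names and retention periods are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Documented retention schedule (assumption: illustrative values; a real one
# comes from your records of processing activities).
RETENTION_DAYS = {
    "support_tickets": 365,
    "marketing_consent": 730,
    "access_logs": 90,
}

# Fixed "now" so the sample data and the results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE records (
    id INTEGER PRIMARY KEY,
    category TEXT NOT NULL,
    subject_id TEXT NOT NULL,
    created_at TEXT NOT NULL   -- ISO-8601, UTC
);
CREATE TABLE retention_audit (
    run_at TEXT NOT NULL,
    category TEXT NOT NULL,
    deleted INTEGER NOT NULL
);
"""


def make_sample_db(now):
    """Constructed sample data: per category one record just inside its
    retention period and one just past it, plus a record in a category that
    has no documented retention period at all."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    for cat, days in RETENTION_DAYS.items():
        rows.append((cat, "user-1", (now - timedelta(days=days - 1)).isoformat()))
        rows.append((cat, "user-2", (now - timedelta(days=days + 1)).isoformat()))
    rows.append(("undocumented", "user-3", (now - timedelta(days=1000)).isoformat()))
    conn.executemany(
        "INSERT INTO records (category, subject_id, created_at) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def find_expired(conn, now):
    """Return {category: [ids]} for records older than their retention cutoff.
    All timestamps share one ISO format and offset, so string comparison is safe."""
    expired = {}
    for cat, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        ids = [r[0] for r in conn.execute(
            "SELECT id FROM records WHERE category = ? AND created_at < ?", (cat, cutoff))]
        if ids:
            expired[cat] = ids
    return expired


def undocumented_categories(conn):
    """Categories present in storage with no retention period on file. The sweep
    cannot touch these, so the audit must flag them for a human decision."""
    present = {r[0] for r in conn.execute("SELECT DISTINCT category FROM records")}
    return sorted(present - RETENTION_DAYS.keys())


def sweep(conn, now, dry_run=False):
    """Delete expired records in one transaction and write one audit row per
    category holding only the count of what was removed. Returns the counts."""
    expired = find_expired(conn, now)
    if dry_run:
        return {cat: len(ids) for cat, ids in expired.items()}
    deleted = {}
    with conn:  # commit on success, roll back if any statement fails
        for cat, ids in expired.items():
            conn.executemany("DELETE FROM records WHERE id = ?", [(i,) for i in ids])
            conn.execute("INSERT INTO retention_audit VALUES (?, ?, ?)",
                         (now.isoformat(), cat, len(ids)))
            deleted[cat] = len(ids)
    return deleted


def run_example():
    """Build the sample database, run the audit and the sweep, return outcomes."""
    conn = make_sample_db(SAMPLE_NOW)
    result = {"undocumented": undocumented_categories(conn),
              "planned": sweep(conn, SAMPLE_NOW, dry_run=True),
              "deleted": sweep(conn, SAMPLE_NOW)}
    result["remaining"] = conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]
    result["still_expired"] = find_expired(conn, SAMPLE_NOW)
    return result


if __name__ == "__main__":
    print(run_example())
```

The dry run is what you would schedule first; compare its counts against expectations before enabling deletion. The `undocumented` category is deliberately left alone: a record with no documented retention period is a documentation gap to fix, not something the sweep should guess at.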

Next Steps

Generate Your Privacy Policy

Use our free generator to create a GDPR-compliant privacy policy.

Go to Privacy Policy Generator →

Learn More About GDPR

Visit our legal resources page for guides and best practices.

Browse Legal Resources →


Disclaimer: This checklist is for informational purposes only and does not constitute legal advice. GDPR compliance requirements may vary based on your specific situation. We recommend consulting with a qualified data protection officer or attorney for personalized guidance.