Since it took effect in 2018, the General Data Protection Regulation (GDPR) has been the benchmark for data protection worldwide. The terrain has only become more challenging since. In 2025, TikTok faced a €530 million fine for transferring European user data to China without adequate safeguards. Similarly, LinkedIn was penalized €310 million for processing personal data without a proper legal basis. These aren’t isolated incidents; they’re cautionary tales that highlight the cost of non-compliance.
But the landscape isn’t static. In 2024, the European Data Protection Board introduced new guidelines on legitimate interest and data transfers to third countries. Additionally, the Council of the European Union agreed on enhanced cooperation procedures between national data protection authorities to streamline enforcement. These changes aim to make GDPR enforcement more consistent and efficient across the EU.
For organizations, this means the path to compliance requires continuous vigilance. It’s not just about avoiding fines; it’s about building trust and demonstrating a commitment to data protection. In the following sections, we’ll provide a comprehensive checklist to help you navigate the complexities of GDPR and ensure your organization remains on the right track.
What is GDPR?
GDPR compliance means following the rules set by the European Union’s General Data Protection Regulation. It applies to any organization that collects or processes the personal data of individuals located in the European Economic Area (EEA), including citizens, residents, and even temporary visitors, regardless of the organization’s location.
GDPR applies to more than just EU-based companies. It covers any business that handles the personal data of individuals in the EEA, which comprises 30 countries — the 27 EU member states plus Norway, Iceland, and Liechtenstein.
The regulation protects “data subjects” by giving them control over their personal data and holding organizations accountable. Each EU member state has a supervisory authority that enforces these rules and issues penalties for non-compliance. Fines can reach up to €20 million or 4 percent of global revenue, whichever is higher.
GDPR sets out key principles such as lawfulness, transparency, and data minimization. It also imposes specific requirements in individual Articles, such as Article 32, which requires appropriate technical and organizational security measures, encryption among them, to protect personal data.
A GDPR checklist helps you meet these expectations in a clear, structured way. It ensures you don’t miss critical steps like consent management, data access requests, or breach notifications.
Who needs GDPR and why?
If your organization handles the personal data of individuals in the EEA, GDPR isn’t optional — it’s your operational playbook.
You are required to comply with GDPR if:
- You offer goods or services to people in the EEA, even without charging money
- You monitor the behavior of EEA residents, such as through tracking cookies
- You process data on behalf of a company based in the EEA
If your business interacts with EEA data in any of these ways, GDPR compliance is not optional.
The regulation defines two main roles:
- Data controllers, who decide why and how personal data is processed. For example, a company collecting user emails for a product launch is acting as the controller.
- Data processors, who carry out processing on the controller’s behalf, such as cloud service providers or payroll vendors.
Both roles carry responsibilities. Controllers must ensure lawful processing, obtain valid consent, and honor data subject rights. Processors are expected to protect the data they handle, follow documented instructions, and alert controllers to any breaches.
In short, GDPR doesn’t just follow the business — it follows the data. Whether you’re a startup, a global enterprise, a service provider, or anything in between, if you interact with EEA personal data, you’re part of the GDPR equation. And the stakes are too high to treat it like an afterthought.
What are the key components of GDPR compliance?

Think of these components as the pillars that hold up your GDPR compliance program. They’re not just theoretical ideas; they form the foundation of every practical checklist. If you’re building a roadmap to stay on the right side of the law, this is where the journey begins.
Each component maps back to specific GDPR Articles and requirements, helping you turn legal text into real-world action. Here’s what makes up the core:
- Lawful basis for processing
You must have a valid legal reason for collecting and using personal data — consent, contract, legal obligation, vital interests, public task, or legitimate interest (Article 6). No legal basis, no processing.
- Transparency and communication
Data subjects have the right to know how their data is being used. Your privacy notices must be clear, accessible, and honest about what you collect, why, and how long you keep it (Articles 12–14).
- Data subject rights
GDPR gives individuals strong rights, including the right to access, correct, delete, restrict, or move their data (Articles 15–22). You need processes to handle these requests promptly.
- Security of processing
Article 32 requires technical and organizational measures to keep personal data safe. This includes everything from role-based access controls to end-to-end encryption and breach detection systems.
- Accountability and documentation
You must be able to prove you’re complying. That means keeping records of processing activities (Article 30), conducting Data Protection Impact Assessments (Article 35), and appointing a Data Protection Officer if required.
- Third-party and processor management
If others process data on your behalf, you’re responsible for ensuring they meet GDPR standards too. This requires clear contracts and ongoing oversight (Article 28).
- Breach notification
If a personal data breach occurs, you may need to report it to the supervisory authority within 72 hours of becoming aware of it, and possibly inform the affected individuals as well (Articles 33 and 34).
None of these is just a checkbox; each is part of a larger choreography. Together, they help you treat personal data not as a commodity, but as a responsibility. That mindset is the difference between surface-level compliance and true data stewardship.
What does a GDPR compliance checklist consist of?
A GDPR compliance checklist helps you turn legal requirements into actionable steps. Whether you’re preparing for a GDPR audit or building a baseline for your organization, a checklist breaks complex rules down into bite-sized, manageable tasks.
It brings together the regulation’s key requirements and helps you stay aligned with data protection expectations across systems, processes, and teams. If your website collects user data, or if your SaaS product has users in the EU, consider this your essential toolkit for GDPR website compliance, email compliance, and more.
Here’s what to include in your checklist:
1. Identify your lawful basis for processing
Determine the reason you’re collecting and using personal data. Make sure this is documented and mapped to Article 6. No basis, no business.
2. Update your privacy policy
Draft a GDPR privacy policy that’s clear, jargon-free, and honest about how you collect, use, and store data. It should reflect your actual practices and cover everything required under Articles 12–14.
3. Document all data flows
Maintain a record of processing activities (ROPA) to know what data you collect, where it comes from, who accesses it, and where it’s stored. This supports both privacy compliance and audit readiness.
4. Review your data subject rights process
Have workflows to handle data subject requests like access, deletion, and correction. These are core GDPR controls that demonstrate your respect for user rights.
5. Embed privacy by design
Integrate GDPR’s privacy-by-design principles into your development cycle. This means considering privacy from day one, not as an afterthought.
6. Conduct a GDPR assessment
Run internal reviews to evaluate your organization’s level of compliance. This includes everything from consent management to breach response readiness.
7. Implement security controls
Article 32 calls for technical and organizational safeguards. Use end-to-end encryption, strong access control, and monitoring. Also, schedule regular GDPR testing or audits to detect weak links.
8. Review third-party contracts
Ensure every vendor or processor handling personal data has GDPR-aligned terms in place. This protects your organization and supports privacy compliance.
9. Train your employees
Make GDPR training part of onboarding and continuous education. Everyone who handles personal data should understand their responsibilities under the regulation.
10. Check your email practices
Bring your email practices in line with GDPR. This includes obtaining proper consent for marketing emails, offering a working unsubscribe option in every message, and not retaining email addresses longer than necessary.
11. Prepare for breach response
Have an incident response plan in place. You must notify the supervisory authority within 72 hours of becoming aware of a breach, and you may also have to inform the affected data subjects.
12. Run a GDPR vulnerability assessment
Look for technical gaps or policy blind spots. Regular assessments ensure you aren’t caught off guard during a GDPR audit or penetration test.
A well-built checklist isn’t just for passing an audit; it’s how you stay ahead of risk. Use it to guide your GDPR testing, sharpen your privacy controls, and ensure data protection isn’t a siloed effort. In the end, compliance is less about paperwork and more about earning trust — one checkbox at a time.
Can the same GDPR checklist be followed for companies in the US?
Yes — US companies can and should follow the same GDPR checklist, with one caveat: a few obligations, such as appointing an EU representative, depend on your specific situation. Contrary to popular myth, GDPR isn’t bound by borders. It follows the data.
The core requirements don’t change based on geography. Whether you’re in San Francisco or Stockholm, if you’re processing personal data of individuals in the EEA, you’re expected to meet the same privacy compliance standards, including lawful processing, data subject rights, a GDPR-compliant privacy policy, and privacy by design.
What are the GDPR compliance requirements for US companies?
When it comes to GDPR, geography doesn’t offer immunity. US companies that handle the personal data of individuals in the EEA are just as accountable as their EU-based counterparts. Whether you’re selling products, offering free services, or simply running analytics on your website, GDPR kicks in the moment you interact with EU personal data.
For US companies, meeting GDPR compliance requirements isn’t just about avoiding fines. It’s about showing international partners and customers that data protection is built into your business, not bolted on as an afterthought.
Here’s what you need to cover:
- Determine if GDPR applies to you
- Appoint an EU representative (if required)
- Establish a lawful basis for processing
- Update your privacy policy
- Enable and honor data subject rights
- Implement privacy by design
- Ensure data security
- Review third-party contracts
- Prepare for breach notification
- Conduct regular GDPR assessments
What are some best practices for GDPR compliance?

Following the rulebook is good. But adopting best practices? That’s how you move from reactive to proactive. These aren’t just compliance checks — they’re the habits that help organizations build trust, reduce risk, and stay ahead of audits, assessments, and privacy pitfalls.
Here are some tried-and-tested best practices to keep your GDPR program healthy and evolving:
1. Treat privacy as a team sport
Make data protection everyone’s responsibility — not just legal or IT. Bring product, marketing, HR, and operations into the loop. Use GDPR training to build awareness across roles.
2. Make your privacy policy readable
Skip the legalese. A clear, concise, and honest GDPR privacy policy builds user trust and reduces complaints. Add visuals or FAQs if it helps people understand how their data is used.
3. Embed privacy by design
Bake privacy into product development from day one. If your dev team is pushing code, make sure privacy considerations are part of every sprint and release cycle.
4. Keep a real-time data inventory
Know what personal data you collect, why you collect it, where it lives, and who has access. Update your data maps regularly, especially when adding new tools or vendors.
5. Run periodic GDPR assessments
Don’t wait for an audit to find gaps. Schedule internal GDPR testing, policy reviews, and vulnerability assessments at least once a year, and more often if you’re scaling quickly.
6. Review your third-party ecosystem
Vendors, plugins, and processors can be weak links. Perform due diligence before onboarding and make sure contracts include clear GDPR controls and breach notification terms.
7. Build for consent and choice
Whether it’s cookies, sign-ups, or marketing emails, make consent explicit and easy to manage. Review your opt-ins and align them with GDPR email compliance guidelines.
Which industries or professions fall under GDPR compliance?
If your work involves collecting, storing, or using personal data from individuals in the EEA, then GDPR has a seat saved for you, regardless of your industry or size.
It’s not just tech giants or financial institutions that need to pay attention. GDPR applies across the board, because personal data flows through nearly every profession today. Here’s a glimpse of who’s in scope:
- Software providers and SaaS platforms — who collect user sign-ups, track in-app behavior, or manage client data
- Marketers and advertisers — who use analytics, cookies, or email campaigns to reach audiences in the EEA
- Accountants and financial consultants — who handle personal and financial records on behalf of clients
- Schools and universities — who manage student records, health data, and emergency contacts
- Hospitals and healthcare providers — who process highly sensitive health information
- E-commerce businesses — who collect shipping addresses, payment details, and browsing history
- HR departments and recruiters — who handle employee records, background checks, and internal systems
- Small businesses and nonprofits — who might collect data through forms, donations, or mailing lists
In short, if you collect names, emails, photos, IP addresses, or even behavioral data from EEA residents, GDPR applies to you. It doesn’t matter if you’re a multinational corporation or a three-person startup. Data is data — and GDPR is watching.
How can Scrut help you in GDPR compliance?
Scrut simplifies GDPR implementation by turning complex requirements into clear, manageable steps. Whether you’re building a GDPR compliance plan from scratch or fine-tuning an existing one, Scrut brings structure, automation, and visibility to your entire privacy program.
With Scrut, you get:
- A complete library of 1400+ pre-mapped GDPR controls
- Automated evidence collection through 100+ integrations
- Ready-to-use policy templates and assessment workflows
- Centralized dashboards to manage and track compliance progress
- Data subject request workflows built for speed and accuracy
- Real-time risk monitoring and audit logs that keep you ready, always
Scrut transforms GDPR compliance from a checklist exercise into an ongoing, operational practice. It’s how fast-growing teams move from reactive to resilient — without the manual overhead.
Ready to simplify GDPR compliance?
Scrut helps you build, manage, and scale your GDPR compliance plan — with automated workflows, pre-mapped controls, and real-time monitoring.

FAQs
What is the GDPR summary of requirements?
GDPR requires organizations to collect data lawfully, be transparent, protect personal data, honor user rights, report breaches within 72 hours, and document their compliance efforts. It also mandates privacy by design and proper oversight of third-party vendors.
Does GDPR fall under EU privacy laws?
Yes, GDPR is a central part of EU privacy laws. It was introduced by the European Union in 2016 and has been enforceable since May 25, 2018. The regulation sets the standard for how personal data must be collected, processed, and protected within the European Economic Area (EEA), making it one of the most comprehensive privacy laws in the world.
Does two-factor authentication fall under GDPR compliance?
Yes, 2FA supports GDPR compliance by strengthening data security. While not mandatory, it aligns with Article 32, which requires appropriate measures to protect personal data from unauthorized access.
Does the GDPR apply to the US & its businesses?
Yes, GDPR applies to US businesses if they offer goods or services to individuals in the European Economic Area (EEA) or monitor their behavior. The regulation has extraterritorial scope, meaning it applies regardless of where the business is located.
What kind of business needs to comply with GDPR?
Any business that processes personal data of individuals in the European Economic Area (EEA) must comply with GDPR. This includes companies offering products or services to EEA residents or tracking their online behavior — regardless of the business’s location or size.
Are there different GDPR compliance checklists for different industries?
Yes, while the core GDPR principles remain the same, checklists may vary slightly across industries. Sectors like software, marketing, accounting, education, e-commerce, HR, and nonprofits handle different types of personal data and risks, so their GDPR compliance checklists are often tailored to reflect specific data practices and obligations.
What is considered personal data under GDPR?
Personal data under GDPR includes any information that can identify an individual directly or indirectly. This covers names, email addresses, phone numbers, IP addresses, location data, photos, health records, financial details, and even online behavior like cookies or device IDs.
What are the 7 core principles of GDPR?
1. Lawfulness, fairness, and transparency – Process data legally, fairly, and clearly.
2. Purpose limitation – Collect data only for specific, explicit purposes.
3. Data minimization – Collect only the data you actually need.
4. Accuracy – Keep personal data accurate and up to date.
5. Storage limitation – Don’t keep data longer than necessary.
6. Integrity and confidentiality – Protect data with proper security measures.
7. Accountability – Be able to show how you comply with all GDPR principles.

Megha Thakkar has been weaving words and wrangling technical jargon since 2018. With a knack for simplifying cybersecurity, compliance, AI management systems, and regulatory frameworks, she makes the complex sound refreshingly clear. When she’s not crafting content, Megha is busy baking, embroidering, reading, or coaxing her plants to stay alive—because, much like her writing, her garden thrives on patience. Family always comes first in her world, keeping her grounded and inspired.