Spotsaas Editorial
GDPR Compliance Checklist 2026: 15 Steps to Get (and Stay) Compliant
Written by
Spotsaas Editorial Team
Published June 18, 2026
If your organization collects, stores, or processes personal data of people in the European Union, GDPR applies to you regardless of where your company is based. That includes a SaaS startup in Austin, an e-commerce brand in Singapore, and a consultancy in London. Non-compliance is not a paperwork risk: fines can reach €20 million or 4% of global annual revenue, whichever is higher.
This GDPR compliance checklist breaks down the 15 concrete steps you need to take in 2026. Each item is an action, not a principle. Work through them in order, or use them as an audit against what you already have in place.
Data Inventory & Governance
Before you can protect personal data, you need to know exactly what you hold and why.
1. Map all personal data you collect
Document every category of personal data your organization processes: names, email addresses, IP addresses, payment details, behavioral data, health records. For each category, record where it is stored (database, CRM, spreadsheet, third-party SaaS), who has access, how long you retain it, and where it flows, including to which vendors and to which countries. This is the Record of Processing Activities (ROPA) required by Article 30. The exemption for organizations with fewer than 250 employees is narrow: it falls away as soon as processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data, so in practice almost any business with customer records needs one. Even if you are genuinely exempt, maintaining a ROPA is best practice and will save you hours if a supervisory authority ever asks questions.
2. Document your lawful basis for each data processing activity
Every processing activity requires a lawful basis under Article 6. The six options are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Pick one per activity and document it. For example, sending a transactional order confirmation email is covered by contract; sending a marketing newsletter requires consent. If you can’t identify a lawful basis for something you’re currently doing, stop doing it until you can.
3. Appoint a Data Protection Officer (DPO) if required
A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale (think behavioral advertising at scale), or if your core activities involve large-scale processing of special categories of data (health, biometric, genetic) or criminal-conviction data. If you are required to have one, you must publish the DPO's contact details and communicate them to your supervisory authority (Article 37(7)). If a DPO is not mandatory, designate a privacy lead internally anyway; someone needs to own this.
4. Review contracts with all third-party data processors
Any vendor who processes personal data on your behalf (your email platform, your cloud hosting provider, your analytics tool) is a data processor. Article 28 requires a written Data Processing Agreement (DPA) with each of them. Review existing contracts and add DPAs where missing. Check that each DPA covers: the subject matter and duration of processing, its nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of your organization as the controller. It should also bind the processor to act only on your documented instructions, to apply Article 32 security measures, to flow the same terms down to any sub-processor (and to tell you before adding one), to help you answer data subject requests and breach notifications, to delete or return the data when the contract ends, and to submit to audits.
Consent & Transparency
Your users need to know what you’re doing with their data — and they need to have genuinely agreed to it.
5. Update your Privacy Policy
Your Privacy Policy must clearly explain: what personal data you collect, the lawful basis for each type of processing, how long you retain data, who you share it with, and how users can exercise their rights. Write it in plain language — “we use your email to send marketing messages, which you can unsubscribe from at any time” is better than legal boilerplate. Make it easily accessible; a link in the footer is standard, but a link at the point of data collection (sign-up forms, checkout pages) is better.
6. Implement a Cookie Consent Management Platform (CMP)
Non-essential cookies and similar trackers (analytics, advertising, personalization) cannot be set or read until the user explicitly consents; the obligation comes from the ePrivacy rules, and GDPR sets the standard that consent must meet. Strictly necessary cookies (session, shopping cart, CSRF token, the consent record itself) need no consent. That means your Google Analytics tag, your Facebook Pixel, and your heat-mapping tool need to be blocked by default and only fire after the user clicks “Accept.” A CMP handles this technically: it presents a consent banner, records the user’s choice, and controls which scripts load. Pre-ticked “I agree to all cookies” checkboxes do not satisfy GDPR; neither does a banner that makes “Reject” harder to find than “Accept.” Give “Reject all” the same prominence as “Accept all,” and check that rejection actually keeps the tags from loading rather than just hiding the banner.
7. Ensure consent meets GDPR’s standard
Valid consent under GDPR must be freely given (no coercion or bundling), specific (separate consent for separate purposes), informed (the user knows exactly what they’re agreeing to), and unambiguous (an affirmative action, not silence or inactivity). Check your sign-up flows: are you bundling marketing consent into your terms of service acceptance? Are you using pre-ticked boxes? Both are invalid. Fix them.
8. Keep records of consent
Knowing that a user consented isn’t enough — you need to be able to prove it. Your system should log: who consented, when they consented, what they were shown (the version of the consent form or cookie banner), and what they agreed to. If a user withdraws consent later, that should be logged too. This is your audit trail if a supervisory authority investigates a complaint.
Individual Rights Management
GDPR gives individuals eight rights. Your processes need to handle at least four of them routinely.
9. Create a process for Subject Access Requests (SARs)
Anyone whose personal data you process can ask you to confirm that you hold data about them and to provide a copy, together with the purposes, recipients, retention period, and source. You have one month to respond (extendable by a further two months for complex or numerous requests, but you must tell the requester within the first month). Build a process: a dedicated email address or form for receiving SARs, a workflow for pulling data from every system in your ROPA, and a template response. Verify the requester’s identity first, proportionately to the sensitivity of the data (Article 12(6) lets you ask for additional information where you have reasonable doubts); an unauthenticated SAR channel is otherwise a convenient way for an attacker to extract someone else’s data. Test the process before you need it. Many organizations discover during their first SAR that they cannot actually locate all the data they hold on a person.
10. Build a data deletion mechanism
The “right to be forgotten” (Article 17) lets users request erasure of their data when it is no longer necessary for the original purpose, when they withdraw consent, when they object and you have no overriding grounds, or when the processing was unlawful. You need a process to handle these requests within one month. Erasure is not absolute: data you must keep under a legal obligation (invoices, for example) can be retained, but say so in your response. Critically, deletion must cascade. Instruct every processor holding the data to delete it, and Article 19 requires you to inform each recipient you disclosed the data to, unless that is impossible or disproportionate. Decide up front how backups are handled (typically the record is purged from live systems immediately and ages out of backups on a documented retention schedule). Document every deletion request and what action you took.
11. Support data portability
Under Article 20, users whose data you process based on consent or contract have the right to receive that data in a structured, commonly-used, machine-readable format (CSV or JSON, for example) and to transmit it to another controller. Build an export function into your product or admin tools so you can fulfill these requests without manual database exports.
12. Make it easy to withdraw consent
If a user gave consent, they can revoke it at any time, and the withdrawal must be as easy as giving consent was. If it took one click to subscribe to your newsletter, it must take one click to unsubscribe — not a multi-step form with a 10-business-day processing time. When consent is withdrawn, you must stop the processing that depended on it promptly.
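The consent log described in item 8, with the withdrawal path from item 12, as an added example. This is illustrative code written for this article, not the page's or any vendor's product; the form wording, user id and evidence labels are constructed. Each row records who, when, which purpose, which act was performed, and a hash of the exact wording shown; rows are chained so that a row edited or deleted after the fact is detectable, which is what matters when the complaint is "I never agreed to this."

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample wording; in production this is the exact copy shown on the form or banner.
NEWSLETTER_FORM_V2 = "Yes, email me the weekly product newsletter. I can unsubscribe at any time."
COOKIE_BANNER_V3 = "Allow analytics cookies so we can measure how this site is used?"
# Acts accepted as evidence. Pre-ticked boxes, silence and scrolling are deliberately not listed.
AFFIRMATIVE_ACTS = {"checkbox_ticked", "accept_button", "double_opt_in_link"}
WITHDRAWAL_ACTS = {"unsubscribe_link", "settings_toggle", "reject_button", "written_request"}
GENESIS = "0" * 64


def form_fingerprint(text: str) -> str:
    """SHA-256 of the exact wording shown, so the record proves what the user agreed to."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentEvent:
    subject_id: str   # internal user id; keeping the email out of the log limits its exposure
    purpose: str      # one purpose per event: "newsletter", "analytics", ...
    action: str       # "grant" or "withdraw"
    evidence: str     # the act performed, e.g. "checkbox_ticked"
    form_hash: str    # fingerprint of the wording shown; empty for withdrawals
    timestamp: str    # ISO-8601 UTC
    prev_hash: str    # entry_hash of the previous row: the log becomes a tamper-evident chain
    entry_hash: str = ""

    def digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only consent log: rows are never updated in place, a withdrawal is a new row."""
    def __init__(self) -> None:
        self.entries: List[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, evidence, form_hash, when) -> ConsentEvent:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ev = ConsentEvent(subject_id, purpose, action, evidence, form_hash,
                          when.astimezone(timezone.utc).isoformat(), prev)
        ev.entry_hash = ev.digest()
        self.entries.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, form_text: str, evidence: str,
              when: Optional[datetime] = None) -> ConsentEvent:
        if evidence not in AFFIRMATIVE_ACTS:
            raise ValueError(f"{evidence!r} is not an affirmative act; consent not recorded")
        return self._append(subject_id, purpose, "grant", evidence, form_fingerprint(form_text), when)

    def withdraw(self, subject_id: str, purpose: str, evidence: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        if evidence not in WITHDRAWAL_ACTS:
            raise ValueError(f"unknown withdrawal channel {evidence!r}")
        return self._append(subject_id, purpose, "withdraw", evidence, "", when)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event for (subject, purpose) wins; no event at all means no consent."""
        state = False
        for ev in self.entries:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Re-walk the chain; an edited or removed inner row breaks it. Chaining alone cannot
        detect a trimmed tail, so also compare with a head hash kept where the app cannot write."""
        prev = GENESIS
        for ev in self.entries:
            if ev.prev_hash != prev or ev.digest() != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return expected_head is None or prev == expected_head


def demo() -> dict:
    """Constructed walk-through: grant two purposes, withdraw one, then tamper with the log."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("u-1001", "newsletter", NEWSLETTER_FORM_V2, "checkbox_ticked", t0)
    ledger.grant("u-1001", "analytics", COOKIE_BANNER_V3, "accept_button", t0)
    ledger.withdraw("u-1001", "newsletter", "unsubscribe_link", t0 + timedelta(days=3))
    head = ledger.entries[-1].entry_hash  # copied to separate storage after every append
    result = {
        "newsletter": ledger.has_consent("u-1001", "newsletter"),
        "analytics": ledger.has_consent("u-1001", "analytics"),
        "analytics_shown_v3": ledger.entries[1].form_hash == form_fingerprint(COOKIE_BANNER_V3),
        "chain_ok": ledger.verify(head),
    }
    del ledger.entries[-1]  # someone "cleans up" the withdrawal so marketing can keep emailing
    result["newsletter_after_tampering"] = ledger.has_consent("u-1001", "newsletter")
    result["chain_ok_after_tampering"] = ledger.verify(head)
    return result
```

Two design choices matter more than the code. Withdrawal is a new row, never an update, so the history of what the user had agreed to on any past date survives. And a hash chain only proves internal consistency: to catch someone trimming the newest rows, copy the latest entry hash somewhere the application's own credentials cannot write and pass it to `verify`.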
Security & Breach Response
GDPR requires “appropriate technical and organizational measures” to protect personal data — and a defined process when things go wrong.
13. Implement appropriate technical security controls
“Appropriate” is context-dependent: the security controls for a health data platform differ from those for a B2B email list. Article 32 names encryption and pseudonymization explicitly, alongside confidentiality, integrity, availability, the ability to restore data after an incident, and regular testing of all of the above. At minimum, encrypt personal data in transit (TLS 1.2 or higher) and at rest (AES-256, with keys held in a KMS or HSM rather than next to the data, since disk encryption does nothing against an attacker who is already logged in), enforce role-based access control so staff only reach the data they need, require multi-factor authentication (MFA) for admin accounts and any system holding personal data, keep access logs, and conduct regular penetration testing. Pseudonymization, replacing direct identifiers with tokens that can only be linked back using information kept separately (Article 4(5)), reduces the blast radius of a breach for analytics and support datasets. Two caveats: an unkeyed hash of an email address is not pseudonymization, because anyone can recompute it from a list of candidate addresses; and pseudonymized data is still personal data while you hold the key, so it stays in scope (Recital 26).
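An added example for the pseudonymization point above (illustrative code for this article, not the page's or any vendor's; the customer addresses and the attacker's word list are constructed). It contrasts an unkeyed hash, which an attacker reverses by guessing, with an HMAC under a key that is kept separately, and derives a distinct key per dataset so tokens cannot be joined across datasets.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample identifiers (not real people).
CUSTOMERS = ["alice@example.com", "bob@example.org", "carol@example.net"]
# What an attacker who obtains the "anonymised" dataset brings: a leaked list, scraped addresses,
# or every first.last@domain they can generate. Constructed for the demo.
ATTACKER_WORDLIST = ["mallory@example.com", "bob@example.org", "alice@example.com", "dave@example.net"]


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it for a guessed identifier."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def dataset_key(master_key: bytes, dataset: str) -> bytes:
    """Derive one key per dataset (analytics, support, ...) so tokens from two datasets cannot
    be joined on the token, even by someone who obtains both. Labelled derivation via HMAC."""
    return hmac.new(master_key, b"pseudonym-key/" + dataset.encode("utf-8"), hashlib.sha256).digest()


def pseudonymize(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information kept separately'
    of Article 4(5): hold it in a KMS or secrets manager, never in the same store as the data."""
    return hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_guessing(token: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate and compare. Without the key
    the attacker can only try the unkeyed function, which never matches a keyed token."""
    for candidate in candidates:
        guess = pseudonymize(key, candidate) if key is not None else naive_token(candidate)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def demo() -> dict:
    """Constructed comparison of an unkeyed hash against keyed, per-dataset pseudonyms."""
    master_key = secrets.token_bytes(32)  # would live in the KMS; generated here for the demo
    analytics_key = dataset_key(master_key, "analytics")
    support_key = dataset_key(master_key, "support")
    naive = [naive_token(e) for e in CUSTOMERS]
    keyed = [pseudonymize(analytics_key, e) for e in CUSTOMERS]
    return {
        # Two of three customers fall to the word list; the third survives only by absence from it.
        "naive_recovered": [reidentify_by_guessing(t, ATTACKER_WORDLIST) for t in naive],
        "keyed_recovered_without_key": [reidentify_by_guessing(t, ATTACKER_WORDLIST) for t in keyed],
        # The controller, holding the key, can still resolve a token when a user exercises a right.
        "keyed_recovered_with_key": [reidentify_by_guessing(t, CUSTOMERS, analytics_key) for t in keyed],
        "stable_across_case": pseudonymize(analytics_key, " Alice@Example.COM ") == keyed[0],
        "joinable_across_datasets": pseudonymize(support_key, CUSTOMERS[0]) == keyed[0],
    }
```

Keyed tokens are only as separate as the key: if the HMAC key sits in the same database or under the same IAM role as the pseudonymized table, you have a lookup table with extra steps. Resolving a token with the key, as `reidentify_by_guessing` does, only works when the candidate identifier is already known (a user exercising a right, for example); for bulk resolution keep a separate token-to-identifier table under its own access control.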
14. Create a data breach response plan
Under Article 33, you must report a personal data breach to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The clock starts when you have a reasonable degree of certainty that personal data has been compromised, not when you finish investigating; if you cannot give the full picture in time, notify what you know and supply the rest in phases, and record the reason for any delay. If you are a processor, you must notify the controller without undue delay, and your DPA should say how fast. Every breach, including ones you decide not to report, must be documented internally (Article 33(5)). Your breach response plan should define: who is the incident response lead, how to assess the scope and risk of a breach, what information to include in a supervisory authority notification (nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, measures taken), and when to notify affected individuals directly (required under Article 34 when the breach is likely to result in a high risk to them). Run a tabletop exercise annually so your team knows the plan before an incident happens.
15. Conduct a Data Protection Impact Assessment (DPIA) before high-risk processing
A DPIA is required before you start any processing that’s “likely to result in a high risk” to individuals — this includes large-scale profiling, systematic monitoring of public spaces, processing special categories of data, or using new technologies. A DPIA documents the nature of the processing, the necessity and proportionality of the activity, the risks to individuals, and the measures you’ll take to mitigate those risks. If a DPIA reveals high residual risk, you must consult your supervisory authority before proceeding.
Common Mistakes
Even organizations with good intentions get these wrong.
Treating GDPR as a one-time project
GDPR compliance is ongoing. Your data map becomes outdated every time you add a new tool, launch a new product feature, or hire a new vendor. Schedule quarterly reviews of your ROPA and annual reviews of your full compliance posture.
Accepting vendor DPAs without reading them
Many vendors have DPA templates that do not fully satisfy GDPR requirements. They may allow sub-processors in countries without an adequacy decision and without any transfer mechanism, let the vendor add sub-processors without telling you, or set no deadline for notifying you of a breach, which eats into your own 72 hours. Read the DPA, not just the vendor’s compliance page.
Relying on legitimate interests for everything
Legitimate interests (Article 6(1)(f)) is a flexible basis, but it requires a Legitimate Interests Assessment (LIA) and can be overridden by individual rights. It’s not a fallback for situations where you don’t want to ask for consent. Using it incorrectly is a common reason organizations fail audits.
Ignoring consent for cookies while complying elsewhere
It’s easy to document your lawful bases and update your privacy policy while your website is still firing Google Analytics before consent is given. Your cookie CMP must be technically enforced, not just described in policy. Check it the way a regulator’s tooling would: open the site in a fresh private browsing window and, before touching the banner, inspect the network requests and the cookie jar for analytics or advertising hosts. Anything that fires before the click is a finding.
Not training staff
A well-documented GDPR program fails if the people handling personal data don’t know the rules. Phishing attacks, accidental data sharing, and improper handling of SARs often stem from lack of training, not lack of policy. Annual training for all staff who handle personal data is a baseline requirement.
Tools That Automate GDPR Compliance
Working through this checklist manually is possible for very small teams, but software significantly reduces the time, risk, and ongoing maintenance burden. Here are six tools worth evaluating. For a full comparison, see our best GDPR compliance software guide for 2026.
iubenda
iubenda generates GDPR-compliant privacy policies, cookie policies, and terms of service from a questionnaire-style setup. Its cookie solution blocks non-essential scripts until consent is given and maintains a consent log. It’s designed for small to mid-size businesses that need working compliance documents quickly without hiring a lawyer.
Best for: SMBs needing privacy policy generation and cookie consent management
OneTrust
OneTrust is a full privacy operations platform covering consent management, data mapping, DSAR automation, vendor risk management, and DPIA workflows. It’s used by many Fortune 500 companies and supports compliance across GDPR, CCPA, LGPD, and other frameworks simultaneously. Implementation is complex and pricing reflects enterprise scale.
Best for: Large enterprises needing a complete privacy operations platform
Didomi
Didomi specializes in consent and preference management at scale, with strong support for multi-jurisdiction deployments and high-traffic websites. It offers a consent management platform (CMP) with a visual editor, detailed analytics on consent rates, and API-level integration for headless and mobile environments.
Best for: Enterprises needing advanced consent management at scale
ECOMPLY
ECOMPLY is built specifically for DPOs and privacy teams managing GDPR compliance end-to-end. It covers data mapping (ROPA), risk assessments, vendor management with DPA tracking, DSAR management, and audit trails. The interface is structured around GDPR’s specific requirements rather than generic compliance frameworks.
Best for: DPOs needing a complete GDPR management system with data mapping
Termly
Termly offers a quick-start path to GDPR compliance for small businesses: generate a privacy policy, cookie policy, and terms of service, then add a cookie consent banner to your site via a code snippet. It’s not as feature-rich as enterprise platforms, but it handles the core requirements for organizations with relatively simple data practices.
Best for: SMBs wanting a quick-start privacy policy and cookie banner
VComply
VComply is a governance, risk, and compliance (GRC) platform that manages GDPR alongside other regulatory frameworks — SOC 2, ISO 27001, HIPAA, and others. If your team is managing multiple compliance obligations and needs a unified dashboard for tracking requirements, evidence collection, and audit readiness, VComply consolidates that work.
Best for: Compliance teams managing GDPR alongside other regulatory frameworks
Frequently Asked Questions
Who does GDPR apply to?
GDPR applies to any organization that processes personal data of individuals in the EU or EEA, regardless of where the organization itself is based. Merely being reachable from the EU is not enough on its own: what brings a non-EU organization into scope under Article 3(2) is offering goods or services to people in the EU (EU-language versions, euro pricing, shipping to EU countries) or monitoring their behaviour (tracking cookies, profiling). If you do either and collect their email addresses, you are in scope. It covers both controllers (organizations that determine why and how data is processed) and processors (organizations that process data on a controller’s behalf).
What are the penalties for GDPR non-compliance?
There are two tiers. Less serious violations — such as failing to maintain proper records of processing — can result in fines up to €10 million or 2% of global annual revenue. More serious violations — such as processing data without a lawful basis or ignoring individuals’ rights — can result in fines up to €20 million or 4% of global annual revenue. Supervisory authorities also have the power to issue warnings, reprimands, and temporary or permanent bans on processing.
Does GDPR apply to US companies?
Yes, if they process personal data of people in the EU on the basis described above. The EU-U.S. Data Privacy Framework (DPF), adopted in 2023, provides a legal mechanism for certified US companies to receive data transfers from the EU. Companies that are not DPF-certified must rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to legitimize transatlantic data flows, and since the Schrems II judgment an SCC transfer also needs a documented transfer impact assessment of the destination country’s laws.
What is a Data Processing Agreement (DPA)?
A DPA is a contract between a data controller and a data processor that governs how the processor handles personal data on the controller’s behalf. Under Article 28 of GDPR, a DPA is mandatory whenever you use a third party to process personal data; that includes your CRM, your email marketing platform, your cloud storage provider, and your analytics tool. A valid DPA must specify the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and the obligations and rights of both parties.
How long do you have to respond to a Subject Access Request?
You have one calendar month from the date of receiving the request. If the request is complex or you’ve received multiple requests from the same person, you can extend this by a further two months — but you must notify the person within the first month that you’re extending and explain why. You cannot charge a fee for a SAR unless it’s “manifestly unfounded or excessive.”
Is there a GDPR certification for businesses?
GDPR itself doesn’t offer a single official certification, but Article 42 provides for certification mechanisms approved by supervisory authorities. Some EU member states have developed national certification schemes. More commonly, organizations demonstrate GDPR compliance through ISO 27001 (information security management), SOC 2 Type II reports, or formal audits by privacy consultancies — none of which are GDPR certifications per se, but they’re recognized indicators of a mature data protection program.
Conclusion
GDPR compliance isn’t a checkbox you tick once — it’s a set of ongoing practices that need to be embedded into how your organization handles data. The 15 items on this checklist cover the core legal requirements: knowing what data you hold, having a lawful basis for processing it, respecting individual rights, and being prepared to respond when something goes wrong.
Start with your data map (item 1), because everything else depends on knowing what you actually have. Then work through consent, rights management, and security in parallel with the right tools in place.
Compare all GDPR compliance tools on Spotsaas to find the right fit for your team’s size, budget, and compliance scope.
Related Articles
Best GDPR Compliance Software in 2026: Tools for Data Privacy Teams
What Is Identity and Access Management (IAM)? A Plain-English Guide
Best Identity and Access Management Software (IAM) in 2026
Best Cybersecurity Software for Small Business in 2026: 8 Tools That Actually Fit Your Budget