GDPR Compliance Checklist (2026)
Lawful Basis for Processing
Privacy Notice & Transparency
Data Subject Rights
Data Protection by Design
Records & Documentation
Data Breaches
Third Parties & Transfers
Data Protection Officer (DPO)
What is GDPR and who does it apply to?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, in force since May 25, 2018. It applies to any organisation — anywhere in the world — that collects, stores, or processes personal data belonging to EU or EEA residents. If your website is accessible from Europe and you collect email addresses, IP addresses, cookie identifiers, or any other personally identifiable information, GDPR applies to you. There is no minimum size exemption: a solo founder with a newsletter list of 100 EU subscribers is subject to GDPR.
The regulation defines two key roles: controllers (organisations that determine why and how personal data is processed) and processors (organisations that process data on behalf of controllers, such as cloud providers or email services). Both carry legal obligations under GDPR, and controllers must sign Data Processing Agreements (DPAs) with all processors under Article 28.
What are the consequences of GDPR non-compliance?
Fines are tiered under Article 83. Less serious violations — such as failing to maintain records of processing activities (Article 30) or not notifying a breach within 72 hours (Article 33) — can result in fines of up to €10 million or 2% of global annual revenue, whichever is higher. More serious violations — such as processing data without a lawful basis (Article 6) or violating data subject rights (Articles 15–22) — can attract fines of up to €20 million or 4% of global annual revenue, whichever is higher. In 2023, total GDPR fines exceeded €2 billion for the first time. Notable recent penalties include Meta (€1.2 billion, 2023) and Amazon (€746 million, 2021).
Beyond financial penalties, supervisory authorities can issue warnings, reprimands, and orders to stop processing data entirely. A processing ban can halt business operations for any company dependent on EU customer data. The regulation is enforced by national Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB).
How to use this GDPR compliance checklist
Work through each category systematically. The checklist covers the seven GDPR principles from Article 5, the six lawful bases for processing from Article 6, and the eight data subject rights from Articles 15–22. Each item includes a reference to the specific GDPR article so you can verify the requirement directly in the official regulation text at gdpr-info.eu.
Start with your lawful basis for processing — you cannot lawfully process personal data without one, and this determines much of your compliance posture. Then work through data subject rights, which require internal processes to respond to requests within 30 days. If you also process health data, you may need to review our HIPAA checklist; if you serve California residents, review the CCPA checklist. Use the PDF export to share your progress with your Data Protection Officer, legal team, or external auditors.