
GDPR Compliance Checklist (2026)

Authority: European Data Protection Board (EDPB)
Updated: 2026-01
Zeta Solutions | Compliance Research
Last verified: May 2026
Zeta Solutions is a web and software studio that researches, builds, and maintains ComplianceCheckup.org.

This checklist covers the core operational requirements of the General Data Protection Regulation (GDPR) for organisations that collect or process personal data from EU or EEA residents. Each item cites the specific Article so you can verify the requirement directly in the official text at gdpr-info.eu. This checklist is a self-assessment starting point, not a substitute for legal advice.

Disclaimer: This checklist is for informational purposes only. It does not constitute legal advice and is not a substitute for advice from a qualified attorney or licensed compliance professional in your jurisdiction. Always consult a professional before making compliance decisions.


Lawful Basis for Processing

Article 6
Article 5(2)
Article 9
Articles 7–8
Article 7(3)

Privacy Notice & Transparency

Articles 12–14
Article 12
Article 12
Articles 13–14

Data Subject Rights

Article 15
Article 16
Article 17
Article 18
Article 20
Article 21

Data Protection by Design

Article 5(1)(c)
Article 5(1)(e)
Article 32
Article 32

Records & Documentation

Article 30
Article 30(1)
Article 30(5)

Data Breaches

Article 33
Article 34
Article 33(5)

Third Parties & Transfers

Article 28
Article 28(1)
Articles 44–46

Data Protection Officer (DPO)

Article 37
Articles 37–39

What is GDPR and who does it apply to?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, in force since May 25, 2018. It applies to any organisation — anywhere in the world — that collects, stores, or processes personal data belonging to EU or EEA residents. If your website is accessible from Europe and you collect email addresses, IP addresses, cookie identifiers, or any other personally identifiable information, GDPR applies to you. There is no minimum size exemption: a solo founder with a newsletter list of 100 EU subscribers is subject to GDPR.

The regulation defines two key roles: controllers (organisations that determine why and how personal data is processed) and processors (organisations that process data on behalf of controllers, such as cloud providers or email services). Both carry legal obligations under GDPR, and controllers must sign Data Processing Agreements (DPAs) with all processors under Article 28.

What are the consequences of GDPR non-compliance?

Fines are tiered under Article 83. Less serious violations — such as failing to maintain records of processing activities (Article 30) or not notifying a breach within 72 hours (Article 33) — can result in fines of up to €10 million or 2% of global annual revenue. More serious violations — such as processing data without a lawful basis (Article 6) or violating data subject rights (Articles 15–22) — can attract fines of up to €20 million or 4% of global annual revenue, whichever is higher. In 2023, total GDPR fines exceeded €2 billion for the first time.

Beyond financial penalties, supervisory authorities can issue warnings, reprimands, and orders to stop processing data entirely. The regulation is enforced by national Data Protection Authorities (DPAs) in each EU member state, coordinated by the European Data Protection Board (EDPB).

How to use this GDPR compliance checklist

Work through each category systematically. The checklist covers the seven GDPR principles from Article 5, the six lawful bases for processing from Article 6, and the eight data subject rights from Articles 15–22. Each item includes a reference to the specific GDPR article so you can verify the requirement directly in the official regulation text at gdpr-info.eu.

Start with your lawful basis for processing — you cannot lawfully process personal data without one, and this determines much of your compliance posture. Then work through data subject rights, which require internal processes to respond to requests within 30 days. If you also process health data, review our HIPAA checklist; if you serve California residents, review the CCPA checklist.

What this checklist is for, and what it is not

This checklist is for any organisation that collects or processes personal data from EU or EEA residents. It covers the core operational requirements a small to mid-sized business can self-assess: identifying a lawful basis for each processing activity, implementing data subject rights workflows, maintaining records of processing activities under Article 30, conducting Data Protection Impact Assessments where required under Article 35, signing Data Processing Agreements with vendors under Article 28, and meeting the 72-hour breach notification deadline under Article 33.

What it does not cover: jurisdiction-specific guidance from individual Data Protection Authorities (the German Datenschutzkonferenz, the UK ICO, and the Irish DPC each publish supplementary guidance that may apply to your specific sector); evolving legal interpretation of concepts such as legitimate interest and cookie consent; formal certification schemes under Article 42; or the specific requirements of GDPR's implementing regulations in each EU member state. Compliance requirements vary significantly based on your sector, the categories of data you process, and where your users are located. Last verified May 2026 against the official text at gdpr-info.eu.

Real-world GDPR enforcement cases

In May 2023, the Irish Data Protection Commission fined Meta Platforms Ireland €1.2 billion for transferring personal data of EU Facebook users to the United States in violation of Article 46 GDPR. Meta was relying on Standard Contractual Clauses, but the DPC found that U.S. surveillance law (specifically FISA Section 702) meant those SCCs did not provide an essentially equivalent level of protection. The fine was the largest in GDPR history and required Meta to suspend the transfers. The case demonstrates that international data transfers are a live enforcement risk, not a paperwork exercise.

In September 2022, the Irish DPC fined Meta €405 million for processing children's personal data contrary to Articles 5, 6, and 25 GDPR. The violation concerned Instagram's default public account settings for users aged 13 to 17, and the display of contact information in public-facing business account profiles for minors. The case illustrates that privacy-by-design under Article 25 is an active design obligation with real enforcement consequences, not a documentation checkbox.

In July 2021, Luxembourg's CNPD fined Amazon €746 million for processing personal data for advertising purposes without a valid legal basis under Article 6. Amazon's cookie-based advertising system loaded tracking cookies without obtaining genuine, freely given consent as required by Articles 4(11) and 7. The Amazon case reinforces that consent mechanisms that load advertising trackers by default before any user action do not meet GDPR's consent standard.

Common GDPR mistakes

Relying on legitimate interest without a balancing test. Legitimate interest under Article 6(1)(f) requires a three-part test: a legitimate purpose, necessity of the processing for that purpose, and a finding that your interests do not override the data subject's rights and freedoms. Organisations frequently treat legitimate interest as a blanket basis for any processing they consider reasonable. Without a documented balancing test, this basis will not survive regulatory scrutiny. See checklist item: documented lawful basis.

Pre-ticked consent boxes and bundled consent. Consent under Article 7 must be a freely given, specific, informed, and unambiguous indication through a clear affirmative action. Pre-ticked checkboxes, opt-out mechanisms, and consent bundled with terms of service are all invalid under GDPR. Many websites still fail this basic test, particularly for marketing emails and analytics cookies.

Generic or missing Data Processing Agreements. Article 28 requires a written DPA with every processor that handles personal data on your behalf. SaaS tools, analytics platforms, cloud infrastructure, email service providers, and payment processors are all typically processors. A DPA must specify the nature, purpose, duration, and type of data being processed. A generic addendum that does not reflect actual processing activities does not fulfil the obligation.

Missing DSAR deadlines. Articles 15 to 22 grant data subjects rights including access, rectification, erasure, and portability. Requests must be responded to within one month of receipt, extendable by two months for complex requests with written notice. Organisations with no DSAR workflow, handling incoming requests ad hoc, frequently miss this deadline.

US data transfers without a valid mechanism. Since Schrems II (CJEU, July 2020) invalidated the EU-US Privacy Shield, transfers to US processors require Standard Contractual Clauses supplemented by a transfer impact assessment, or self-certification of the US recipient under the EU-US Data Privacy Framework (in force from July 2023 under Decision 2023/1795). Many businesses still transfer data to US SaaS providers without checking either mechanism.

What changed in GDPR: 2024 to 2026

The European Commission adopted Adequacy Decision 2023/1795 in July 2023, establishing the EU-US Data Privacy Framework (DPF) as a valid transfer mechanism under Article 45. US companies self-certified under the DPF can receive personal data from the EU without SCCs. As of May 2026, over 2,500 US companies are DPF-certified. Privacy advocacy groups have indicated intent to challenge the DPF before the CJEU; verify the status of any legal challenge before relying on the DPF as your sole transfer mechanism.

The EDPB published Guidelines 3/2022 on Dark Patterns in Social Media Platforms (adopted September 2022), providing detailed examples of what constitutes deceptive UX design that violates GDPR consent requirements. In 2024 and 2025, multiple DPAs issued enforcement actions specifically targeting cookie banner design, making non-compliant consent flows one of the most actively enforced GDPR requirements.

Regulation (EU) 2024/1689 (the EU AI Act) entered into force in August 2024. For AI systems that process personal data, compliance overlaps significantly with GDPR obligations, particularly around data minimisation (Article 5(1)(c)), automated decision-making (Article 22), and transparency (Articles 13 to 14). If your product uses AI to process personal data, both frameworks apply concurrently. Last reviewed May 2026 by the Zeta Solutions editorial team.

Frequently Asked Questions

What is the maximum penalty for GDPR non-compliance?

The maximum fine under GDPR is €20 million or 4% of global annual revenue, whichever is higher (Article 83(5)). A lower tier of up to €10 million or 2% of global annual revenue applies to less serious violations such as record-keeping failures. In 2023, total GDPR fines exceeded €2 billion. Notable penalties include Meta (€1.2 billion), Amazon (€746 million), and Instagram (€405 million).

Does GDPR apply to US companies?

Yes. GDPR applies to any organisation that processes personal data of EU/EEA residents, regardless of where the organisation is based. If you have EU customers or website visitors from the EU and collect any data about them (including IP addresses via analytics), GDPR applies.

What are the fines for GDPR non-compliance?

GDPR fines operate in two tiers. Serious violations (unlawful processing, violating data subject rights, transferring data without safeguards) can reach €20 million or 4% of global annual turnover, whichever is higher. Less serious violations (technical requirements) can reach €10 million or 2%.

What counts as personal data under GDPR?

Personal data is any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, cookie identifiers, location data, photos, and any data that can be used alone or in combination to identify someone.

Do I need a cookie consent banner?

If you use non-essential cookies (analytics, advertising, session tracking beyond basic functionality), you need prior consent from EU users before setting those cookies. Implied consent and pre-ticked boxes are not valid. A properly implemented consent management platform (CMP) is the standard solution.

What is the difference between a controller and a processor?

A controller determines the purposes and means of processing — this is typically your business. A processor processes data on behalf of the controller — this is typically your vendors (cloud providers, analytics tools, email platforms). Both have obligations under GDPR, and you must have a DPA with every processor.
