Free Assessment

GDPR Compliance Checklist

Score your organisation's GDPR compliance across 30 items in 6 categories. Free. Takes 10 minutes.

Built by privacy and legal professionals
Covers all 6 core GDPR compliance areas
6

Publish a Client-Facing Privacy Notice

Art. 13

Provide clients with a clear, concise privacy notice at the start of each engagement explaining what personal data you collect, why, how long you keep it, and their rights.

7

Maintain a Website Privacy Policy

Art. 12, Art. 13

Publish a comprehensive privacy policy on your firm's website covering all data processing activities — website analytics, contact forms, cookie usage, and recruitment.

8

Include Engagement Letter Disclosures

Art. 13(1)(a)–(e)

Integrate data protection clauses into client engagement letters specifying the controller identity, purposes of processing, data sharing with third parties, and retention periods.

9

Provide Employee Privacy Notices

Art. 13, Art. 14

Give staff and job applicants a dedicated privacy notice covering HR data processing — payroll, performance monitoring, background checks, and internal communications.

10

Disclose Third-Party Data Sharing

Art. 13(1)(e), Art. 14(1)(e)

Clearly inform data subjects about any sharing of their personal data with barristers, experts, courts, regulators, or other third parties. Name categories of recipients.

11

Encrypt Personal Data at Rest and in Transit

Art. 32(1)(a)

Apply encryption to client files, databases, email communications, and portable devices. Enforce TLS 1.2+ for all data in transit and AES-256 or equivalent for data at rest.

12

Implement Role-Based Access Controls

Art. 32(1)(b)

Restrict access to personal data based on job function using the principle of least privilege. Maintain access logs and review permissions quarterly.

13

Establish a Data Breach Response Plan

Art. 33, Art. 34

Document a clear incident response procedure. Notify the supervisory authority within 72 hours of becoming aware of a qualifying breach. Inform affected individuals without undue delay when there is a high risk.

14

Conduct Regular Security Testing

Art. 32(1)(d)

Perform periodic vulnerability assessments and penetration tests on systems that process personal data. Address findings promptly and document remediation.

15

Secure Physical and Remote Access

Art. 32(1)(b), Art. 32(2)

Protect physical premises with appropriate access controls. For remote work, enforce VPN usage, multi-factor authentication, and endpoint security on all devices accessing client data.

16

Implement a DSAR Handling Process

Art. 15, Art. 12(3)

Establish a documented procedure to receive, verify, and respond to data subject access requests within one calendar month. Train staff to recognise and escalate requests promptly.

17

Support Rectification and Erasure Requests

Art. 16, Art. 17

Enable individuals to correct inaccurate data and request deletion. Document lawful grounds for refusal (e.g., legal obligation to retain) and communicate these clearly.

18

Facilitate Data Portability

Art. 20

Where processing is based on consent or contract, provide personal data in a structured, commonly used, machine-readable format (CSV, JSON) upon request.

19

Honour the Right to Object

Art. 21

Stop processing personal data for direct marketing immediately upon objection. For other objections based on legitimate interests, assess whether compelling grounds override the individual's interests.

20

Review Automated Decision-Making

Art. 22

If your firm uses automated profiling or decision-making that significantly affects individuals, provide meaningful information about the logic involved and offer the right to human review.

21

Maintain Records of Processing Activities

Art. 30

Keep a comprehensive ROPA documenting every processing activity — purpose, categories of data, recipients, retention periods, and technical and organisational security measures.

22

Appoint or Assess the Need for a DPO

Art. 37, Art. 38

Determine whether your firm is required to appoint a Data Protection Officer. If appointed, ensure they have sufficient resources, independence, and direct reporting to senior management.

23

Conduct Data Protection Impact Assessments

Art. 35

Perform a DPIA before any processing likely to result in high risk to individuals — large-scale profiling, systematic monitoring, or processing of special category data.

24

Manage Third-Party Processors

Art. 28

Execute Data Processing Agreements with all processors (IT providers, cloud services, external counsel). Audit processor compliance regularly and maintain a register of all sub-processors.

25

Implement Staff Training and Policies

Art. 39(1)(b), Art. 24

Deliver mandatory data protection training to all staff at induction and annually. Maintain written policies for data handling, clean desk, acceptable use, and incident reporting.

26

Map All International Data Flows

Art. 44, Art. 49

Identify every transfer of personal data outside the EEA — cloud hosting, cross-border litigation support, international co-counsel. Document the destination country and legal basis for each transfer.

27

Implement Appropriate Transfer Safeguards

Art. 46, Art. 47

For transfers to countries without an adequacy decision, put Standard Contractual Clauses or Binding Corporate Rules in place. Conduct Transfer Impact Assessments where required.

28

Identify and Protect Special Category Data

Art. 9, Art. 10

Recognise when you process special category data (health records, criminal offence data, racial or ethnic origin) in litigation or advisory work. Apply enhanced safeguards and document the Art. 9 condition relied upon.

29

Define and Enforce Data Retention Schedules

Art. 5(1)(e), Art. 17

Set clear retention periods for each data category — client files, financial records, HR data. Implement automated deletion or anonymisation when retention periods expire.

30

Apply Data Minimisation Principles

Art. 5(1)(c)

Collect only the personal data strictly necessary for each purpose. Review intake forms, data collection practices, and legacy databases. Purge unnecessary data regularly.

0%compliant
Needs Work0 / 30 items checked

Unlock Your Compliance Score

Enter your email to reveal your compliance score and get a personalised report.

No spam. Unsubscribe anytime. We respect your privacy.

Frequently Asked Questions

Does GDPR apply to my online store?
If you sell to customers in the EU or UK, or track visitors from those regions, GDPR (and UK GDPR) applies regardless of where your business is based. Turnover and company size do not exempt you, though some obligations scale with risk and headcount.
How long does GDPR compliance take for a small eCommerce business?
Most small stores can complete the core work — lawful bases, privacy notice, consent banner, processor agreements, and a basic record of processing — in two to four weeks. Ongoing duties like DSAR handling and retention reviews then become routine operations.
What are the first steps to GDPR compliance?
Start by mapping the personal data you collect and where it flows, then establish a lawful basis for each processing activity, publish an accurate privacy notice, and implement compliant cookie consent. This checklist walks through all six domains in order.
What happens if my store is not GDPR compliant?
Regulators can fine up to €20 million or 4% of global annual turnover, whichever is higher. In practice, small businesses more often face orders to change processing, complaint-driven investigations, and reputational damage — all avoidable with basic compliance hygiene.
Do I need a Data Protection Officer (DPO)?
Most small eCommerce stores do not. A DPO is mandatory only if your core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data. You must still assign responsibility for privacy internally either way.

Want to automate these checks?

PrivacyForge handles consent management, data mapping, DSAR workflows, and audit-ready reports — so you can stop checking boxes manually.

Start Free Trial — No Card Required

This checklist is for informational purposes only and does not constitute legal advice. Consult a qualified data-protection professional to ensure full compliance.