EU GDPR Checklist

A checklist designed for execution: owners, evidence, acceptance criteria.

Use it to build a compliance program that is provable under pressure.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

GDPR is not a policy exercise. It is a set of controls, registers, and timed workflows that need to survive product change, vendor change, transfer change, and incident pressure. This checklist is strongest when used as a program backbone: scope and role mapping, lawful-basis control, rights workflows, RoPA upkeep, DPIA governance, breach readiness, vendor clauses, transfer packs, and a single evidence index.

Section 1

1) Scope, roles, and inventory (foundation)

Goal: a defensible applicability decision and a processing inventory baseline.

If you cannot explain scope, everything else becomes inconsistent.

  • Articles 2-3 applicability memo (material + territorial scope) with facts and evidence.
  • Role mapping per activity: controller vs processor vs joint controller (owners and obligations).
  • Processing inventory: systems, data categories, purposes, recipients, and retention (baseline).

Section 3

3) DSAR workflow (Articles 12-22) - operationalize requests

Goal: DSAR handling is measurable, consistent, and explainable across systems and vendors.

DSAR failures are usually process failures: intake, identity checks, search scope, and deadline tracking.

  • DSAR intake channels and identity verification rules with abuse protections.
  • Search playbook: systems to search, log formats, and response format standards.
  • SLA tracking: one month from receipt (Article 12(3)), extension criteria for the two further months permitted where necessary, the requester informed of any extension within the first month, and notification templates.
  • Evidence: request logs, decisions, response packages, and escalation approvals.

Section 4

4) DPIA and risk management (Articles 35-36) - high-risk governance

Goal: identify high-risk processing early and control it with documented assessments.

DPIAs must be usable by engineering teams: controls, mitigations, and residual risk decisions.

  • DPIA triggers and screening checklist; DPIA template and review workflow.
  • Mitigation tracking linked to product backlog (privacy by design controls).
  • Where residual risk stays high after mitigation: Article 36 prior consultation artifacts and decision records.
  • Evidence: DPIA register, approvals, and residual risk sign-offs.

Section 5

5) Security of processing + breach response (Articles 32-34)

Goal: security controls are mapped to personal data processing risks and are testable.

Breach response must be executable: a recorded awareness timestamp that starts the 72-hour clock, the Article 33 and Article 34 risk tests, and ready notification templates.

  • Security controls mapped to data and threats (access control, encryption, logging, monitoring).
  • Breach workflow: classification, awareness timestamp, Article 33 risk test (is a risk to individuals likely? if so, notify the supervisory authority within 72 hours of awareness, with reasons for any delay), Article 34 high-risk test (is a high risk likely? if so, communicate to affected data subjects without undue delay). Document every breach internally regardless of the outcome (Article 33(5)).
  • Evidence pack: incident timeline, logs, decisions, communications, and remediation.
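The two timed workflows in this checklist, the DSAR clock in section 3 and the 72-hour breach clock in this section, usually fail on arithmetic rather than on law: a request received on 31 January does not have a deadline of 31 February, and a breach discovered at 09:00 UTC is not "day three" at midnight. The following Python is an added example written for this page, not code from the checklist or from Sorena. It assumes timestamps are recorded in UTC, that a period expressed in months ends on the same calendar day of the final month, clamped to that month's last day when the day does not exist (the convention of Regulation (EEC, Euratom) No 1182/71; confirm with counsel), and it deliberately does not model weekend or public-holiday roll-forward or the Article 34(3) exceptions. The receipt and awareness dates in the demo are constructed.

```python
"""Deadline arithmetic for two GDPR clocks.

Added example for this checklist, not code from the page or from Sorena.
Legal anchors:
  - Article 12(3): respond to a data subject request within one month of
    receipt; extendable by two further months where necessary, and the data
    subject must be informed of the extension within the first month.
  - Article 33(1): notify the supervisory authority without undue delay and,
    where feasible, not later than 72 hours after becoming aware of the breach;
    a late notification must carry the reasons for the delay.
  - Article 33(5): document every breach, whether or not it is notified.
  - Article 34(1): communicate to affected data subjects when the breach is
    likely to result in a high risk.
Assumptions (verify with counsel): month-periods end on the same calendar day
of the final month, clamped to that month's last day when the day does not
exist (the convention of Regulation (EEC, Euratom) No 1182/71); weekend and
holiday roll-forward and the Article 34(3) exceptions are not modelled; all
timestamps are stored in UTC.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; evidence logs should never be naive."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_months(start: datetime, months: int) -> datetime:
    """Add calendar months, clamping to month end (31 Jan + 1 month -> 28/29 Feb)."""
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class DsarDeadlines:
    received: datetime
    respond_by: datetime           # one month from receipt (Article 12(3))
    extension_notice_by: datetime  # latest date to tell the requester of an extension
    extended_respond_by: datetime  # one month plus two further months


def dsar_deadlines(received: datetime) -> DsarDeadlines:
    """Compute the Article 12(3) clock from the receipt timestamp."""
    one_month = add_months(received, 1)
    return DsarDeadlines(
        received=received,
        respond_by=one_month,
        extension_notice_by=one_month,
        extended_respond_by=add_months(received, 3),
    )


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """72-hour clock from the recorded awareness timestamp (Article 33(1))."""
    return aware_at + timedelta(hours=72)


def breach_plan(aware_at: datetime, now: datetime,
                likely_risk: bool, likely_high_risk: bool) -> dict[str, object]:
    """Apply the Article 33 risk test and the Article 34 high-risk test.

    A likely high risk is also a likely risk, so the authority is notified in
    both cases; data subjects only where the high-risk test is met.
    """
    notify_authority = likely_risk or likely_high_risk
    deadline = breach_notification_deadline(aware_at)
    past_72h = now > deadline
    return {
        "authority_deadline": deadline,
        "past_72h": past_72h,
        "notify_authority": notify_authority,
        # Article 33(1): a notification after 72 hours must explain the delay.
        "reasons_for_delay_required": notify_authority and past_72h,
        "notify_data_subjects": likely_high_risk,
        # Article 33(5): the internal record is kept whether or not anyone is notified.
        "document_internally": True,
    }


if __name__ == "__main__":
    # Constructed dates: a request received on 31 Jan and a breach noticed on 1 Mar.
    d = dsar_deadlines(utc(2026, 1, 31))
    print("DSAR respond by:", d.respond_by.date(), "extended:", d.extended_respond_by.date())
    plan = breach_plan(utc(2026, 3, 1, 9), utc(2026, 3, 5), likely_risk=False, likely_high_risk=True)
    print("Breach plan:", plan)
```

Feed `dsar_deadlines` from the intake system's receipt timestamp and `breach_plan` from the incident record's awareness timestamp, and keep both outputs in the evidence pack; the month-end clamp and the `past_72h` flag are the two values an auditor will recompute by hand.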

Section 6

6) Vendor/processor contracts (Article 28) + ongoing vendor governance

Goal: vendor contracts and oversight reflect actual processing and transfer reality.

A signed DPA without operational controls is a common enforcement failure.

  • Article 28 contract clauses present and tailored to processing reality (sub-processors, audits, security).
  • Vendor inventory mapped to processing purposes, data categories, and transfer destinations.
  • Ongoing monitoring: SOC/ISO evidence, incident reporting, sub-processor change notifications.

Section 7

7) International transfers (Chapter V) - SCCs, TIA, supplementary measures

Goal: Chapter V compliance is engineered: transfer map, mechanism choice, and operational controls.

Treat SCCs as an implementation project: configuration, logging, and governance, not a legal PDF.

  • Transfer map: exporters/importers, data categories, destinations, and onward transfers.
  • Mechanism selection: adequacy vs SCCs vs other safeguards; document decisions.
  • TIA + supplementary measures playbook; evidence of implementation and monitoring.

Section 8

Evidence index (the fastest way to be audit-ready)

Goal: export evidence quickly and consistently. Aim for coherence, not volume.

  • Scope memo + role mapping + processing inventory baseline.
  • Lawful basis map + notice versions + consent logs (if applicable).
  • DSAR logs + response packages + search playbooks.
  • DPIA register + mitigations + approvals.
  • Breach playbook + incident logs + notification artifacts.
  • Vendor contracts + sub-processor list + audit evidence.
  • Transfer map + SCC packs + TIA + supplementary measures evidence.

Recommended next step

Turn EU GDPR Checklist into an operational assessment

Assessment Autopilot can turn this EU GDPR Checklist into a reusable operational workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Related guides

EU GDPR Compliance Guide | Build a Repeatable Program: Inventory, Controls, Evidence, and Operating Cadence
An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.
EU GDPR FAQ | Practical Answers: Scope, Consent, DSAR, DPIA, Breach (72h), Transfers/SCCs, Vendor Contracts
Frequently asked GDPR questions answered with practical implementation guidance: does GDPR apply (Article 3), what counts as personal data.
EU GDPR Requirements (Regulation (EU) 2016/679) | Obligations Map: Scope, Rights, Security, DPIA, Vendors, Transfers + Evidence Index
A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Article 6-7), transparency (Articles 12-14).
GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases
A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.
GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack
An execution-ready guide to GDPR breach notification built on Articles 33 and 34, the EDPB breach-notification guidelines.
GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence
A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.
GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring
A grounded GDPR compliance calendar that combines fixed legal milestones, 27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul.
GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)
A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers, run a risk assessment focused on rights/freedoms.
GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring
A practical guide to GDPR international transfers (Chapter V): how to build a transfer map, choose mechanisms (adequacy vs SCCs).
GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance
A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, when consent is appropriate vs risky.
GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence
A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.
GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs
A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts, define controller vs processor roles.
GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips
A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.
GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)
A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, legal bases versus sale/share models.
GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence
A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), cross-border processing implications.