EU GDPR Compliance Calendar

GDPR deadlines are part legal history and part live operating discipline.

Use both the fixed legal milestones and the recurring workflow SLAs to keep the privacy program current.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

GDPR is mature law, but the calendar still matters. The most useful GDPR calendar combines the fixed regulatory milestones that explain the current legal state with the recurring operational deadlines that determine day-to-day compliance. That means tracking the adoption and application dates, the SCC and adequacy milestones, and the ongoing clocks for DSARs, breach notification, DPIA review, RoPA maintenance, vendor oversight, and transfer reassessment in one place.

Recommended next step

Turn EU GDPR Compliance Calendar into an operational assessment

Assessment Autopilot can turn the EU GDPR Compliance Calendar, with the planning deadlines, owners, and milestones from this page, into a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Section 2

Always-on operational deadlines

These are the deadlines that most often create enforcement pain because they are measured in hours or weeks, not years.

Treat them as service levels with owners, escalation, and evidence outputs.

  • DSARs: respond without undue delay and in any event within one month, with a documented basis for any two-month extension.
  • Breach notification: notify the supervisory authority within 72 hours of awareness unless the breach is unlikely to result in a risk to rights and freedoms.
  • Processor breach escalation: processors must notify the controller without undue delay after becoming aware.
  • Article 34 communications: where high risk exists, communicate to affected individuals without undue delay unless a legal exception applies.

Section 3

Monthly and quarterly governance cadence

GDPR failures often come from drift rather than from one missed incident. Governance cadence prevents that drift.

Build these recurring checks into the privacy operating calendar.

  • Monthly transfer and vendor change review for new destinations, sub-processors, and cloud-region changes.
  • Monthly notice and lawful-basis review for new product flows, cookies, analytics, and marketing changes.
  • Quarterly RoPA refresh for changed purposes, recipients, retention, security measures, and transfer mechanisms.
  • Quarterly DPIA screening for new or materially changed high-risk processing and automation use cases.
  • Quarterly DSAR and breach tabletop exercises in at least one live business area.

Section 4

Annual checkpoints that catch stale evidence

A privacy program without annual evidence refresh turns into archive theater.

Use annual checkpoints to remove outdated transfer, vendor, and retention assumptions.

  • Annual transfer review for high-risk routes, including TIAs, adequacy reliance, and supplementary measures where relevant.
  • Annual vendor review of Article 28 clauses, sub-processor lists, incident obligations, and security evidence.
  • Annual policy and notice version cleanup so old wording does not survive in live channels.
  • Annual training and escalation-path refresh for privacy, security, support, and procurement teams.