GDPR Document Compliance Checklist
Complete list of documents and processes to implement for GDPR-compliant document processing, covering consent, storage, data subject rights, and impact assessments.
Consent Management
Accessible document describing the processing purposes, legal bases, retention periods, and data subject rights.
Explicit, granular, and documented consent mechanisms for each processing purpose.
Cookie banner and detailed policy with opt-in management compliant with ePrivacy regulations.
Traceability system recording who consented, when, to what, and through which mechanism.
Data Storage and Retention
Encryption at rest (AES-256) and in transit (TLS 1.2+) for all documents containing personal data.
Table defining retention periods by document type and purpose, with automated purge procedures.
Comprehensive inventory of personal data flows, systems involved, and third-party processors.
Records of server locations and verification that any cross-border data transfers are compliant.
Data Subject Rights
Formalised process for responding to data subject access requests within the one-month deadline.
Capability to export personal data in a structured, commonly used, machine-readable format.
Documented process for deleting data on request, including copies and backups.
Timestamped log of all data subject rights requests with status and response timelines.
DPO and Governance
Formal designation of a Data Protection Officer, registered with the supervisory authority.
DPO contact information accessible on the website and within the privacy policy.
Ongoing training programme for the DPO and regular awareness sessions for all staff.
Data Protection Impact Assessment (DPIA)
Impact assessment for processing activities that pose a high risk to individuals' rights and freedoms.
Technical and organisational measures identified to reduce risks to an acceptable level.
Archived assessment with periodic review triggered by significant changes to the processing.
Action plan for data breaches: notify the supervisory authority within 72 hours and inform affected individuals.