Gdpr Compliance Checklist

LEGAL DISCLAIMER: This skill provides educational frameworks and general guidance only. It does not constitute legal advice and does not create an attorney-client relationship. GDPR is enforced by 30+ supervisory authorities with differing interpretations; country-specific derogations, sectoral laws (e.g., ePrivacy, German BDSG, French CNIL guidance, Italian Garante decisions) all apply. Engage a licensed privacy attorney or DPO in your lead supervisory authority's jurisdiction before relying on any output.

GDPR compliance is not a one-time project — it is an operational program. This skill structures a compliant program that survives regulator scrutiny.

Phase 1 — Intake

1.1 Organizational Context

• [ ] Company legal name, EU establishment(s), lead supervisory authority (one-stop-shop analysis)
• [ ] Controller vs. processor role for each processing activity (often both)
• [ ] EU representative appointed under Art. 27 if no EU establishment?
• [ ] DPO appointed per Art. 37 triggers? (public body, large-scale monitoring, special categories)
• [ ] Current privacy team structure, budget, and executive sponsor
• [ ] Existing certifications (ISO 27701, SOC 2 Privacy), codes of conduct

1.2 Data Inventory Scope

• [ ] Number and types of data subjects (customers, employees, visitors, minors)
• [ ] Categories of personal data processed (identifiers, financial, health, biometric, location)
• [ ] Special category data (Art. 9) processed? (race, health, biometric, political, religion)
• [ ] Criminal offense data (Art. 10) processed?
• [ ] Children's data (under 16 / local age of consent) processed?
• [ ] All business units, subsidiaries, product lines in scope

1.3 Processing Activities & Systems

• [ ] List of all processing activities (marketing, HR, product analytics, support)
• [ ] Systems of record (CRM, ERP, HRIS, product database, analytics)
• [ ] Processors and sub-processors (vendors, cloud, SaaS)