This GDPR requirements checklist gives you a structured, practical way to assess how your organisation measures up against the EU General Data Protection Regulation (EU Regulation 2016/679), which has applied across the EU since 25 May 2018. Whether you are a controller or a processor, working through the checklist below helps you turn abstract legal duties into concrete, auditable actions.
The GDPR applies to organisations that process the personal data of individuals in the EU, regardless of where the organisation itself is based. Meeting its obligations is not a one-off project but an ongoing programme of governance, documentation and continuous improvement.
This article is general guidance only and is not legal advice.
Your GDPR requirements checklist at a glance
Use this GDPR requirements checklist as a working map of the main obligations. Each row summarises what the Regulation expects and what evidence typically demonstrates that you meet it.
| Area | What the GDPR expects | Typical evidence |
|---|---|---|
| Lawful basis | Identify a valid lawful basis for every processing activity | Processing register, basis mapping |
| Transparency | Provide clear privacy information to data subjects | Privacy notices, layered notices |
| Data subject rights | Enable individuals to exercise their rights | Request procedure, response logs |
| Records of processing | Maintain records of processing activities | ROPA document |
| Security | Apply appropriate technical and organisational measures | Risk assessments, access controls, encryption |
| Breach response | Notify the supervisory authority within 72 hours where required | Breach log, notification templates |
| DPIAs | Assess high-risk processing before it begins | Completed DPIAs |
| DPO | Appoint a Data Protection Officer where required | Appointment record, contact details |
| Accountability | Demonstrate compliance across the programme | Policies, training, audit trail |
Establish your lawful basis and core principles
Every processing activity must rest on one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Choose the basis before you process, document it, and do not switch bases casually afterwards.
Beyond a lawful basis, your processing must honour the core data protection principles:
- Lawfulness, fairness and transparency — process data in ways people would reasonably expect.
- Purpose limitation — collect data for specified, explicit purposes.
- Data minimisation — collect only what you genuinely need.
- Accuracy — keep personal data correct and up to date.
- Storage limitation — retain data no longer than necessary.
- Integrity and confidentiality — protect data with appropriate security.
- Accountability — be able to demonstrate all of the above.
Special category and children’s data
If you process special category data (such as health, biometric or religious data) or children’s data, you generally need additional safeguards and, in many cases, a stronger justification. Flag these processing activities early in your checklist review.
Support data subject rights
The GDPR grants individuals a suite of rights, and your organisation must be able to respond to each within the timeframes the Regulation sets. Build a repeatable request-handling procedure rather than improvising each time.
- Access — provide a copy of the personal data you hold.
- Rectification — correct inaccurate or incomplete data.
- Erasure — the “right to be forgotten,” where applicable.
- Restriction — pause processing in certain circumstances.
- Portability — supply data in a structured, machine-readable format.
- Objection — allow individuals to object to certain processing.
- Automated decisions — provide safeguards around solely automated decision-making and profiling.
Documentation, DPIAs and governance roles
Accountability is the principle that ties the GDPR requirements checklist together. You must not only comply but be able to show it. Maintain records of processing activities describing what data you hold, why, and how it flows.
Where a type of processing is likely to result in a high risk to individuals, carry out a Data Protection Impact Assessment (DPIA) before you begin, and document the mitigations you apply. Appoint a Data Protection Officer (DPO) where the Regulation requires one, for example where you carry out large-scale monitoring or process special category data at scale.
Controller and processor obligations
Clarify whether you act as a controller, a processor, or both, because your duties differ. Controllers determine the purposes and means of processing; processors act on the controller’s documented instructions. Put a written data processing agreement in place between the two.
Breach response and enforcement
Prepare for personal data breaches in advance. Where a breach is likely to result in a risk to individuals, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. High-risk breaches may also require notifying the affected individuals.
The stakes are significant: the most serious infringements can attract fines of up to 20 million euro, or 4% of total worldwide annual turnover, whichever is higher. Treat your breach log and notification templates as essential parts of the checklist. For the consolidated legal text, see the official GDPR text and recitals.
Frequently asked questions
Who does the GDPR requirements checklist apply to?
It applies to any organisation acting as a controller or processor of personal data relating to individuals in the EU, including organisations outside the EU that offer goods or services to, or monitor, EU individuals.
How often should I review this checklist?
Treat it as a living document. Review it at least annually and whenever you launch a new product, adopt a new technology, change vendors, or experience a significant organisational change.
Do small businesses need to comply?
Yes. The GDPR applies regardless of size. Some record-keeping obligations are lighter for smaller organisations in limited circumstances, but the core principles and data subject rights still apply.
Is a DPO always mandatory?
No. A DPO is required only in specific situations, such as large-scale systematic monitoring or large-scale processing of special category data, though many organisations appoint one voluntarily.

Related guides
- Complete GDPR compliance guide for controllers and processors
- Understanding GDPR data subject rights and how to handle requests
- GDPR vs CCPA: key differences in EU and California privacy law
Ready to turn this checklist into working documents? Our editable GDPR (EU Regulation 2016/679) toolkit gives you ready-to-tailor policies, registers, DPIA templates and breach procedures so you can move from assessment to evidence quickly.

