Instant downloadAuditor-writtenSecure Stripe checkout
GDPR Requirements Checklist: Best 2026 Guide — ISO Toolkits

GDPR Requirements Checklist: Best 2026 Guide

This GDPR requirements checklist gives you a structured, practical way to assess how your organisation measures up against the EU General Data Protection Regulation (EU Regulation 2016/679), which has applied across the EU since 25 May 2018. Whether you are a controller or a processor, working through the checklist below helps you turn abstract legal duties into concrete, auditable actions.

The GDPR applies to organisations that process the personal data of individuals in the EU, regardless of where the organisation itself is based. Meeting its obligations is not a one-off project but an ongoing programme of governance, documentation and continuous improvement.

This article is general guidance only and is not legal advice.

Your GDPR requirements checklist at a glance

Use this GDPR requirements checklist as a working map of the main obligations. Each row summarises what the Regulation expects and what evidence typically demonstrates that you meet it.

AreaWhat the GDPR expectsTypical evidence
Lawful basisIdentify a valid lawful basis for every processing activityProcessing register, basis mapping
TransparencyProvide clear privacy information to data subjectsPrivacy notices, layered notices
Data subject rightsEnable individuals to exercise their rightsRequest procedure, response logs
Records of processingMaintain records of processing activitiesROPA document
SecurityApply appropriate technical and organisational measuresRisk assessments, access controls, encryption
Breach responseNotify the supervisory authority within 72 hours where requiredBreach log, notification templates
DPIAsAssess high-risk processing before it beginsCompleted DPIAs
DPOAppoint a Data Protection Officer where requiredAppointment record, contact details
AccountabilityDemonstrate compliance across the programmePolicies, training, audit trail

Establish your lawful basis and core principles

Every processing activity must rest on one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Choose the basis before you process, document it, and do not switch bases casually afterwards.

Beyond a lawful basis, your processing must honour the core data protection principles:

  • Lawfulness, fairness and transparency — process data in ways people would reasonably expect.
  • Purpose limitation — collect data for specified, explicit purposes.
  • Data minimisation — collect only what you genuinely need.
  • Accuracy — keep personal data correct and up to date.
  • Storage limitation — retain data no longer than necessary.
  • Integrity and confidentiality — protect data with appropriate security.
  • Accountability — be able to demonstrate all of the above.

Special category and children’s data

If you process special category data (such as health, biometric or religious data) or children’s data, you generally need additional safeguards and, in many cases, a stronger justification. Flag these processing activities early in your checklist review.

Support data subject rights

The GDPR grants individuals a suite of rights, and your organisation must be able to respond to each within the timeframes the Regulation sets. Build a repeatable request-handling procedure rather than improvising each time.

  • Access — provide a copy of the personal data you hold.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — the “right to be forgotten,” where applicable.
  • Restriction — pause processing in certain circumstances.
  • Portability — supply data in a structured, machine-readable format.
  • Objection — allow individuals to object to certain processing.
  • Automated decisions — provide safeguards around solely automated decision-making and profiling.

Documentation, DPIAs and governance roles

Accountability is the principle that ties the GDPR requirements checklist together. You must not only comply but be able to show it. Maintain records of processing activities describing what data you hold, why, and how it flows.

Where a type of processing is likely to result in a high risk to individuals, carry out a Data Protection Impact Assessment (DPIA) before you begin, and document the mitigations you apply. Appoint a Data Protection Officer (DPO) where the Regulation requires one, for example where you carry out large-scale monitoring or process special category data at scale.

Controller and processor obligations

Clarify whether you act as a controller, a processor, or both, because your duties differ. Controllers determine the purposes and means of processing; processors act on the controller’s documented instructions. Put a written data processing agreement in place between the two.

Breach response and enforcement

Prepare for personal data breaches in advance. Where a breach is likely to result in a risk to individuals, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. High-risk breaches may also require notifying the affected individuals.

The stakes are significant: the most serious infringements can attract fines of up to 20 million euro, or 4% of total worldwide annual turnover, whichever is higher. Treat your breach log and notification templates as essential parts of the checklist. For the consolidated legal text, see the official GDPR text and recitals.

Frequently asked questions

Who does the GDPR requirements checklist apply to?

It applies to any organisation acting as a controller or processor of personal data relating to individuals in the EU, including organisations outside the EU that offer goods or services to, or monitor, EU individuals.

How often should I review this checklist?

Treat it as a living document. Review it at least annually and whenever you launch a new product, adopt a new technology, change vendors, or experience a significant organisational change.

Do small businesses need to comply?

Yes. The GDPR applies regardless of size. Some record-keeping obligations are lighter for smaller organisations in limited circumstances, but the core principles and data subject rights still apply.

Is a DPO always mandatory?

No. A DPO is required only in specific situations, such as large-scale systematic monitoring or large-scale processing of special category data, though many organisations appoint one voluntarily.

GDPR requirements checklist toolkit templates
The editable GDPR Toolkit — policies, registers, DPIA and breach templates.

Related guides

Ready to turn this checklist into working documents? Our editable GDPR (EU Regulation 2016/679) toolkit gives you ready-to-tailor policies, registers, DPIA templates and breach procedures so you can move from assessment to evidence quickly.

Shopping Cart