A practical GDPR compliance checklist for technology companies, updated for 2026. Use it as a self-assessment to identify gaps in your privacy program. Items reference the underlying GDPR article where one applies.

This is not a substitute for actual compliance work or legal advice, but it does cover the items most companies miss or get wrong.

Key takeaways

  • This is a practical GDPR self-assessment checklist for technology companies, updated for 2026, covering the items most companies miss or get wrong.
  • It spans the documentation foundation, lawful basis, data subject rights, international transfers, security and breach, DPO and governance, and 2026-specific items.
  • DPO appointment is required under Article 37 where applicable, and once appointed must be notified to the relevant supervisory authority.
  • Score 25 or more documented and operational items and you have a mature program likely defensible in a regulator inquiry; fewer than 10 signals significant exposure.
  • We deliver real readiness work as outsourced DPO services for technology companies, from €500 to €5,000 per month depending on tier.

Documentation foundation

Records of Processing Activities (Article 30). Documented inventory of all processing activities covering purposes, categories of data and data subjects, recipients, transfers, retention, and security measures. Required for most companies: the Article 30(5) exemption for organisations under 250 employees applies only where processing is occasional, unlikely to result in a risk to data subjects, and involves no special category or criminal conviction data, which rules out most technology companies.

Privacy notice for customers and website visitors (Articles 13 and 14). Covers the required disclosures: controller identity and contact details, DPO contact details where applicable, purposes and lawful basis for each processing activity (including the legitimate interest relied on), recipients, international transfers and the safeguards used, retention periods, data subject rights, the right to withdraw consent, the right to lodge a complaint with a supervisory authority, the source of the data where it was not collected from the data subject, and any automated decision-making. Updated when processing changes.

Privacy notice for employees and job applicants. Internal-facing privacy notice covering employment-related processing.

Internal data protection policy. Documented internal policy on personal data handling.

Data Protection Impact Assessment register (Article 35). Documented DPIAs for high-risk processing activities, with review schedule, and a record of prior consultation with the supervisory authority (Article 36) where a DPIA leaves residual high risk.

Subprocessor and vendor list. Current list of all processors and subprocessors handling personal data. If you are a processor, the list must be made available to your controllers so they can object to changes (Article 28(2)); publishing it is the usual way to do this.

Cookie and consent register. Documentation of consent capture for cookies and non-essential processing, with audit trail.

Lawful basis

Documented lawful basis for each processing activity. Article 6 lawful basis (consent, contract, legitimate interest, legal obligation, vital interests, public task) identified and documented for each.

Article 9 conditions documented where special category data is processed (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health, sex life or sexual orientation).

Legitimate interest assessments (the three-part purpose, necessity, and balancing test) completed and documented where legitimate interest is the lawful basis.

Consent management for processing requiring consent. Granular consent capture, easy withdrawal, audit trail of consent.

Data subject rights

Documented process for handling Data Subject Access Requests (Article 15) within the 1-month timeline, extendable by two further months for complex or numerous requests provided the data subject is told of the extension within the first month (Article 12(3)).

Documented process for handling deletion requests (right to erasure under Article 17).

Documented process for handling rectification (Article 16), restriction (Article 18), portability (Article 20), and objection (Article 21) requests.

Documented process for handling objections to, and requests for human review of, decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, under Article 22.

Verification process for data subject identity that is proportionate (not over-verifying).

Internal training for staff who may receive rights requests.

International transfers

Inventory of all personal data transfers outside the EEA.

Transfer mechanism documented for each transfer: adequacy decision (Article 45), Standard Contractual Clauses (Article 46), Binding Corporate Rules (Article 47), or a specific derogation under Article 49.

Transfer Impact Assessments conducted for transfers to countries without an adequacy decision, as required since the CJEU's Schrems II judgment.

Reliance on the EU-US Data Privacy Framework considered for transfers to certified US recipients where applicable. The US recipient self-certifies; the exporter verifies the certification on the DPF list before relying on it.

Standard Contractual Clauses updated to the 2021 version (Commission Implementing Decision (EU) 2021/914). The pre-2021 clauses ceased to be valid for existing contracts on 27 December 2022.

Security and breach

Technical and organizational security measures appropriate to the risk (Article 32), including encryption in transit and at rest, access controls, logging and monitoring, backup and recovery. Article 32 explicitly names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, the ability to restore availability after an incident, and regular testing of the measures' effectiveness, so keep evidence of that testing.

Breach response procedure documented, including the capability to notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and to communicate with affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34).

Breach register maintained including breaches not requiring notification, recording the facts, effects, and remedial action for each (Article 33(5)).

Incident response testing and training.

Cyber insurance coverage with privacy-specific coverage.

DPO and governance

DPO appointment if required under Article 37. Contact details communicated to the relevant supervisory authority (Article 37(7)).

DPO contact details published in privacy notice and on website.

DPO involvement in privacy-relevant decisions documented.

Privacy by design and by default (Article 25) built into product development: data minimisation, default settings that limit processing to what is necessary, and a privacy review step in the development lifecycle with evidence that it was carried out.

Senior leadership accountability and reporting on privacy posture.

Specific to 2026

EU AI Act analysis. AI system inventory and classification under the AI Act risk categories. High-risk system readiness for the EU AI Act deadline (2 August 2026 under current law; revised under the Digital Omnibus provisional agreement to 2 December 2027 for stand-alone systems and 2 August 2028 for embedded systems, pending formal adoption).

GPAI compliance if you provide General Purpose AI models. Article 53 obligations: technical documentation, information for downstream providers, a copyright compliance policy, and a public summary of training content.

NIS2 compliance analysis if you are an essential or important entity under NIS2.

DORA compliance if you are a financial entity or ICT provider to financial entities.

US state law coverage including CCPA/CPRA ADMT and cybersecurity audit requirements applicable January 2026, plus the new Indiana, Kentucky, and Rhode Island laws also effective January 2026.

Self-assessment scoring

Count items where you can confidently say “yes, we have this documented and operational”:

  • 25 or more: Mature privacy program. Likely defensible in a regulator inquiry.
  • 18 to 24: Solid foundation with gaps. Most growing tech companies fall here. Priority remediation needed.
  • 10 to 17: Early-stage program with material gaps. Investor due diligence may flag issues. Begin remediation now.
  • Less than 10: Significant compliance exposure. If GDPR applies to you and you face enforcement, the matter is unlikely to resolve favorably.

How Engage Compliance helps

This checklist is the starting point. Real GDPR readiness work involves:

  • Privacy audit to confirm actual state vs documented state.
  • Documentation development or update where gaps exist.
  • Operational process design and training.
  • Vendor coordination for DPAs and transfer mechanisms.
  • DPO appointment if required.
  • Specific 2026 work for AI Act, NIS2, DORA, and US state laws.

We deliver this as outsourced DPO services for technology companies from €500 to €5,000 per month depending on tier.

Get started

If you want a focused privacy audit and roadmap for your company specifically, book a consultation.

This page is general information, not legal advice.

Frequently asked questions

How do I use this checklist?

As a self-assessment. Count the items you can confidently say are documented and operational. 25 or more indicates a mature program likely defensible in a regulator inquiry, 18 to 24 is a solid foundation with gaps, 10 to 17 is an early-stage program with material gaps, and fewer than 10 signals significant exposure.

When is a DPO required, and what happens once one is appointed?

DPO appointment is required under GDPR Article 37 in specific circumstances (public authorities, and controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special category or criminal conviction data). Once appointed, the DPO's contact details must be communicated to the relevant supervisory authority and published in your privacy notice and on your website (Article 37(7)).

What documentation is the minimum foundation?

Records of Processing Activities under Article 30, compliant privacy notices under Articles 13 and 14, documented lawful basis for each processing activity, data subject rights processes, and a breach response procedure with 72-hour supervisory authority notification capability under Article 33.

What are the 2026-specific items?

AI system inventory and classification under the EU AI Act, GPAI obligations if you provide General Purpose AI models, NIS2 and DORA analysis where applicable, and US state law coverage including CCPA/CPRA ADMT and cybersecurity audit requirements plus the new Indiana, Kentucky, and Rhode Island laws effective January 2026.

What does real readiness work cost?

We deliver readiness work as outsourced DPO services for technology companies from €500 to €5,000 per month depending on tier.