GDPR Readiness Checklist

A practical GDPR compliance checklist for technology companies, updated for 2026. Use it as a self-assessment to find gaps in your privacy program. Items cite the underlying GDPR article where one applies.

This is not a substitute for actual compliance work or legal advice, but it does cover the items companies most often miss or get wrong.

Documentation foundation

Records of Processing Activities (Article 30). A documented inventory of every processing activity covering purposes, categories of data and data subjects, recipients, international transfers, retention periods, and security measures. The Article 30(5) exemption for organizations with fewer than 250 employees is narrow (it falls away where processing is not occasional or involves special category data), so most technology companies need this.

Privacy notice for customers and website visitors (Articles 13 and 14). Contains every disclosure those articles require, including controller identity, purposes and lawful bases, recipients, retention periods, international transfers, and data subject rights. Reviewed and updated whenever processing changes.

Privacy notice for employees and job applicants. An internal-facing notice covering employment-related processing (recruitment, HR administration, any workplace monitoring).

Internal data protection policy. A documented internal policy on how staff handle personal data, with evidence that it is communicated and followed.

Data Protection Impact Assessment register (Article 35). Documented DPIAs for processing likely to result in high risk, each with a review schedule and, where residual risk remains high, a record of prior consultation with the supervisory authority (Article 36).

Subprocessor and vendor list. A current list of all processors and subprocessors that handle personal data, each covered by a data processing agreement (Article 28). If you are a processor, the list is available to your controllers and they are notified of changes so they can object (Article 28(2)).

Cookie and consent register. Documentation of how consent is captured for cookies and other non-essential processing, with an audit trail sufficient to demonstrate that consent was given (Article 7(1)).

Lawful basis

Documented lawful basis for each processing activity. One of the Article 6 bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) identified and recorded for each activity, ideally in the Article 30 record.

Article 9 conditions documented where special category data is processed (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health, sex life or sexual orientation). An Article 9(2) condition is needed in addition to an Article 6 basis.

Legitimate interest assessments completed and documented wherever legitimate interests is the lawful basis, covering the purpose test, the necessity test, and the balancing test against the data subject's interests.

Consent management for processing that relies on consent (Article 7). Granular consent capture, withdrawal as easy as giving consent, and an audit trail of what each person consented to, when, and how.

Data subject rights

Documented process for handling Data Subject Access Requests (Article 15) within the one-month timeline, including the conditions under which it can be extended by up to two further months for complex or numerous requests (Article 12(3)).

Documented process for handling erasure requests (Article 17), including propagation to processors and backups, notification of recipients (Article 19), and the grounds on which a request can be refused (Article 17(3)).

Documented process for handling rectification (Article 16), restriction (Article 18), portability (Article 20), and objection (Article 21) requests.

Documented process for requests concerning solely automated decision-making and profiling (Article 22), including how human review of a decision is provided.

Identity verification for data subjects that is proportionate: strong enough to resist requests made by impostors, but not demanding more identification than is needed (Article 12(6)).

Training for any staff who may receive a rights request, so that requests arriving through support, sales, or social channels are recognized and routed before the deadline clock runs out.

International transfers

Inventory of all personal data transfers outside the EEA, including transfers to subprocessors and remote access by support staff located in third countries.

Transfer mechanism documented for each transfer: an adequacy decision (Article 45), Standard Contractual Clauses or Binding Corporate Rules (Article 46), or, for occasional transfers only, a specific derogation under Article 49.

Transfer Impact Assessments conducted for transfers to countries without an adequacy decision, as required since the Schrems II judgment (C-311/18, 2020), with supplementary measures documented where the assessment calls for them.

EU-US Data Privacy Framework relied on for US transfers where the US recipient is certified; if you are a US entity receiving EEA data, consider certifying. Check each vendor's certification status rather than assuming it.

Standard Contractual Clauses updated to the June 2021 set (Commission Implementing Decision (EU) 2021/914) in every contract; the earlier sets have not been valid since 27 December 2022.

Security and breach

Technical and organizational security measures appropriate to the risk (Article 32), including encryption in transit and at rest, pseudonymization where practical, role-based access controls, logging and monitoring, tested backup and recovery, and a regular process for testing and evaluating the effectiveness of those measures.

Breach response procedure documented, including the capability to notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and to notify affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34).

Breach register maintained for every personal data breach, including those assessed as not requiring notification, recording the facts, effects, and remedial action taken (Article 33(5)).

Incident response testing and training, including tabletop exercises that rehearse the 72-hour notification decision.

Cyber insurance coverage with privacy-specific coverage.

DPO and governance

DPO appointment if required under Article 37 (public authority, or core activities involving regular and systematic large-scale monitoring, or large-scale special category processing). Contact details notified to the relevant supervisory authority (Article 37(7)).

DPO contact details published in the privacy notice and on the website (Article 37(7)).

DPO involvement in privacy-relevant decisions documented, showing the DPO was involved properly and in a timely manner (Article 38(1)).

Privacy by design and by default (Article 25) built into product development: data minimization, default settings that limit processing, and a privacy review gate before launch.

Senior leadership accountability, with periodic reporting on privacy posture to leadership (the Article 5(2) accountability principle).

Specific to 2026

EU AI Act analysis. Inventory of AI systems and classification under the AI Act risk categories (prohibited, high-risk, transparency-only, minimal). High-risk system readiness for the August 2, 2026 application date, from which most high-risk obligations apply.

GPAI compliance if you provide general-purpose AI models. Article 53 obligations including technical documentation, information for downstream providers, a copyright compliance policy, and a public summary of training content.

NIS2 compliance analysis if you are an essential or important entity under NIS2, including its separate incident timelines (24-hour early warning, 72-hour incident notification, final report within one month), which run alongside the GDPR breach clock.

DORA compliance if you are a financial entity or an ICT third-party service provider to financial entities, including ICT incident reporting and third-party risk requirements.

US state law coverage, including the CCPA/CPRA regulations on automated decision-making technology (ADMT), risk assessments, and cybersecurity audits that took effect in January 2026 with phased compliance dates, plus the new Indiana, Kentucky, and Rhode Island comprehensive privacy laws, also effective January 2026.

Self-assessment scoring

Count the items above (37 in total) where you can confidently say "yes, we have this documented and operational":

  • 25 or more: Mature privacy program. Likely defensible in a regulator inquiry.

  • 18 to 24: Solid foundation with gaps. Most growing tech companies fall here. Priority remediation needed.

  • 10 to 17: Early-stage program with material gaps. Investor due diligence may flag issues. Begin remediation now.

  • Fewer than 10: Significant compliance exposure. If GDPR applies to you and enforcement action is taken, the matter is unlikely to resolve favorably.

How Engage Compliance helps

This checklist is the starting point. Real GDPR readiness work involves:

Privacy audit to confirm the actual state against the documented state.

Documentation development or update where gaps exist.

Operational process design and training.

Vendor coordination for DPAs and transfer mechanisms.

DPO appointment if required.

Specific 2026 work for AI Act, NIS2, DORA, and US state laws.

We deliver this as fractional DPO services for technology companies at 500 to 5,000 EUR per month depending on tier.

Get started

If you want a focused privacy audit and roadmap for your company specifically, book a consultation.