GDPR Compliance Checklist for Businesses in 2026: The Complete Guide

GDPR fines exceeded €4 billion in 2025. Here is the definitive compliance checklist covering lawful basis, data subject rights, DPIAs, processor contracts, and breach notification.

Tags: GDPR, data protection, compliance checklist, data subject rights, DPIA, DPO

Why GDPR Compliance Matters More Than Ever in 2026

The General Data Protection Regulation turned eight years old in 2026. During that time, data protection authorities across the EU have issued fines totalling over €4 billion. The era of GDPR being treated as a box-ticking exercise is over — regulators are now conducting proactive audits, following up on complaints from individuals, and imposing substantial penalties for systemic violations.

The top five single fines issued to date: Meta (€1.2 billion), Amazon (€746 million), TikTok (€345 million), WhatsApp (€225 million), and Google (€150 million). All of these companies had large compliance teams. Smaller organisations with no formal compliance programme face risk that is just as serious relative to their size.

This checklist covers the core requirements that every organisation processing EU personal data must address.

1. Establish Lawful Basis for Every Processing Activity

Every processing activity must have a lawful basis from Article 6. The six available bases are:

  1. Consent: Freely given, specific, informed, and unambiguous indication of agreement. Must be as easy to withdraw as to give. Pre-ticked boxes are not valid consent. Consent obtained for one purpose cannot be reused for another.
  2. Contract: Processing is necessary to perform a contract with the data subject, or to take pre-contractual steps at their request.
  3. Legal obligation: Processing is necessary to comply with a legal obligation under EU or member state law.
  4. Vital interests: Necessary to protect someone's life. Narrow — rarely applicable for commercial processing.
  5. Public task: Processing by public authorities exercising official powers. Generally not available to private organisations.
  6. Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, and those interests are not overridden by the rights of the data subject. Requires a documented balancing test (Legitimate Interests Assessment).

Critical error to avoid: Relying on consent as a fallback when another basis would be more appropriate — then using the processing for purposes that consent was not sought for. Consent must always be specific to the purpose.

For special categories of data (health data, biometric data, political opinions, religious beliefs, trade union membership, sexual orientation), you need both an Article 6 basis and a separate Article 9 condition, the most common being explicit consent or necessity for employment law purposes.

2. Record of Processing Activities (Article 30)

Every controller with 250+ employees must maintain a written (including electronic) record of processing activities. Organisations with fewer than 250 employees must also maintain this record if their processing is not occasional, involves special categories of data, or could result in a risk to individuals' rights.

The record must contain:

  • Name and contact details of the controller and any DPO
  • Purposes of the processing
  • Description of categories of data subjects and personal data
  • Categories of recipients
  • Transfers to third countries and safeguards used
  • Envisaged erasure timelines
  • General description of technical and organisational security measures

This is not a one-time document. It must be kept current and updated whenever processing activities change.

3. Privacy Notices (Articles 13 and 14)

When you collect personal data directly from individuals, you must provide a privacy notice at the time of collection. When data is collected from other sources, the notice must be provided within a reasonable period (at most one month).

The notice must include: identity and contact details of the controller, DPO contact if applicable, purposes and lawful basis for processing, legitimate interests if relied upon, recipients of the data, international transfers and safeguards, retention periods, all applicable data subject rights, right to withdraw consent (if consent is the lawful basis), right to lodge a complaint with a supervisory authority, whether provision of data is a statutory or contractual requirement, and the existence of any automated decision-making including profiling.

Most privacy notices in practice fail on one or more of these requirements. Common deficiencies: vague purpose descriptions ("to improve our services"), failure to specify retention periods, omission of transfer information, and writing the notice in language the average reader cannot understand.

4. Data Subject Rights (Articles 15–22)

You must have verified processes to respond to all data subject rights requests:

  • Access (Article 15): Respond within 30 days with a copy of all data held and all Article 13/14 information. The copy is free for the first request; subsequent requests may attract a reasonable fee.
  • Rectification (Article 16): Correct inaccurate data within 30 days.
  • Erasure (Article 17): Delete data when it is no longer necessary, consent is withdrawn, or the subject objects and there are no overriding legitimate grounds. Exceptions apply for legal obligations, public health, research, and legal claims.
  • Restriction (Article 18): Suspend processing (though not delete) while accuracy is contested or objection is considered.
  • Portability (Article 20): Provide data in a machine-readable structured format for processing based on consent or contract.
  • Object (Article 21): Absolute right to object to direct marketing. Right to object to processing based on legitimate interests.
  • Automated decision-making (Article 22): Right not to be subject to solely automated decisions with legal or similarly significant effects, unless based on consent, necessity for a contract, or authorised by law with suitable safeguards.

You need a documented process — not just a policy — for receiving, verifying, and responding to each type of request within the 30-day deadline. Identity verification procedures must not be so burdensome as to effectively deny the right.

5. Data Protection Impact Assessments (Article 35)

A DPIA is mandatory when processing is likely to result in a high risk to individuals. The European Data Protection Board has identified nine criteria that indicate high risk. Two or more criteria trigger a DPIA requirement:

  1. Evaluation or scoring (profiling, credit scoring, health prediction)
  2. Automated decision-making with legal or significant effects
  3. Systematic monitoring (CCTV, employee monitoring, network surveillance)
  4. Processing of sensitive or highly personal data
  5. Processing at large scale
  6. Matching or combining datasets
  7. Processing of vulnerable data subjects (children, patients, employees)
  8. Innovative use of technology
  9. Processing that prevents individuals from exercising a right or accessing a service

A DPIA must include: a systematic description of the processing, assessment of necessity and proportionality, assessment of risks to data subjects' rights and freedoms, and measures to address risks including safeguards, security measures, and mechanisms to ensure compliance.

If the DPIA indicates a high residual risk that you cannot mitigate, you must consult your supervisory authority before processing.

6. Data Processor Agreements (Article 28)

Every relationship with a data processor — any third party that processes personal data on your behalf — must be governed by a written contract. A data processor is any provider that processes your customers' or employees' data to provide a service: cloud providers, HR systems, email platforms, analytics tools, payment processors, customer support software, and many others.

The processor contract must include:

  • Processing only on documented instructions from the controller
  • Confidentiality obligations on authorised persons
  • Implementing appropriate security measures (Article 32)
  • Not engaging sub-processors without prior written consent
  • Assisting the controller with data subject rights requests
  • Assisting with security, breach notification, DPIAs, and prior consultation
  • Deletion or return of all data at the end of the relationship
  • Providing all information necessary to demonstrate compliance
  • Allowing and contributing to audits by the controller

Many organisations have dozens of processor relationships — cloud infrastructure, marketing tools, analytics platforms — without proper contracts. This is a common finding in regulatory investigations.

7. International Data Transfers (Chapter V)

Transferring personal data to countries outside the EU/EEA (and UK, for UK GDPR) requires a safeguard mechanism. Following the Schrems II decision in 2020, organisations can no longer rely on the Privacy Shield for US transfers — though the EU-US Data Privacy Framework adopted in 2023 provides a new adequacy decision for certified US organisations.

Available transfer mechanisms:

  • Adequacy decision: The EU has recognised over 15 countries as providing adequate protection, including the UK, Canada, Japan, and now the US (for DPF-certified organisations)
  • Standard Contractual Clauses: Updated SCCs from June 2021 are the most commonly used mechanism
  • Binding Corporate Rules: For intragroup transfers within multinationals
  • Derogations: Explicit consent, performance of a contract, vital interests, public interest, legal claims — all narrow and not appropriate for routine transfers

When using SCCs for transfers to countries with problematic government access to data (most notably the US for non-DPF transfers), a Transfer Impact Assessment is recommended to document that the SCCs provide effective protection.

8. Data Breach Notification (Articles 33–34)

When a personal data breach occurs:

  • Notify your supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The 72-hour clock starts when you become aware, not when the breach occurred — but you are expected to investigate promptly.
  • If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals without undue delay, in clear language.

You must maintain a record of all breaches, including those not notified to the authority, documenting the facts of each breach, its effects, and the remedial action taken. This log is subject to regulatory review.

Common notification failures: waiting until the full investigation is complete before notifying (you should notify within 72 hours even with incomplete information, followed by further notifications as facts emerge), and failing to notify individuals when the threshold is met.

9. Data Protection Officer (Articles 37–39)

A DPO is mandatory if you are a public authority, if your core activities require large-scale systematic monitoring of individuals, or if your core activities involve large-scale processing of special categories of data. Even if not mandatory, appointing a DPO is good practice and demonstrates accountability.

The DPO must have professional knowledge of data protection law, must report to the highest management level, must not receive instructions on how to perform their tasks, and must not be penalised or dismissed for performing them. They can be an employee or an external consultant. Their contact details must be published and communicated to supervisory authorities.

10. Keeping Records of Compliance

GDPR's accountability principle (Article 5(2)) requires you to be able to demonstrate compliance. This means maintaining documented evidence of: your legal basis for each processing activity, your consent collection processes, your privacy notice content and update history, your DPIA outcomes, your processor agreements, your breach log, and your data subject request log.

GeraCompliance automates this documentation — generating and maintaining the evidence files that demonstrate your GDPR compliance programme, including automatic updates when regulatory guidance changes.