Checklist · Updated 2026
GDPR Compliance Checklist
Quick answer
To comply with GDPR, work through ten steps: map your personal data (RoPA), establish a lawful basis, publish a privacy notice, build a data-subject-rights process, fix consent, sign processor contracts (DPAs), run DPIAs for high-risk processing, implement security measures, prepare 72-hour breach response, and assign accountability with an annual review.
The 10-step GDPR compliance checklist
1. Map your personal data
Build a Record of Processing Activities (RoPA, Article 30): list every category of personal data you hold, why you process it, where it is stored, who you share it with (including recipients outside the EU/EEA), and how long you keep it.
2. Establish a lawful basis
For each processing activity, document one of the six lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interests). For special-category data, identify an Article 9 condition as well. If you rely on legitimate interests, record the balancing test you carried out.
3. Update your privacy notice
Publish a clear, plain-language privacy notice (Articles 13–14) covering who you are, what data you collect, your lawful basis, retention periods, recipients, international transfers, and how people exercise their rights.
4. Build a data-subject-rights process
Create a workflow to handle access, rectification, erasure, restriction, portability, and objection requests within one month (Articles 12 and 15–22), with identity verification and an audit trail. Decide in advance which systems hold the data so a request does not turn into a search of every database.
5. Fix consent where you rely on it
Where consent is your lawful basis, make it freely given, specific, informed, and unambiguous (Articles 4(11) and 7): no pre-ticked boxes, no bundling with unrelated terms, and withdrawing consent must be as easy as giving it. Keep a record of what each person consented to and when.
6. Sign processor contracts (DPAs)
Put an Article 28 data processing agreement in place with every vendor that processes personal data on your behalf, and confirm a valid transfer mechanism under Chapter V (an adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules) for any transfer outside the EU/EEA.
7. Run DPIAs for high-risk processing
Carry out a Data Protection Impact Assessment (Article 35) before any processing likely to result in high risk: systematic and extensive profiling, special-category data at scale, or systematic monitoring of a publicly accessible area at scale. Consult your supervisory authority if the residual risk stays high (Article 36).
8. Implement security measures
Apply appropriate technical and organisational measures (Article 32): encryption at rest and in transit, least-privilege access controls, pseudonymisation where useful, backups, and a tested ability to restore data. Note that pseudonymised data remains personal data as long as the key or lookup table exists; only true anonymisation takes data outside the Regulation.
9. Prepare breach response
Have a process to detect, assess, and report a personal-data breach to your supervisory authority within 72 hours (Article 33), and to notify affected individuals where the risk is high (Article 34). Keep an internal breach register (Article 33(5)) for every breach, including those you decide not to report, so you can show the reasoning later.
10. Assign accountability & review
Designate someone responsible for data protection (a DPO if required by Article 37), train staff, and review the whole programme at least annually or whenever processing changes.
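Step 8 names pseudonymisation as an Article 32 measure without showing what separates a pseudonym that works from one that does not. The example below is added here and is not code from the page or from GeraCompliance. It compares an unkeyed SHA-256 of an e-mail address, which an attacker can "reverse" simply by hashing guessed addresses, with an HMAC-SHA256 pseudonym whose key is held apart from the dataset, as Article 4(5) requires. The sample records, the e-mail addresses, and the hypothetical key handling are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from functools import partial
from typing import Callable, Iterable, Optional

# Constructed sample export: the kind of table handed to an analytics team.
# Two rows belong to the same person, so a usable pseudonym must be consistent.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
    {"email": "Alice@Example.com", "plan": "pro"},  # same person, different casing
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 over the identifier.

    Consistent, but e-mail addresses are low-entropy: anyone holding the table
    can hash a guessed address and confirm whether it is present.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 over the identifier under a secret key.

    The key is the "additional information" of Article 4(5): it must live
    outside the dataset (secrets manager, HSM, separate system) so that the
    table alone cannot be linked back to a person.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify_by_guessing(
    pseudonym: str, candidates: Iterable[str], derive: Callable[[str], str]
) -> Optional[str]:
    """Dictionary attack: re-derive pseudonyms for guessed identifiers.

    `derive` is whatever the attacker can compute. Without the key that is
    either the unkeyed hash or an HMAC under a wrong key, neither of which
    matches a correctly keyed pseudonym.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def pseudonymise_records(records: Iterable[dict], key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym; keep other fields."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
        for r in records
    ]


def demo() -> dict:
    """Run the comparison and return the outcomes for inspection."""
    controller_key = secrets.token_bytes(32)          # hypothetical: fetched from a vault
    attacker_key = secrets.token_bytes(32)            # attacker has the table, not the key
    guesses = ["alice@example.com", "carol@example.com"]

    naive = naive_pseudonym("alice@example.com")
    keyed = keyed_pseudonym("alice@example.com", controller_key)

    return {
        # Unkeyed hash: the guess list recovers the address immediately.
        "naive_recovered": reidentify_by_guessing(naive, guesses, naive_pseudonym),
        # Keyed pseudonym, attacker without the key: nothing matches.
        "keyed_recovered": reidentify_by_guessing(
            keyed, guesses, partial(keyed_pseudonym, key=attacker_key)
        ),
        # The controller, holding the key, can still re-derive the link.
        "controller_relinks": keyed_pseudonym("alice@example.com", controller_key) == keyed,
        "records": pseudonymise_records(SAMPLE_RECORDS, controller_key),
    }


if __name__ == "__main__":
    result = demo()
    print("naive hash recovered:", result["naive_recovered"])
    print("keyed pseudonym recovered without key:", result["keyed_recovered"])
    for row in result["records"]:
        print(row)
```

Two points follow from the code. The pseudonymised table is still personal data for the controller, who can re-link it, so it still needs a lawful basis, a retention period and Article 32 protection; the gain is that a leaked export on its own does not identify anyone. And because the key is what makes the scheme work, the key's storage, access control and rotation belong in the RoPA entry and the DPIA alongside the dataset itself.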
GDPR compliance — frequently asked questions
- How do I become GDPR compliant?
- Becoming GDPR compliant means working through ten core steps: map your personal data into a Record of Processing Activities, establish a lawful basis for each activity, publish a compliant privacy notice, build a data-subject-rights process, fix consent where you rely on it, sign processor contracts (DPAs), run DPIAs for high-risk processing, implement appropriate security measures, prepare a 72-hour breach-response process, and assign accountability with an annual review.
- Does a small business need to comply with GDPR?
- Yes. GDPR applies to any organisation that processes the personal data of people in the EU/EEA, regardless of size, and also to organisations outside the EU that offer goods or services to, or monitor, people in the EU (Article 3). Smaller organisations get less relief than they expect: the Article 30(5) exemption from record-keeping for organisations with fewer than 250 employees does not apply where processing is more than occasional, is likely to result in a risk to individuals, or involves special-category or criminal-conviction data, which describes most real businesses. The safe approach is to keep a record anyway.
- How long do I have to respond to a GDPR data-subject request?
- One month from receiving the request (Article 12(3)). You can extend by a further two months for complex or numerous requests, but you must tell the individual within the first month and explain why. Responses are free unless the request is manifestly unfounded or excessive, in which case you may charge a reasonable fee or refuse, and you must be able to show why.
- Do I need a Data Protection Officer (DPO)?
- A DPO is mandatory under Article 37 only if you are a public authority, your core activities involve large-scale regular and systematic monitoring of individuals, or your core activities involve large-scale processing of special-category or criminal-conviction data. Some member states add their own national thresholds, so check local law as well. Many businesses do not strictly need a DPO but still benefit from naming a responsible person to own data protection; if you do appoint one, the DPO must be independent and report to the highest level of management (Article 38).
- How fast must I report a data breach under GDPR?
- You must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach (Article 33), unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is high, you must also notify the affected people without undue delay (Article 34).
Get GDPR-ready faster
Start with free GeraCompliance templates — RoPA, privacy notice, DPA, DPIA — or let our fixed-scope sprint deliver audit-ready GDPR documentation in days.