✅ GDPR Compliance Checklist

Work through this interactive checklist to assess your small business's GDPR compliance. Track your progress in real time.

⚠️ This checklist is for informational purposes only and does not constitute legal advice. GDPR compliance is complex — consult a data protection specialist for a full assessment.

Your Progress

0 of 30 items completed (0%)

1. Lawful Basis for Processing

We have identified a lawful basis (consent, contract, legitimate interest, legal obligation, vital interests, or public task) for every type of personal data we process.

We have documented our lawful basis for each processing activity in a Record of Processing Activities (ROPA).

Where we rely on consent, we obtain it freely, specifically, unambiguously, and with an affirmative action (no pre-ticked boxes).

We keep records of all consents given, including when and how consent was obtained.

2. Privacy Notices & Transparency

We have a clear, up-to-date Privacy Policy published on our website.

Our Privacy Policy explains what data we collect, why we collect it, how long we keep it, and who we share it with.

We inform individuals about their rights (access, erasure, portability, objection, etc.).

We provide privacy information at the point of data collection (e.g., on contact forms, sign-up pages).

3. Individual Rights

We have a process to handle Subject Access Requests (SARs) within 30 days.

We can erase personal data upon valid request (Right to Erasure / "Right to be Forgotten").

We can provide individuals with their data in a portable format upon request (Right to Data Portability).

Individuals can withdraw consent at any time as easily as they gave it.

4. Data Minimisation & Retention

We only collect personal data that is necessary for our stated purpose (data minimisation principle).

We have defined data retention periods for each type of personal data we hold.

We securely delete or anonymize personal data when it is no longer needed.

We do not use personal data for purposes incompatible with the original collection purpose.

5. Data Security

We have implemented appropriate technical measures to secure personal data (e.g., encryption, access controls, secure passwords).

Our website uses HTTPS (SSL/TLS) to encrypt data in transit.

We limit access to personal data to only those staff members who need it.

We have a documented data breach response plan and know we must report certain breaches to the ICO (UK) or relevant supervisory authority within 72 hours.

6. Third-Party Processors

We have identified all third parties who process personal data on our behalf (e.g., email platforms, analytics tools, cloud storage).

We have signed Data Processing Agreements (DPAs) with all relevant third-party processors.

If we transfer data outside the UK/EEA, we have appropriate safeguards in place (e.g., Standard Contractual Clauses).

7. Cookies & Tracking

We have a cookie consent mechanism that allows visitors to accept or decline non-essential cookies before they are set.

Our cookie policy lists all cookies we use, their purpose, and their duration.

Analytics and advertising cookies (e.g., Google Analytics, AdSense) are only activated after consent is given.

8. Accountability & Governance

We maintain a Record of Processing Activities (ROPA) documenting all data processing.

Staff who handle personal data have received appropriate GDPR training.

We review and update our data protection practices and policies regularly.

If required (processing at large scale, special category data, or systematic monitoring), we have appointed a Data Protection Officer (DPO).