The GDPR Compliance Checklist

Achieving GDPR Compliance shouldn't feel like a struggle. This is a basic checklist you can use to harden your GDPR compliancy.

if your organisation is determining the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Use the filter below to view only the relevant checklist items for your organisation.

This list is far from a legal exhaustive document, it merely tries to help you overcome the struggle.

Feel free to contribute directly on GitHub!

Select your organisation's role:

  • Data Controller: I determine why data is processed

  • Data Processor: I store or process data for someone else

Your data

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it

    • Data Processor
    • Data Controller
  • Your company has a list of places where it keeps personal information and the ways data flows between them

    • Data Processor
    • Data Controller
  • Your company has a publicly accessible privacy policy that outlines all processes related to personal data.

    • Data Processor
    • Data Controller
  • Your privacy policy should include a lawful basis to explain why the company needs to process personal information

    • Data Controller

Accountability & management

New rights


Special cases


The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.