GDPR Checklist

It is a free, browser-based interactive checklist covering 28 key GDPR compliance requirements organized into five sections: Lawful Basis for Processing, Data Subject Rights, Technical Measures, Organizational Measures, and International Transfers. Check off items as you verify them and track your progress visually.

GDPR Article 6 defines six lawful bases: (1) Consent — the data subject has given explicit consent; (2) Contract — processing is necessary for a contract with the data subject; (3) Legal Obligation — processing is required by law; (4) Vital Interests — processing is necessary to protect someone's life; (5) Public Task — processing is needed for a task in the public interest; (6) Legitimate Interest — processing is necessary for the controller's or a third party's legitimate interests, provided these interests are not overridden by the data subject's rights.

GDPR grants individuals eight rights: (1) Right of Access — to obtain a copy of their personal data; (2) Right to Rectification — to correct inaccurate data; (3) Right to Erasure ("Right to be Forgotten") — to have data deleted in certain circumstances; (4) Right to Restriction of Processing — to limit how data is used; (5) Right to Data Portability — to receive data in a machine-readable format; (6) Right to Object — to object to processing based on legitimate interest or for direct marketing; (7) Rights related to automated decision-making and profiling; (8) Right to Withdraw Consent — to withdraw previously given consent at any time.

A Data Protection Officer (DPO) is a designated individual responsible for overseeing GDPR compliance within an organization. A DPO is required when: (1) you are a public authority; (2) your core activities involve large-scale systematic monitoring of individuals; or (3) your core activities involve large-scale processing of special category data (health, genetic, biometric data, etc.). Even when not legally required, appointing a DPO is a best practice for compliance governance.

A Data Protection Impact Assessment (DPIA) is a process to identify and minimize data protection risks in high-risk processing activities. It is required when processing is likely to result in high risk to individuals — for example, large-scale profiling, systematic monitoring of public areas, or processing special categories of data at scale. A DPIA should be conducted before starting the processing activity.

Standard Contractual Clauses are pre-approved contract templates provided by the European Commission that legally bind data importers outside the EEA to GDPR-equivalent data protection standards. They are one of the primary mechanisms for lawfully transferring personal data to third countries that do not have an Adequacy Decision from the European Commission.

No. This tool is a structured reference and self-assessment aid, not a legal compliance certification. GDPR compliance depends on the specific nature of your data processing activities, your jurisdiction, and evolving regulatory guidance. This checklist helps you identify gaps and organize your compliance efforts, but you should consult a qualified data protection lawyer or consultant for a formal compliance assessment.

No. All checkbox state is stored only in the browser's React component state for your current session. When you close the tab or browser, your progress is not saved. No data is written to localStorage, cookies, or any server. For persistent tracking, take a screenshot of your progress or use a dedicated compliance management platform.