GDPR Compliance Tools

GDPR Compliance Checklist — What Documents Does Your Business Need?

A complete checklist for startups and SMEs. Tick off each item as you complete it — your progress is saved automatically.


What does GDPR compliance actually require?

The General Data Protection Regulation (GDPR) applies to any organisation that processes personal data of individuals in the EU or EEA — regardless of where the organisation is based. There is no exemption for small businesses, startups, or sole traders. If you have a contact form, an email list, or analytics tracking on your website, you are processing personal data.

Compliance is not a single document. It is a combination of published notices (Privacy Policy, Cookie Policy), contractual obligations (Data Processing Agreements), internal records (ROPA), rights procedures (DSAR process), and technical measures (security documentation, breach response). The exact set of documents your business needs depends on your specific processing activities.

The checklist below covers all 20 items across 6 categories. Use it to audit your current position and identify gaps. A free Recommendations Report will then tell you exactly which documents to prioritise for your specific setup.

Your GDPR compliance checklist

Tick each item as you complete it. Progress is saved in your browser.

Data Processing Foundations

  • Identify personal data collected: name, email, IP addresses, cookies, device data — every category you hold
  • Map your data flows: where data comes from, where it goes, how long it stays, who can access it
  • Assign a legal basis per purpose: consent, contract, legitimate interest, or legal obligation — for each activity separately
  • Maintain a ROPA: Records of Processing Activities are required under Article 30 for most organisations

Published Notices

  • Privacy Policy (Art. 13 / 14): must cover all 8 mandatory disclosure elements — controller identity, purposes, legal basis, recipients, retention, rights
  • Cookie Policy + consent mechanism: required before any non-essential cookies fire — consent must be freely given, specific, and withdrawable
  • Privacy notice on collection forms: short notice at each point of data collection (contact forms, sign-up pages, checkout)

Processor Relationships

  • DPAs with all processors: a Data Processing Agreement is required for every vendor handling personal data on your behalf
  • Third-country transfer safeguards: Standard Contractual Clauses or an adequacy decision are required for processors outside the EEA
  • Sub-processor list maintained: know who your processors delegate to downstream — you remain responsible

Data Subject Rights

  • SAR handling process: respond to Subject Access Requests within 30 days — provide a copy of all data held
  • Erasure / right to be forgotten: process for deleting data on request where no overriding legal basis exists
  • Data portability: provide data in a machine-readable format (CSV, JSON) where consent or contract is the legal basis
  • Right to object / restrict processing: process for handling objections to processing based on legitimate interests or direct marketing

Security & Incident Response

  • Technical measures documented: encryption at rest and in transit, access controls, pseudonymisation where appropriate
  • Data Breach Response Plan: written steps for detection, containment, assessment, and notification of a personal data breach
  • 72-hour SA notification process: the supervisory authority must be notified within 72 hours of becoming aware of a notifiable breach
  • Processor breach notification clause: your DPAs must require processors to notify you without undue delay on discovering a breach

Higher-Risk Processing

  • DPIA completed where required: mandatory for large-scale processing, special category data, or systematic profiling
  • DPO designated where required: required for public bodies, large-scale regular monitoring, or large-scale special category processing

Get a personalised version of this checklist

A free Recommendations Report analyses your specific business and tells you exactly which items apply — and which documents to generate first.


Which documents does your business need?

The required documents vary depending on your role in the data ecosystem — whether you are a controller, a processor, or both. Here is a baseline by business type.

SaaS / Web App
  • Privacy Policy
  • Cookie Policy
  • DPA (with processors)
  • ROPA
  • DSAR Procedure
  • Breach Response Plan
E-commerce
  • Privacy Policy
  • Cookie Policy
  • DPA (with processors)
  • ROPA
  • DSAR Procedure
  • Breach Response Plan
B2B / Data Processor
  • Privacy Policy
  • DPA (as processor)
  • ROPA
  • Breach Response Plan
  • DPIA (likely required)

This is a baseline. Your actual requirements depend on the specific data you process, the tools you use, and whether you transfer data outside the EEA. A free Recommendations Report generates a personalised version of this mapping for your business.

How long does GDPR compliance take?

Manual GDPR compliance — writing documents from scratch, researching applicable articles, and adapting generic templates to your specific processing activities — typically takes two to three weeks for a full documentation set. Each document requires legal research, drafting, internal review, and often external legal sign-off.

Document                                  Legas.ai       Manual
Privacy Policy                            5 min          2–4 hours
Cookie Policy                             5 min          1–2 hours
Data Processing Agreement                 10 min         3–5 hours + legal review
Records of Processing Activities          15 min         1–2 days
Full documentation set (all 8 docs)       Under 1 hour   2–3 weeks

Why generic checklists are not enough

The problem

A generic checklist tells you what to do, not whether you have done it correctly. A Privacy Policy that uses the wrong legal basis for your analytics tool is non-compliant even if every box is ticked. Compliance is in the content, not the coverage.

The Legas.ai difference

Legas.ai generates documents based on your answers about your actual business — your tools, your data flows, your legal bases. The output is specific to you. A free Recommendations Report starts the process by identifying exactly where your gaps are.

Ready to close your compliance gaps?

Start with a free report that identifies exactly which documents your business needs — then generate them in minutes.