GDPR, 10 min read

The Complete GDPR Compliance Checklist for 2026

Complicer Team, March 18, 2026

GDPR enforcement is no longer a warning shot. Since the regulation took full effect in 2018, EU data protection authorities have issued over €4.5 billion in fines, and 2026 is shaping up to be the most active enforcement year yet. The Irish DPC, Germany's Bavarian DPA, and France's CNIL are all running coordinated sweep campaigns targeting consent mechanisms, cookie compliance, and AI data processing — and they're finding violations on sites that believed they were already compliant.

The regulation itself hasn't changed, but enforcement expectations have. Regulators now treat "we didn't know" as an aggravating factor rather than a mitigating one. Technical non-compliance — cookies firing before consent, dark pattern consent banners, missing withdrawal mechanisms — is being treated on par with legal failures like inadequate privacy policies.

This checklist covers every significant requirement under the GDPR. Work through it methodically, document your status for each item, and treat anything marked as a gap as a priority remediation task.


1. Lawful Basis for Processing

Every processing activity your organization conducts must rest on one of the six lawful bases defined in Article 6: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

  • Identify every category of personal data you collect and process
  • Document the lawful basis for each processing activity in a formal record
  • If relying on legitimate interests, complete a Legitimate Interests Assessment (LIA) and document it
  • Do not swap lawful bases mid-stream: the basis must be chosen before processing starts and disclosed to the data subject, and EDPB guidance is explicit that you cannot fall back on another basis (such as legitimate interests) once consent is refused or withdrawn
  • Review special category data (health, genetic, biometric data used for identification, sexual orientation, political, religious and trade union data): Article 9 prohibits processing it unless explicit consent or one of the other Article 9(2) exceptions applies, on top of an Article 6 basis

2026 focus: Regulators are scrutinizing legitimate interests claims in online advertising contexts. If you rely on LI for behavioral advertising or retargeting, expect challenge.


2. Cookie Consent and Consent Management

Consent under the GDPR must be freely given, specific, informed, and unambiguous (Article 4(11)). The cookie rule itself comes from Article 5(3) of the ePrivacy Directive, which borrows the GDPR standard of consent: for cookies, this means an affirmative action before any non-essential storage or processing begins.

  • No non-essential cookies, pixels or local storage written before the user actively accepts (pre-consent firing is the single most common violation); only strictly necessary cookies such as session, CSRF or load-balancing cookies may be set without consent
  • Consent banner presents Accept and Reject with equal visual prominence
  • No pre-checked boxes — consent must be an active, not passive, act
  • Purpose descriptions are specific, not vague ("advertising network X uses cookies to build a profile of your browsing habits" not "we use cookies to improve your experience")
  • A withdrawal mechanism exists and is easy to find (a "Cookie Settings" link in the footer, accessible at all times)
  • Withdrawing consent is as easy as giving it — no friction added to the reject or change-preferences flow
  • Consent records are stored with a timestamp, the version of the banner shown, and the user's choices
  • Consent is re-requested when purposes change or consent expires; the GDPR sets no fixed lifetime and national guidance varies (CNIL, for example, recommends renewing after 6 months), so document the period you chose and why
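As an added example (not Complicer's code, nor any consent-management library the post refers to), the block below shows the technical core of the bullets above in JavaScript: non-essential tags are registered as loaders that never run until consent for their purpose exists, the consent record is stored with timestamp, banner version and choices, withdrawal is a single call, expiry and a changed purpose list both force the banner to reappear, and a small audit helper flags cookies observed before any banner interaction. BANNER_VERSION, CONSENT_TTL_MS, the ESSENTIAL cookie list and the purpose names are assumptions; in a browser each loader would inject the vendor's script tag, whereas here they are plain callbacks so the file runs under Node without a DOM.

```javascript
// Added example, not Complicer's code: a consent gate that defers non-essential
// tags until consent exists, stores the consent record with the metadata the
// checklist asks for, and flags pre-consent cookie firing in an audit.
// BANNER_VERSION, CONSENT_TTL_MS, ESSENTIAL and the purpose names are assumptions.

const BANNER_VERSION = "2026-03-v3";               // bump whenever purposes change
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;  // 12 months, then re-request
const ESSENTIAL = new Set(["session", "csrf"]);    // strictly necessary cookies only

class ConsentGate {
  // `now` is injectable so expiry can be exercised without waiting a year
  constructor(now = () => Date.now()) {
    this.now = now;
    this.record = null;        // { timestamp, bannerVersion, choices }
    this.pending = new Map();  // purpose -> loaders waiting for consent
  }

  // A loader would inject the vendor <script> in a browser; it never runs
  // before consent for its purpose has been recorded and is still valid.
  register(purpose, loader) {
    if (this.isAllowed(purpose)) {
      loader();
      return;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(loader);
  }

  // Persist the choices with timestamp and banner version, then release only
  // the loaders whose purpose was granted. Refused purposes stay queued.
  recordChoices(choices, bannerVersion = BANNER_VERSION) {
    this.record = { timestamp: this.now(), bannerVersion, choices: { ...choices } };
    for (const [purpose, loaders] of this.pending) {
      if (this.isAllowed(purpose)) {
        loaders.forEach((loader) => loader());
        this.pending.delete(purpose);
      }
    }
    return this.record;
  }

  // Withdrawal is one call with no extra steps: a new record refusing every
  // purpose. Cookies set by tags already loaded must also be deleted (not shown).
  withdraw() {
    const refused = {};
    for (const purpose of Object.keys(this.record ? this.record.choices : {})) {
      refused[purpose] = false;
    }
    return this.recordChoices(refused);
  }

  // Consent is valid only if it is recent and was given against the current
  // purpose list; anything else means the banner must be shown again.
  needsBanner() {
    const r = this.record;
    return r === null
      || this.now() - r.timestamp > CONSENT_TTL_MS
      || r.bannerVersion !== BANNER_VERSION;
  }

  isAllowed(purpose) {
    return !this.needsBanner() && this.record.choices[purpose] === true;
  }
}

// Audit helper: cookie names observed before any interaction with the banner.
// Anything that is not strictly necessary is a pre-consent firing violation.
function preConsentViolations(observedCookieNames, essential = ESSENTIAL) {
  return observedCookieNames.filter((name) => !essential.has(name));
}

// Walk-through on constructed input with a fake clock.
function demo() {
  let clock = Date.UTC(2026, 2, 18);
  const gate = new ConsentGate(() => clock);
  const fired = [];
  gate.register("analytics", () => fired.push("_ga"));
  gate.register("advertising", () => fired.push("_fbp"));
  const beforeConsent = fired.slice();               // [] : nothing fired yet
  gate.recordChoices({ analytics: true, advertising: false });
  const afterConsent = fired.slice();                // ["_ga"] : only the granted purpose
  gate.withdraw();
  const afterWithdraw = gate.isAllowed("analytics"); // false
  gate.recordChoices({ analytics: true, advertising: false });
  clock += CONSENT_TTL_MS + 1;                       // 12 months + 1 ms later
  return {
    beforeConsent, afterConsent, afterWithdraw,
    expiredAllowed: gate.isAllowed("analytics"),     // false : consent expired
    needsBanner: gate.needsBanner(),                 // true  : re-request consent
    violations: preConsentViolations(["session", "_ga", "_fbp", "csrf"]), // ["_ga","_fbp"]
  };
}
```

Two design points carry over to a real deployment: the record returned by recordChoices is what you persist (first-party cookie or server side) as your evidence that consent was given, and bumping BANNER_VERSION is the mechanism that forces re-consent when purposes change, because isAllowed refuses any record made against an older version.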

3. Privacy Policy Requirements

A privacy policy is not a legal boilerplate checkbox; it is a substantive transparency document. Articles 13 (data collected from the data subject) and 14 (data obtained from other sources) list specific mandatory disclosures.

  • Identity and contact details of the data controller
  • Contact details of the DPO (if appointed)
  • Purposes and lawful bases for each processing activity
  • Legitimate interests relied upon (if applicable)
  • Recipients or categories of recipients (including third-party processors)
  • International transfers: destination countries and safeguards in place
  • Retention periods (or criteria used to determine them) for each data category
  • Data subject rights: access, rectification, erasure, restriction, portability, objection
  • Right to withdraw consent (where processing is consent-based)
  • Right to lodge a complaint with a supervisory authority
  • Whether providing data is a contractual or statutory requirement, and consequences of not providing it
  • Existence of automated decision-making and profiling (Article 22)

2026 focus: Regulators are checking that retention periods are specific and plausible, not just "as long as necessary." If you say 7 years, be ready to justify why.


4. Data Subject Rights

Individuals have eight rights under the GDPR. You need operational processes to handle each within the mandatory timeframe (Article 12(3): one month from receipt, extendable by a further two months for complex or numerous requests, provided you tell the requester about the extension and its reasons within the first month).

  • Right of access (Article 15): process for receiving, verifying, and fulfilling Subject Access Requests (SARs)
  • Right to rectification (Article 16): process for correcting inaccurate personal data
  • Right to erasure / "right to be forgotten" (Article 17): process for deleting data, including propagating deletions to processors
  • Right to restriction of processing (Article 18): ability to flag and restrict data without deleting it
  • Right to data portability (Article 20): machine-readable export (JSON, CSV) of the data the individual provided, where processing is carried out by automated means on the basis of consent or contract
  • Right to object (Article 21): process for objecting to processing under legitimate interests or direct marketing
  • Rights related to automated decision-making (Article 22): process for human review requests
  • Identity verification procedure that doesn't create excessive friction
  • Response time tracking — ensure you never breach the one-month limit

5. Data Breach Notification

Article 33 requires notifying your supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must state the reasons for the delay. Article 34 requires communicating the breach to affected individuals without undue delay when the risk to them is high.

  • Incident response plan exists and is tested annually
  • Defined process to detect, contain, assess, and escalate breaches
  • Clear ownership of the 72-hour notification decision
  • Template notification ready for supervisory authority (includes: nature of breach, categories and approximate number of data subjects and records affected, DPO contact, likely consequences, mitigation measures)
  • Breach register maintained (all breaches documented even if not notified)
  • Processors contractually required to notify you of breaches "without undue delay"

6. Data Protection Officer (DPO)

Appointment of a DPO is mandatory under Article 37 if you are a public authority or body, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of special category data or criminal conviction data.

  • Assess whether DPO appointment is mandatory for your organization
  • If mandatory: appoint a DPO with adequate expertise in data protection law
  • Publish DPO contact details on your privacy policy and notify your supervisory authority
  • Ensure DPO independence: they must not receive instructions on how to perform their tasks
  • Even if not mandatory, consider appointing a DPO or equivalent as a risk management measure

7. Data Protection Impact Assessments (DPIAs)

Article 35 requires a DPIA before undertaking processing that is "likely to result in a high risk." This includes systematic profiling, large-scale processing of special categories, and systematic monitoring of publicly accessible areas.

  • Process to identify when a DPIA is required before launching new processing activities
  • DPIA template covering: description of processing, necessity and proportionality assessment, risk identification, risk mitigation measures
  • DPO consulted on DPIAs (if DPO appointed)
  • DPIAs reviewed and updated when processing changes
  • Prior consultation with supervisory authority where DPIA identifies residual high risk that cannot be mitigated

8. International Data Transfers

Transferring personal data outside the EEA requires appropriate safeguards under Chapter V of the GDPR. Post-Schrems II, standard contractual clauses (SCCs) must be accompanied by a Transfer Impact Assessment (TIA).

  • Map all data flows to third countries (include SaaS tools, cloud providers, analytics, support platforms)
  • For each transfer: identify the legal mechanism (adequacy decision, SCCs, BCRs, derogation)
  • If relying on SCCs: use the 2021 EU SCCs (older versions are no longer valid)
  • Complete a Transfer Impact Assessment for each non-adequate country transfer
  • Document any supplementary technical measures required by the TIA
  • Review US transfers: the EU-US Data Privacy Framework (DPF) provides an adequacy pathway for certified US organizations. Verify on the DPF list that each processor's certification is current and covers the data you send (certifications are per organization and state whether HR data is included), and keep SCCs as a fallback for processors that are not certified

9. Records of Processing Activities (ROPA)

Article 30 requires written records of processing activities. The exemption in Article 30(5) for organizations with fewer than 250 employees falls away as soon as processing is not occasional, is likely to result in a risk to individuals, or includes special category or criminal conviction data, so in practice almost every organization is in scope.

  • ROPA exists and covers all processing activities
  • Each entry includes: controller name and contact, DPO contact, processing purposes, data subject categories, data categories, recipient categories, third-country transfers, retention periods, security measures
  • ROPA is kept up to date (reviewed at least annually and when new processing begins)
  • ROPA available to supervisory authority on request

10. Technical and Organizational Measures (TOMs)

Article 32 requires appropriate technical and organizational measures to ensure security appropriate to the risk.

  • Pseudonymisation and encryption of personal data at rest and in transit (Article 32(1)(a)), proportionate to the risk
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore access to data in a timely manner after an incident
  • Process for regularly testing and evaluating the effectiveness of security measures
  • Access controls: principle of least privilege, MFA for systems containing personal data
  • Vendor / processor due diligence: Article 28 Data Processing Agreements (DPAs) with all processors, including a current list of their sub-processors
  • Employee training on data protection (documented)
  • Privacy by design and by default embedded into new projects and product development

How to Use This Checklist

Print it, share it with your legal and engineering teams, and work through it systematically. Each unchecked item is a potential enforcement finding. Prioritize consent management and cookie compliance — these are the fastest-moving enforcement areas in 2026 and the easiest for regulators to detect remotely.

If you want to shortcut the technical audit portion, automated scanning can identify cookie firing violations, consent banner dark patterns, and missing withdrawal mechanisms in seconds.

Automate your GDPR compliance checks with Complicer. Our scanner tests your consent banner, cookie behavior, and privacy policy completeness on every deployment — so you catch violations before regulators do.
