GDPR Readiness Checklist

16-point GDPR/UK-GDPR self-audit — lawful basis, RoPA, DPAs, subprocessors, DSARs, breach process. Copy or download your status.

Free · no signup required · runs entirely in your browser

Educational only — not legal or data-protection advice.

GDPR enforcement is fact-specific and varies by member state. Work with a DPO or data protection lawyer for binding decisions.

Lawful basis for every category of personal data

Six bases under GDPR Art. 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests). Documented per data category.

Public, plain-English privacy policy

Covers: what you collect, why, how long, who you share with, user rights, contact for data requests. Avoid jargon that hides what you do.

Cookie banner with genuine consent (EU/UK visitors)

Pre-ticked boxes aren't consent. Rejecting all must be as easy as accepting all. Analytics and marketing cookies stay blocked until consent is actually given.

Record of Processing Activities (RoPA) maintained

GDPR Art. 30. A spreadsheet listing every processing activity, lawful basis, retention period, recipients. Required if you have 250+ employees OR you process sensitive data OR processing is not occasional.

Data Processing Agreement signed with every subprocessor

Stripe, AWS, Resend, analytics, AI vendors — anyone who processes user data on your behalf. Most have a standard DPA you can countersign.

Public subprocessor list maintained and dated

Linked from your privacy policy. Updated whenever you add or remove a vendor. Customers in regulated industries will scrutinise this during due diligence.

Process for handling data subject requests (DSARs)

Access, rectification, erasure, portability, restriction, objection. 30-day response window. Document the process even if you've never had a request.

Data breach notification process

72-hour notification to the supervisory authority for risky breaches; individual notification when high risk. Decision tree drafted before you need it.

Data minimisation in product and forms

Collect what you need, not what you might want. Birthday only if you actually use it. Phone only if you'll actually call.

Retention policy documented and enforced

Each data category has a retention period. Deleted accounts purged from backups within the stated window (often 30-90 days).

International transfer mechanism in place (if applicable)

Standard Contractual Clauses (SCCs) for transfers outside the EEA/UK, plus a Transfer Impact Assessment. Schrems II makes this non-trivial for US transfers.

Marketing opt-in is separate from product opt-in

PECR (UK) + GDPR. Pre-ticked marketing boxes are unlawful. Soft opt-in for existing customers in some jurisdictions; check before assuming.

DPIA done for high-risk processing

Mandatory under GDPR Art. 35 for systematic monitoring, large-scale sensitive data, automated decisions. AI features often trigger this.

Data Protection Officer or contact named

DPO required if you do large-scale systematic monitoring OR large-scale sensitive data. Otherwise, name a privacy contact.

Incident log started

Every privacy-relevant incident logged, even ones that didn't require notification. Pattern recognition matters and regulators ask for it.

Team trained on data handling basics

Engineers know what counts as personal data. Sales doesn't email customer lists to themselves. Support doesn't copy data into chat tools.
