The GDPR Compliance Checklist for Small Business

A free, practical path through the EU GDPR in 8 steps. The General Data Protection Regulation applies to any organization that processes the personal data of people in the EU — including businesses outside the EU that offer goods or services to, or monitor, people there. This checklist walks you through the core obligations, each tied to the article it comes from.

Who this is for: founders, operations and marketing leads at small businesses, startups and SaaS companies that handle EU (or UK) customer or employee data and want a clear, honest route to GDPR readiness.

Honest note: this is a free step-by-step checklist — a roadmap, not the documents themselves. GDPR compliance comes from how you actually process personal data, not from paperwork alone. The UK GDPR and Data Protection Act 2018 mirror most of this for UK data. When you want the editable records, notices and procedures to fill in, that is our paid pack below.

Step 1Map your personal data (Article 30 — Records of Processing Activities (RoPA))

You cannot protect or lawfully process data you have not mapped — and a supervisory authority can ask for your RoPA at any time.

  • List every processing activity: what personal data you hold, why, and for whom
  • For each, record the purpose, the categories of data and people, who you share it with, retention period, and any transfers abroad
  • Flag any special-category data (health, biometric, etc. — Article 9), which needs extra justification
  • Keep this record in a workbook you can update — it feeds every step below

Step 2Establish a lawful basis for each purpose (Article 6 (and Article 9 for special categories))

Every processing activity needs one of the six lawful bases — without it, the processing is unlawful no matter how well documented.

  • Assign one lawful basis per purpose: consent, contract, legal obligation, vital interests, public task, or legitimate interests
  • For legitimate interests, complete and record a balancing test (LIA)
  • For special-category data, identify an additional Article 9 condition
  • Document the basis so it appears consistently in your RoPA and privacy notices

Step 3Publish clear privacy notices (Articles 12–14 — transparency)

People have the right to know what you do with their data, in plain language, at the point you collect it.

  • Write a privacy notice covering who you are, what you collect, why, the lawful basis, who you share with, retention, transfers, and their rights
  • Provide it when you collect data directly (Art. 13) and within a reasonable period when you obtain it elsewhere (Art. 14)
  • Use clear, plain language — no dense legalese
  • Keep separate, purpose-specific notices where needed (e.g. customers vs. employees)

Step 4Set up data-subject-rights handling (DSARs) (Articles 15–22)

Anyone can exercise their rights, and you must respond — usually within one month — or face complaints and penalties.

  • Document a procedure to handle access, rectification, erasure, restriction, portability and objection requests
  • Set a one-month response clock (extendable by two months for complex requests, with notice)
  • Define identity-verification and internal routing so requests are not missed
  • Log every request and your response as evidence

Step 5Manage consent properly (where it is your basis) (Article 7)

Invalid consent is one of the most common — and most fined — GDPR failures.

  • Make consent freely given, specific, informed and unambiguous — no pre-ticked boxes
  • Keep it as easy to withdraw as it was to give, and record when and how it was obtained
  • Do not bundle consent for unrelated purposes
  • For cookies and tracking, obtain consent before non-essential trackers load

Step 6Run a DPIA for high-risk processing (Article 35 (and Article 36))

A Data Protection Impact Assessment is mandatory before high-risk processing — and the process itself surfaces risks you can fix cheaply now.

  • Screen new or changed processing for high risk (large-scale, sensitive data, systematic monitoring, new tech)
  • Where high risk applies, complete a DPIA: describe the processing, assess necessity and risks, and set mitigations
  • If residual risk stays high, consult your supervisory authority before starting (Art. 36)
  • Review DPIAs when the processing changes

Step 7Secure the data and plan for breaches (Articles 32, 33 and 34)

You must both prevent breaches and be ready to report them fast — the clock is 72 hours.

  • Implement appropriate technical and organizational measures (access control, encryption, backups, logging) proportionate to the risk
  • Document a breach-response procedure that can assess and report a notifiable breach to the supervisory authority within 72 hours (Art. 33)
  • Notify affected individuals without undue delay when a breach is likely to result in high risk to them (Art. 34)
  • Keep an internal breach log of all incidents, notifiable or not

Step 8Control processors and international transfers (Articles 28 and 44–49)

Your responsibility follows the data — to every vendor that processes it and every border it crosses.

  • Put a written data processing agreement (DPA) in place with every processor (Art. 28)
  • Vet processors for adequate safeguards before you engage them, and keep a processor register
  • For transfers outside the EEA, rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses (Art. 44–49)
  • Appoint a Data Protection Officer if your processing meets the Article 37 triggers, and document the assessment either way

Skip the blank page — get the editable GDPR pack

The GDPR Compliance Pack for Small Business gives you the editable documents behind this checklist — a pre-structured Records of Processing Activities (Article 30) workbook, privacy notices, a data-subject-rights (DSAR) procedure, a DPIA procedure, a personal-data breach-response procedure, and a processor/DPA checklist — in Microsoft Word and Excel. You map your own processing and tailor the [placeholders]; the records and procedures are built for exactly that. Instant download, 14 documents, $79 ($55.30 — 30% off auto-applied through July 31, 2026).

View the GDPR pack

Want the numbers? See GDPR fines in numbers, read common compliance questions answered, or browse all free resources.

Professional editable templates and general information — not legal advice, and not a guarantee of compliance. The GDPR is referenced descriptively; ComplianceDocs is not affiliated with any supervisory authority. A product of ExpertEngine LLC.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.