When to Use This Skill
- Before launching a SaaS product that processes EU personal data
- When adding a new feature that collects, stores, or processes personal data
- After a data breach (or suspected breach) to assess scope and obligations
- When onboarding a new sub-processor or third-party service
- Before enabling cross-border data transfers (US vendors, CDNs, analytics)
- When implementing consent management or cookie banners
- During periodic compliance reviews (recommended quarterly)
- When a data subject exercises a right (access, erasure, portability request)
- Before conducting a Data Protection Impact Assessment
- When regulators announce new guidance or enforcement actions
How It Works
┌──────────────────────────────────────────────────────────────────────┐
│ GDPR AUDIT FLOW │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ PHASE 1 │ │ PHASE 2 │ │ PHASE 3 │ │ PHASE 4 │ │
│ │ Data │─▶│ Lawful │─▶│ Rights & │─▶│ Transfer │ │
│ │ Inventory│ │ Basis │ │ Consent │ │ & Cookie │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ Map all Verify Check DSR Validate │
│ personal Art.6 basis endpoints SCCs, cookie │
│ data flows per purpose & consent consent │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ PHASE 5 │ │ PHASE 6 │ │ PHASE 7 │ │
│ │ Minimize │─▶│ DPIA & │─▶│ Report & │ │
│ │ & Retain │ │ Breach │ │ Remediate│ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ Audit excess Assess DPIA Full report │
│ data, check triggers, with Article │
│ retention breach plan references │
│ │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ COMPLIANCE LEVELS │ │
│ │ │ │
│ │ COMPLIANT — Processing meets GDPR requirements │ │
│ │ PARTIAL — Some measures in place, gaps remain │ │
│ │ NON-COMPLIANT — Missing required controls, fix urgently │ │
│ │ CRITICAL RISK — Active violation, potential fine exposure │ │
│ └──────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
Phase 1: Personal Data Inventory
Map every piece of personal data in the system — where it enters, where it is stored, how it flows, and where it exits.
┌──────────────────────────────────────────────────────────────┐
│ PERSONAL DATA INVENTORY │
│ │
│ STEP 1: SCAN THE DATABASE SCHEMA │
│ │
│ Look at every table/model for personal data fields: │
│ □ Names (first_name, last_name, display_name) │
│ □ Email addresses │
│ □ Phone numbers │
│ □ Physical addresses │
│ □ IP addresses (stored in logs, sessions, audit trails) │
│ □ User agents / browser fingerprints │
│ □ Dates of birth │
│ □ Photos / avatars │
│ □ Government IDs (SSN, passport, tax ID) │
│ □ Financial data (bank, card — even tokenized references) │
│ □ Health data (if applicable — special category Art.9) │
│ □ Location data (GPS, timezone, locale) │
│ □ Behavioral data (learning progress, click patterns) │
│ □ Device identifiers (cookie IDs, device tokens) │
│ │
│ STEP 2: MAP DATA FLOWS │
│ │
│ For each personal data field, document: │
│ □ Collection point — where does it enter the system? │
│ □ Storage location — which table/column/service stores it? │
│ □ Processing — what operations run on it? │
│ □ Sharing — is it sent to third parties / sub-processors? │
│ □ Retention — how long is it kept? │
│ □ Deletion — can it be fully removed on request? │
│ │
│ STEP 3: CLASSIFY BY CATEGORY │
│ │
│ ┌────────────────────┬──────────────────────────────┐ │
│ │ Category │ GDPR Treatment │ │
│ ├────────────────────┼──────────────────────────────┤ │
│ │ Basic identity │ Standard (Art.6 basis needed) │ │
│ │ Contact info │ Standard (Art.6 basis needed) │ │
│ │ Financial │ Standard + extra security │ │
│ │ Behavioral/usage │ Standard (often leg. interest)│ │
│ │ Health data │ Special category — Art.9 │ │
│ │ Biometric │ Special category — Art.9 │ │
│ │ Political/religious│ Special category — Art.9 │ │
│ │ Children's data │ Art.8 — parental consent │ │
│ │ Criminal records │ Art.10 — special rules │ │
│ └────────────────────┴──────────────────────────────┘ │
│ │
│ STEP 4: MAP DATA TO PURPOSES │
│ │
│ Every field must be tied to at least one purpose: │
│ □ Account creation and authentication │
│ □ Service delivery (core product functionality) │
│ □ Billing and invoicing │
│ □ Customer support │
│ □ Analytics and product improvement │
│ □ Marketing communications │
│ □ Legal and regulatory compliance │
│ □ Security and fraud prevention │
│ │
│ If a field has NO purpose — it should not be collected │
└──────────────────────────────────────────────────────────────┘
Personal Data Inventory Table
Produce this table for every personal data element found:
| # | Data Element | DB Table.Column | Collection Point | Purpose | Lawful Basis | Shared With | Retention | Deletable? | |
|---|
| 1 | Email | users.email | Registration form | Account, comms | Contract | SendGrid | Account life + 3yr | Yes | |
| 2 | IP Address | audit_logs.ip | Every request | Security | Leg. interest | None | 1 year | Yes (anonymize) | |
| 3 | Name | users.first_name | Profile form | Display | Contract | None | Account life + 3yr | Yes | |
| ... | ... | ... | ... | ... | ... | ... | ... | ... | |
Phase 2: Lawful Basis Verification
Every data processing activity must have a documented lawful basis under Art.6. There are exactly six options — no others exist.
┌──────────────────────────────────────────────────────────────┐
│ LAWFUL BASIS DECISION TREE │
│ │
│ For each processing activity, walk through this tree: │
│ │
│ ┌─────────────────────┐ │
│ │ Is there a contract │ │
│ │ with the data │──── YES ──▶ Art.6(1)(b) Contract │
│ │ subject requiring │ Processing necessary for │
│ │ this processing? │ the contract (e.g., account│
│ └────────┬────────────┘ management, service delivery│
│ │ NO │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Is there a legal │ │
│ │ obligation (law, │──── YES ──▶ Art.6(1)(c) Legal │
│ │ regulation) that │ obligation │
│ │ requires this? │ (e.g., tax records, │
│ └────────┬────────────┘ AML checks) │
│ │ NO │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Is there a legit- │ │
│ │ imate interest that │──── YES ──▶ Art.6(1)(f) Legitimate │
│ │ is NOT overridden │ interest │
│ │ by the individual's │ REQUIRES a Legitimate │
│ │ rights? │ Interest Assessment (LIA) │
│ └────────┬────────────┘ │
│ │ NO │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Can you obtain │ │
│ │ freely given, │──── YES ──▶ Art.6(1)(a) Consent │
│ │ specific, informed, │ Must be withdrawable, │
│ │ unambiguous consent?│ recorded, granular │
│ └────────┬────────────┘ │
│ │ NO │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ DO NOT PROCESS │ │
│ │ No lawful basis │ │
│ │ exists — STOP │ │
│ └─────────────────────┘ │
│ │
│ Remaining bases (rarely used in SaaS): │
│ → Art.6(1)(d) Vital interests — life/death situations │
│ → Art.6(1)(e) Public task — government functions │
└──────────────────────────────────────────────────────────────┘
Lawful Basis Audit Checklist
┌──────────────────────────────────────────────────────────────┐
│ LAWFUL BASIS VERIFICATION │
│ │
│ FOR EACH PROCESSING ACTIVITY: │
│ │
│ DOCUMENTATION (Art.5(2) — Accountability) │
│ □ Is the lawful basis documented in a ROPA? (Art.30) │
│ □ Is the basis stated in the privacy notice? (Art.13/14) │
│ □ Does the code enforce the stated basis? │
│ □ Could the basis change if the feature changes? │
│ │
│ IF CONTRACT (Art.6(1)(b)): │
│ □ Is there an actual contract (ToS, subscription)? │
│ □ Is the processing genuinely necessary for the contract? │
│ □ Would the service fail without this processing? │
│ □ Are you stretching "necessary"? (analytics is NOT │
│ necessary for a contract — use legitimate interest) │
│ │
│ IF CONSENT (Art.6(1)(a)): │
│ □ Is consent freely given? (no service denial if refused) │
│ □ Is consent specific to each purpose? │
│ □ Is consent informed? (clear language, not legal jargon) │
│ □ Is consent unambiguous? (active opt-in, not pre-ticked) │
│ □ Is consent recorded? (timestamp, version, content) │
│ □ Can consent be withdrawn as easily as it was given? │
│ □ Does withdrawal actually stop the processing? │
│ □ Is there a re-consent mechanism for purpose changes? │
│ □ For children (under 16/13): parental consent? (Art.8) │
│ │
│ IF LEGITIMATE INTEREST (Art.6(1)(f)): │
│ □ Is the interest documented? │
│ □ Is the processing necessary for that interest? │
│ □ Is there a balancing test (LIA) documented? │
│ □ Does the individual's interest override yours? │
│ □ Can the data subject object? (Art.21) │
│ □ Is the objection mechanism implemented in code? │
│ │
│ CODE-LEVEL CHECK │
│ □ grep for data collection points — do they have basis? │
│ □ grep for analytics/tracking calls — consent checked? │
│ □ grep for email sending — unsubscribe implemented? │
│ □ grep for third-party data sharing — basis documented? │
└──────────────────────────────────────────────────────────────┘
Phase 3: Data Subject Rights Implementation Audit
GDPR grants data subjects specific rights. These are not optional features — they are legal requirements. Audit whether each right has a working implementation.
Data Subject Rights Matrix
| Right | GDPR Article | Requirement | Implementation Check | |
|---|
| Right of Access | Art.15 | Provide copy of all personal data within 30 days | API endpoint or UI to export user data in structured format | |
| Right to Rectification | Art.16 | Allow correction of inaccurate data | Profile edit forms, admin correction tools | |
| Right to Erasure | Art.17 | Delete personal data on request (with exceptions) | Account deletion flow that cascades across all tables and services | |
| Right to Restriction | Art.18 | Stop processing but retain data | Flag to restrict processing without deleting | |
| Right to Portability | Art.20 | Provide data in machine-readable format (JSON/CSV) | Export endpoint returning structured, portable data | |
| Right to Object | Art.21 | Stop processing based on legitimate interest | Opt-out mechanism that halts specified processing | |
| Automated Decision Making | Art.22 | Right to human review of automated decisions | Override mechanism for algorithmic decisions affecting users | |
Rights Implementation Audit
┌──────────────────────────────────────────────────────────────┐
│ DATA SUBJECT RIGHTS AUDIT │
│ │
│ RIGHT OF ACCESS (Art.15) │
│ □ Is there an API endpoint or UI for data export? │
│ □ Does the export include ALL personal data across │
│ all tables? (not just the users table) │
│ □ Is the response in a structured, commonly used format? │
│ □ Does it include processing purposes and recipients? │
│ □ Can access requests be fulfilled within 30 days? │
│ □ Is there an identity verification step before export? │
│ □ Is the access request logged for accountability? │
│ │
│ RIGHT TO RECTIFICATION (Art.16) │
│ □ Can users edit their own profile data? │
│ □ Can admins correct data on behalf of users? │
│ □ Are corrections propagated to all data stores? │
│ □ Are corrections propagated to third parties who │
│ received the original data? (Art.19) │
│ │
│ RIGHT TO ERASURE (Art.17) — "Right to be Forgotten" │
│ □ Is there an account deletion endpoint/UI? │
│ □ Does deletion cascade across ALL tables? │
│ (not just soft-delete on the users table) │
│ □ Are backups handled? (erasure from backups within │
│ reasonable timeframe or on next rotation) │
│ □ Is data in third-party services also deleted? │
│ (analytics, email providers, payment processors) │
│ □ Are there valid exceptions documented? │
│ (legal obligation to retain, freedom of expression) │
│ □ Is the deletion logged for accountability? │
│ □ Is hard delete used for personal data? (not just │
│ soft-delete — GDPR requires actual erasure) │
│ │
│ CHECK DELETION COMPLETENESS: │
│ → List every table with personal data or user_id FK │
│ → For each table: is the data deleted when account is │
│ deleted? │
│ → Check: audit_logs, sessions, support_tickets, │
│ notifications, file_uploads, comments, enrollments, │
│ submissions, certificates, activity_logs │
│ │
│ RIGHT TO DATA PORTABILITY (Art.20) │
│ □ Can data be exported in JSON or CSV? │
│ □ Does the export include data the user provided? │
│ □ Is the format machine-readable and interoperable? │
│ □ Can data be transmitted directly to another controller? │
│ │
│ RIGHT TO RESTRICTION OF PROCESSING (Art.18) │
│ □ Can processing be paused without deleting data? │
│ □ Is there a restriction flag in the database? │
│ □ Does the flag actually prevent processing? │
│ □ Is storage still permitted during restriction? │
│ │
│ RIGHT TO OBJECT (Art.21) │
│ □ Can users object to processing based on leg. interest? │
│ □ Does objection stop the processing immediately? │
│ □ For direct marketing: objection must ALWAYS be honored │
│ (no balancing test — Art.21(3)) │
│ □ Is there an unsubscribe link in every marketing email? │
│ □ Does unsubscribe work with one click? │
│ │
│ AUTOMATED DECISION-MAKING (Art.22) │
│ □ Are any decisions made solely by automated processing? │
│ □ Do automated decisions produce legal or significant │
│ effects? (scoring, access denial, pricing) │
│ □ Is there a mechanism for human review? │
│ □ Is the logic explained to the data subject? │
│ □ Can the data subject contest the decision? │
└──────────────────────────────────────────────────────────────┘
Phase 4: Consent Management Review
If any processing relies on consent (Art.6(1)(a)), the consent mechanism must meet strict requirements.
┌──────────────────────────────────────────────────────────────┐
│ CONSENT MANAGEMENT AUDIT │
│ │
│ CONSENT COLLECTION (Art.7) │
│ □ Is consent obtained BEFORE processing begins? │
│ □ Is consent opt-in? (not pre-ticked, not implied) │
│ □ Is the consent request clearly distinguishable from │
│ other content? (not buried in ToS) │
│ □ Is the language plain and specific? │
│ □ Are separate consents collected for separate purposes? │
│ (marketing vs analytics vs profiling — not bundled) │
│ □ Is consent freely given? (service not conditional on it) │
│ □ Can the user use the service if they decline consent │
│ for non-essential processing? │
│ │
│ CONSENT RECORDS (Art.7(1) — burden of proof) │
│ □ Is there a consent_records table or equivalent? │
│ □ Does each record include: │
│ → Who consented (user ID) │
│ → What they consented to (purpose, scope) │
│ → When they consented (timestamp) │
│ → How they consented (UI element, version of notice) │
│ → The text/version of the consent request shown? │
│ □ Are consent records immutable? (append-only, not editable)│
│ □ Can you produce consent proof if a regulator asks? │
│ │
│ CONSENT WITHDRAWAL (Art.7(3)) │
│ □ Is there a UI/API for withdrawing consent? │
│ □ Is withdrawal as easy as giving consent? │
│ (if consent was 1 click, withdrawal must be 1 click) │
│ □ Does withdrawal actually stop the processing? │
│ □ Is the withdrawal timestamped and recorded? │
│ □ Does withdrawal propagate to third parties? │
│ □ Is the user informed that withdrawal does not affect │
│ lawfulness of prior processing? (Art.7(3) last sentence) │
│ │
│ COOKIE CONSENT (ePrivacy Directive) │
│ □ Are cookies categorized? │
│ → Strictly necessary: no consent required │
│ → Functional: consent recommended │
│ → Analytics: consent required │
│ → Marketing/tracking: consent required │
│ □ Are non-essential cookies blocked BEFORE consent? │
│ (no loading GA/Hotjar until the user clicks "Accept") │
│ □ Is "Reject All" as prominent as "Accept All"? │
│ □ Can the user change preferences later? │
│ □ Is consent stored and not re-asked on every page load? │
│ □ Is there a cookie policy/notice? │
│ │
│ CODE-LEVEL CHECKS │
│ → grep for tracking scripts: "gtag\|analytics\|hotjar\| │
│ fbq\|pixel\|_ga" in frontend code │
│ → Are they conditionally loaded based on consent state? │
│ → grep for "setConsent\|consentGranted\|consent_mode" │
│ → Check: does page load fire any tracking before consent? │
└──────────────────────────────────────────────────────────────┘
Phase 5: Data Minimization & Retention Audit
GDPR requires that you collect only what is necessary (Art.5(1)(c)), keep it only as long as needed (Art.5(1)(e)), and process it only for stated purposes (Art.5(1)(b)).
┌──────────────────────────────────────────────────────────────┐
│ DATA MINIMIZATION AUDIT │
│ │
│ COLLECTION MINIMIZATION (Art.5(1)(c)) │
│ │
│ For EVERY data collection point (forms, APIs, imports): │
│ □ Is each field necessary for the stated purpose? │
│ □ Are optional fields clearly marked as optional? │
│ □ Are there fields collected "just in case"? (violation) │
│ □ Is the registration form collecting more than needed? │
│ (do you need date of birth for an LMS? phone number?) │
│ □ Are API endpoints accepting more fields than they use? │
│ (mass assignment risk + minimization violation) │
│ │
│ STORAGE MINIMIZATION │
│ □ Are there database columns that are never read? │
│ □ Are there tables storing data with no current purpose? │
│ □ Are full request/response bodies logged? │
│ (may contain personal data — log only what is needed) │
│ □ Are IP addresses stored longer than necessary? │
│ □ Are user agents stored? (do you actually need them?) │
│ □ Can behavioral data be anonymized or aggregated? │
│ │
│ RETENTION AUDIT (Art.5(1)(e) — Storage Limitation) │
│ │
│ For EVERY table containing personal data: │
│ □ Is there a defined retention period? │
│ □ Is the retention period documented in the privacy notice? │
│ □ Is there automated deletion/anonymization at expiry? │
│ □ Is there a manual review process for expired data? │
│ │
│ RETENTION SCHEDULE │
│ ┌──────────────────┬──────────────┬─────────────────┐ │
│ │ Data Category │ Retention │ Action at Expiry │ │
│ ├──────────────────┼──────────────┼─────────────────┤ │
│ │ Active accounts │ Account life │ Deletion request │ │
│ │ Deleted accounts │ 30-90 days │ Hard delete │ │
│ │ Server logs │ 90 days-1yr │ Auto-delete │ │
│ │ Audit logs │ 3-7 years │ Archive/delete │ │
│ │ Analytics │ 2 years │ Anonymize │ │
│ │ Support tickets │ 3-5 years │ Archive/delete │ │
│ │ Billing records │ 7 years │ Legal obligation │ │
│ │ Consent records │ Duration +7yr│ Legal obligation │ │
│ │ Backup data │ 30-90 days │ Auto-rotate │ │
│ └──────────────────┴──────────────┴─────────────────┘ │
│ │
│ CODE-LEVEL CHECKS │
│ → Is there a scheduled job for data cleanup? │
│ → Are soft-deleted records eventually hard-deleted? │
│ → Do backups have a rotation policy? │
│ → Are log files rotated and purged on schedule? │
│ → grep for "createdAt\|created_at\|deletedAt\|deleted_at" │
│ — is there logic comparing these to retention periods? │
└──────────────────────────────────────────────────────────────┘
Phase 6: Cross-Border Transfer Compliance
Post-Schrems II, transferring personal data outside the EEA requires additional safeguards. Every sub-processor, CDN, and analytics service is a transfer.
┌──────────────────────────────────────────────────────────────┐
│ CROSS-BORDER TRANSFER AUDIT │
│ │
│ STEP 1: MAP ALL DATA TRANSFERS │
│ │
│ Identify every service that receives personal data: │
│ □ Cloud hosting (AWS region, GCP region, Azure region) │
│ □ Email providers (SendGrid, SES, Mailgun) │
│ □ Payment processors (Stripe, PayPal) │
│ □ Analytics (GA4, Mixpanel, Amplitude) │
│ □ Error tracking (Sentry, Datadog, New Relic) │
│ □ CDN (Cloudflare, CloudFront, Fastly) │
│ □ Chat/support (Intercom, Zendesk, Crisp) │
│ □ Auth providers (Auth0, Firebase Auth) │
│ □ AI/ML services (OpenAI, Anthropic, Google AI) │
│ □ File storage (S3, GCS, Azure Blob) │
│ □ Search (Algolia, Elasticsearch Cloud) │
│ │
│ STEP 2: DETERMINE TRANSFER MECHANISM │
│ │
│ For each service in a non-EEA country: │
│ □ Is there an adequacy decision? (Art.45) │
│ → UK, Japan, South Korea, Canada (commercial), │
│ Switzerland, Israel, New Zealand, etc. │
│ → US: EU-US Data Privacy Framework (DPF) — check if │
│ the specific company is DPF-certified │
│ □ If no adequacy: are SCCs in place? (Art.46(2)(c)) │
│ → Standard Contractual Clauses (new 2021 version) │
│ → Signed by both parties │
│ → Module selection correct (C2C, C2P, P2P, P2C) │
│ □ Has a Transfer Impact Assessment (TIA) been conducted? │
│ → Required by Schrems II for SCCs │
│ → Assess laws of the destination country │
│ → Document supplementary measures if needed │
│ □ Are Binding Corporate Rules used? (Art.47) │
│ → Only for intra-group transfers │
│ │
│ STEP 3: SUPPLEMENTARY MEASURES │
│ │
│ If SCCs alone are insufficient (high-risk destination): │
│ □ Technical: encryption in transit and at rest │
│ □ Technical: pseudonymization before transfer │
│ □ Technical: split processing (process in EEA, store keys │
│ separately from data) │
│ □ Organizational: access controls limiting who can read │
│ the data in the destination country │
│ □ Contractual: additional audit rights, notification │
│ obligations for government access requests │
│ │
│ TRANSFER AUDIT TABLE │
│ ┌─────────────┬────────┬──────────┬───────────┬──────────┐ │
│ │ Service │ Country│ Data Sent│ Mechanism │ TIA Done │ │
│ ├─────────────┼────────┼──────────┼───────────┼──────────┤ │
│ │ AWS │ IE │ All data │ Adequacy │ N/A │ │
│ │ Stripe │ US │ Payment │ DPF+SCCs │ Yes │ │
│ │ SendGrid │ US │ Email │ SCCs │ Yes │ │
│ │ Sentry │ US │ Errors │ SCCs │ Pending │ │
│ └─────────────┴────────┴──────────┴───────────┴──────────┘ │
│ │
│ CODE-LEVEL CHECKS │
│ → grep for third-party API calls — where does data go? │
│ → Check environment variables for service URLs/regions │
│ → Are any services hard-coded to non-EEA endpoints? │
│ → Can the hosting region be configured per tenant? │
└──────────────────────────────────────────────────────────────┘
Phase 7: Cookie & Tracking Audit
The ePrivacy Directive (and GDPR for personal data in cookies) requires informed consent before setting non-essential cookies or running tracking scripts.
┌──────────────────────────────────────────────────────────────┐
│ COOKIE & TRACKING AUDIT │
│ │
│ STEP 1: SCAN FOR ALL COOKIES AND TRACKING │
│ │
│ Check the frontend codebase for: │
│ □ document.cookie usage │
│ □ localStorage / sessionStorage usage with personal data │
│ □ Google Analytics / GA4 (gtag, dataLayer) │
│ □ Facebook Pixel (fbq) │
│ □ Hotjar / FullStory / LogRocket │
│ □ HubSpot / Intercom / Drift tracking │
│ □ Advertising pixels (LinkedIn, Twitter, TikTok) │
│ □ A/B testing tools (Optimizely, VWO) │
│ □ Custom event tracking / telemetry │
│ □ Third-party script tags loaded in <head> or <body> │
│ │
│ STEP 2: CLASSIFY EACH COOKIE/TRACKER │
│ │
│ ┌──────────────────┬───────────┬───────────────────────┐ │
│ │ Category │ Consent? │ Examples │ │
│ ├──────────────────┼───────────┼───────────────────────┤ │
│ │ Strictly necess. │ No │ Session ID, CSRF, │ │
│ │ │ │ auth token, load │ │
│ │ │ │ balancer │ │
│ ├──────────────────┼───────────┼───────────────────────┤ │
│ │ Functional │ Recommend │ Language preference, │ │
│ │ │ │ theme, UI state │ │
│ ├──────────────────┼───────────┼───────────────────────┤ │
│ │ Analytics │ Required │ GA4, Mixpanel, │ │
│ │ │ │ Amplitude, Hotjar │ │
│ ├──────────────────┼───────────┼───────────────────────┤ │
│ │ Marketing │ Required │ Facebook Pixel, │ │
│ │ │ │ Google Ads, retarget │ │
│ └──────────────────┴───────────┴───────────────────────┘ │
│ │
│ STEP 3: VERIFY CONSENT GATE │
│ │
│ □ Is there a cookie consent banner? │
│ □ Is "Reject All" as easy as "Accept All"? │
│ □ Are non-essential scripts blocked until consent is given? │
│ → Check: does GA fire on page load without consent? │
│ → Check: are marketing pixels loaded before consent? │
│ □ Does the consent banner use dark patterns? │
│ (larger "Accept" button, hidden "Reject," nudging) │
│ □ Is consent granular? (analytics separate from marketing) │
│ □ Can users change their preference after initial choice? │
│ □ Does the consent preference persist correctly? │
│ □ Is consent re-asked if the cookie policy changes? │
│ │
│ STEP 4: VERIFY CONSENT INTEGRATION │
│ │
│ For Google Analytics (GA4): │
│ □ Is consent mode enabled? (consent: 'default', 'denied') │
│ □ Does gtag('consent','update',...) fire on acceptance? │
│ □ Are cookieless pings used before consent? │
│ (Google consent mode v2 sends cookieless pings — check │
│ if this is acceptable under your DPA interpretation) │
│ │
│ For all tracking scripts: │
│ □ Are scripts loaded dynamically after consent? │
│ □ Is there a consent state check before every tracking │
│ call? (not just on page load — SPAs need re-checks) │
└──────────────────────────────────────────────────────────────┘
Phase 8: Data Protection Impact Assessment
A DPIA is required when processing is likely to result in high risk to individuals. Art.35 defines when it is mandatory.
┌──────────────────────────────────────────────────────────────┐
│ DPIA TRIGGER ASSESSMENT │
│ │
│ A DPIA IS MANDATORY if any of these apply (Art.35(3)): │
│ │
│ □ Systematic and extensive profiling with significant │
│ effects on individuals │
│ □ Large-scale processing of special category data (Art.9) │
│ or criminal conviction data (Art.10) │
│ □ Systematic monitoring of a publicly accessible area │
│ □ Large-scale processing by itself │
│ □ Matching or combining datasets from different sources │
│ □ Processing data of vulnerable individuals (employees, │
│ children, patients, students) │
│ □ Innovative use of technology (AI/ML, biometrics, │
│ IoT, blockchain for personal data) │
│ □ Processing that prevents data subjects from exercising │
│ a right or using a service │
│ □ Automated decision-making with legal or significant │
│ effects (Art.22) │
│ │
│ If 2 or more criteria are met → DPIA is required │
│ If unsure → conduct the DPIA anyway (Art.35(1) general rule)│
│ │
│ ───────────────────────────────────────────────────────── │
│ │
│ DPIA STRUCTURE (if required): │
│ │
│ 1. Description of processing │
│ → What data, what purpose, what technology │
│ 2. Necessity and proportionality assessment │
│ → Is this processing necessary for the purpose? │
│ → Could you achieve the same goal with less data? │
│ 3. Risk assessment │
│ → What are the risks to individuals? │
│ → What is the likelihood and severity? │
│ 4. Mitigation measures │
│ → What controls reduce the identified risks? │
│ → Are they technical or organizational? │
│ 5. Residual risk assessment │
│ → After mitigation, is the remaining risk acceptable? │
│ 6. DPO consultation │
│ → DPO opinion documented │
│ 7. Supervisory authority consultation (if high residual risk)│
│ → Art.36 — prior consultation │
│ │
│ RISK MATRIX │
│ ┌───────────────┬────────────┬────────────┬────────────┐ │
│ │ │ Low Impact │ Med Impact │ High Impact│ │
│ ├───────────────┼────────────┼────────────┼────────────┤ │
│ │ Low Likelihood│ LOW │ LOW │ MEDIUM │ │
│ │ Med Likelihood│ LOW │ MEDIUM │ HIGH │ │
│ │ High Likelihd │ MEDIUM │ HIGH │ CRITICAL │ │
│ └───────────────┴────────────┴────────────┴────────────┘ │
└──────────────────────────────────────────────────────────────┘
Phase 9: Breach Detection & Notification Readiness
Art.33 requires notification to the supervisory authority within 72 hours. Art.34 requires communication to affected data subjects if the breach is high risk.
┌──────────────────────────────────────────────────────────────┐
│ BREACH NOTIFICATION READINESS │
│ │
│ DETECTION CAPABILITIES │
│ □ Are there audit logs for data access? (who accessed what) │
│ □ Are there alerts for unusual access patterns? │
│ □ Are failed login attempts logged and monitored? │
│ □ Are bulk data exports detected? │
│ □ Are unauthorized API access attempts logged? │
│ □ Is there intrusion detection on the infrastructure? │
│ │
│ NOTIFICATION WORKFLOW │
│ □ Is there a documented breach response procedure? │
│ □ Is there a breach register (even for non-reported ones)? │
│ □ Can you determine the scope of a breach? (what data, │
│ how many subjects, what categories) │
│ □ Can you generate a breach notification report with: │
│ → Nature of the breach (Art.33(3)(a)) │
│ → Categories and approximate number of data subjects │
│ → Categories and approximate number of records │
│ → Name and contact of the DPO │
│ → Likely consequences of the breach │
│ → Measures taken or proposed to address the breach │
│ □ Is there a template for supervisory authority notification?│
│ □ Is there a template for data subject notification? │
│ │
│ TIMELINE │
│ ┌─────────────┬─────────────────────────────────────────┐ │
│ │ T+0 │ Breach detected or reported │ │
│ │ T+0 to T+24 │ Assess scope, contain, preserve evidence │ │
│ │ T+24 to T+48│ Prepare notification, consult DPO │ │
│ │ T+48 to T+72│ Notify supervisory authority (Art.33) │ │
│ │ T+72+ │ Notify data subjects if high risk (Art.34)│ │
│ │ Ongoing │ Document everything in breach register │ │
│ └─────────────┴─────────────────────────────────────────┘ │
│ │
│ CODE-LEVEL CHECKS │
│ → Is there an audit_logs or event_logs table? │
│ → Does it log data access events (not just auth events)? │
│ → Is there a bulk export alert mechanism? │
│ → Are admin actions logged with IP and timestamp? │
│ → Is there a breach flag or incident model in the database? │
└──────────────────────────────────────────────────────────────┘
Phase 10: Privacy Notice Review
Art.13 (data collected from the subject) and Art.14 (data obtained from other sources) require transparent disclosure of processing activities.
┌──────────────────────────────────────────────────────────────┐
│ PRIVACY NOTICE REVIEW │
│ │
│ REQUIRED DISCLOSURES — Art.13 │
│ │
│ □ Identity and contact details of the controller │
│ □ Contact details of the DPO (if appointed) │
│ □ Purposes of the processing │
│ □ Lawful basis for each purpose │
│ □ Legitimate interests pursued (if Art.6(1)(f)) │
│ □ Recipients or categories of recipients │
│ □ Details of international transfers + safeguards │
│ □ Retention periods (or criteria to determine them) │
│ □ Data subject rights (access, rectification, erasure, │
│ restriction, portability, objection) │
│ □ Right to withdraw consent (if consent is the basis) │
│ □ Right to lodge a complaint with a supervisory authority │
│ □ Whether provision of data is statutory/contractual │
│ requirement and consequences of not providing it │
│ □ Existence of automated decision-making (Art.22) │
│ □ If data obtained from sources other than the data │
│ subject: the source and categories of data (Art.14) │
│ │
│ ACCESSIBILITY │
│ □ Is the notice easy to find? (footer link, registration) │
│ □ Is it written in clear, plain language? (not legal jargon)│
│ □ Is it available in relevant languages? │
│ □ Is it provided at the time of data collection? │
│ □ Is it layered? (short notice + full notice) │
│ □ Is there a version date on the notice? │
│ □ Are users notified of material changes? │
│ │
│ CODE-LEVEL CHECKS │
│ → Is the privacy notice linked in the registration form? │
│ → Is consent checkbox text accurate and up to date? │
│ → Does the privacy notice match what the code actually does?│
│ → If the code collects data not mentioned in the notice │
│ → that is a transparency violation (Art.5(1)(a)) │
└──────────────────────────────────────────────────────────────┘
GDPR Compliance Checklist
Comprehensive checklist mapped to specific Articles. Use this as the final sign-off for any GDPR audit.
Principles (Art.5)
| # | Check | Article | Status | |
|---|
| 1 | Processing is lawful, fair, and transparent | Art.5(1)(a) | | |
| 2 | Data collected for specified, explicit, and legitimate purposes | Art.5(1)(b) | | |
| 3 | Data is adequate, relevant, and limited to what is necessary | Art.5(1)(c) | | |
| 4 | Data is accurate and kept up to date | Art.5(1)(d) | | |
| 5 | Data retained only as long as necessary for the purpose | Art.5(1)(e) | | |
| 6 | Data processed with appropriate security (integrity & confidentiality) | Art.5(1)(f) | | |
| 7 | Controller can demonstrate compliance with all principles | Art.5(2) | | |
Lawful Basis (Art.6-11)
| # | Check | Article | Status | |
|---|
| 8 | Every processing activity has a documented lawful basis | Art.6(1) | | |
| 9 | Consent is freely given, specific, informed, and unambiguous | Art.7(1) | | |
| 10 | Consent can be withdrawn as easily as it was given | Art.7(3) | | |
| 11 | Consent records include who, what, when, and how | Art.7(1) | | |
| 12 | Children's consent handled with age verification + parental consent | Art.8 | | |
| 13 | Special category data (health, biometric, etc.) has explicit consent or exception | Art.9 | | |
| 14 | Criminal conviction data processed only under official authority | Art.10 | | |
| 15 | Processing that does not require identification does not force identification | Art.11 | | |
Transparency & Information (Art.12-14)
| # | Check | Article | Status | |
|---|
| 16 | Privacy notice is concise, transparent, intelligible, and easily accessible | Art.12(1) | | |
| 17 | Information provided free of charge | Art.12(5) | | |
| 18 | Data subject requests responded to within one month | Art.12(3) | | |
| 19 | Identity of controller and DPO contact details disclosed | Art.13(1)(a-b) | | |
| 20 | Processing purposes and lawful basis disclosed | Art.13(1)(c-d) | | |
| 21 | Recipients and international transfer details disclosed | Art.13(1)(e-f) | | |
| 22 | Retention periods disclosed | Art.13(2)(a) | | |
| 23 | Data subject rights disclosed | Art.13(2)(b-d) | | |
| 24 | Automated decision-making logic disclosed | Art.13(2)(f) | | |
| 25 | Third-party sourced data: source and categories disclosed | Art.14(2)(f) | | |
Data Subject Rights (Art.15-22)
| # | Check | Article | Status | |
|---|
| 26 | Right of access — user can obtain a copy of all their personal data | Art.15 | | |
| 27 | Access response includes purposes, categories, recipients, retention, rights | Art.15(1) | | |
| 28 | Access response provided in commonly used electronic format | Art.15(3) | | |
| 29 | Right to rectification — user can correct inaccurate data | Art.16 | | |
| 30 | Right to erasure — user can request deletion of their data | Art.17(1) | | |
| 31 | Erasure cascades to all data stores, backups (within reason), and processors | Art.17(2) | | |
| 32 | Erasure exceptions documented (legal obligation, public interest, legal claims) | Art.17(3) | | |
| 33 | Right to restriction — processing can be paused on request | Art.18 | | |
| 34 | Notification obligation — recipients informed of rectification/erasure/restriction | Art.19 | | |
| 35 | Right to data portability — data provided in structured, machine-readable format | Art.20(1) | | |
| 36 | Portability includes direct transmission to another controller if feasible | Art.20(2) | | |
| 37 | Right to object — user can object to processing based on legitimate interest | Art.21(1) | | |
| 38 | Right to object to direct marketing — always honored, no balancing test | Art.21(2-3) | | |
| 39 | Automated individual decision-making — right to human intervention | Art.22(1) | | |
| 40 | Automated decisions — user can express their point of view and contest | Art.22(3) | | |
Controller & Processor (Art.24-31)
| # | Check | Article | Status | |
|---|
| 41 | Controller implements appropriate technical and organizational measures | Art.24(1) | | |
| 42 | Data protection by design — privacy built into systems from the start | Art.25(1) | | |
| 43 | Data protection by default — only necessary data processed by default | Art.25(2) | | |
| 44 | Joint controllers have a documented arrangement | Art.26 | | |
| 45 | Processor has a written contract/DPA with required clauses | Art.28(3) | | |
| 46 | Sub-processors authorized by controller, same obligations imposed | Art.28(2,4) | | |
| 47 | Records of Processing Activities (ROPA) maintained | Art.30(1) | | |
| 48 | ROPA includes purposes, categories, recipients, transfers, retention, security | Art.30(1)(a-g) | | |
Security & Breach (Art.32-34)
| # | Check | Article | Status | |
|---|
| 49 | Encryption of personal data in transit (TLS) | Art.32(1)(a) | | |
| 50 | Encryption of personal data at rest | Art.32(1)(a) | | |
| 51 | Ability to ensure ongoing confidentiality, integrity, availability | Art.32(1)(b) | | |
| 52 | Ability to restore access to personal data after an incident | Art.32(1)(c) | | |
| 53 | Regular testing and evaluation of security measures | Art.32(1)(d) | | |
| 54 | Breach notification to supervisory authority within 72 hours | Art.33(1) | | |
| 55 | Breach notification includes nature, categories, numbers, DPO, consequences, measures | Art.33(3) | | |
| 56 | Breach register maintained (all breaches, even non-reported) | Art.33(5) | | |
| 57 | High-risk breach communicated to affected data subjects | Art.34(1) | | |
DPIA & Prior Consultation (Art.35-36)
| # | Check | Article | Status | |
|---|
| 58 | DPIA conducted for high-risk processing | Art.35(1) | | |
| 59 | DPIA trigger criteria documented and assessed | Art.35(3) | | |
| 60 | DPIA includes description, necessity, risks, and mitigation measures | Art.35(7) | | |
| 61 | DPO consulted during DPIA | Art.35(2) | | |
| 62 | Supervisory authority consulted if residual risk is high | Art.36(1) | | |
International Transfers (Art.44-49)
| # | Check | Article | Status | |
|---|
| 63 | All transfers to non-EEA countries identified | Art.44 | | |
| 64 | Transfers based on adequacy decision documented | Art.45 | | |
| 65 | Transfers using SCCs: correct module selected, signed | Art.46(2)(c) | | |
| 66 | Transfer Impact Assessment (TIA) conducted post-Schrems II | Art.46 + CJEU | | |
| 67 | Supplementary measures implemented where SCCs insufficient | Art.46 + EDPB | | |
| 68 | BCRs approved by supervisory authority (if used) | Art.47 | | |
| 69 | Derogations used only in limited circumstances | Art.49 | | |
DPO & Governance (Art.37-43)
| # | Check | Article | Status | |
|---|
| 70 | DPO appointed if required (public authority, large-scale monitoring, special categories) | Art.37(1) | | |
| 71 | DPO contact details published and communicated to supervisory authority | Art.37(7) | | |
| 72 | DPO involved in all data protection matters | Art.38(1) | | |
| 73 | DPO reports to highest management level | Art.38(3) | | |
Cookie & ePrivacy Compliance
| # | Check | Article | Status | |
|---|
| 74 | Cookies classified (necessary, functional, analytics, marketing) | ePrivacy Art.5(3) | | |
| 75 | Non-essential cookies require prior informed consent | ePrivacy Art.5(3) | | |
| 76 | Consent banner presents "Reject All" equally to "Accept All" | EDPB Guidelines | | |
| 77 | Non-essential scripts/cookies blocked before consent is given | ePrivacy Art.5(3) | | |
| 78 | Cookie preferences can be changed after initial choice | EDPB Guidelines | | |
| 79 | Cookie policy is accessible and up to date | ePrivacy Art.5(3) | | |
| 80 | No dark patterns in consent UI (nudging, pre-selection, obstruction) | EDPB Guidelines 05/2020 | | |
GDPR Article Reference by Code Area
Quick reference mapping code areas to the GDPR Articles you must check.
| Code Area | Primary Articles | What to Check | |
|---|
| User registration | Art.5, 6, 7, 12, 13, 25 | Lawful basis, consent, privacy notice, data minimization | |
| Login / authentication | Art.5(1)(f), 32 | Security measures, failed attempt logging, session management | |
| Profile / settings | Art.5(1)(d), 16, 17, 18, 20 | Rectification, erasure, restriction, portability | |
| Email / notifications | Art.6(1)(a), 7, 21 | Consent for marketing, unsubscribe mechanism, objection | |
| Analytics / tracking | Art.6(1)(a/f), 7, ePrivacy | Consent before tracking, cookie classification, LIA for leg. interest | |
| File uploads | Art.5(1)(c), 17, 32 | Minimization, erasure of uploaded files, secure storage | |
| API endpoints | Art.5(1)(f), 25, 32 | Security by design, input validation, access controls | |
| Database schema | Art.5(1)(c,e), 25, 30 | Minimization, retention, ROPA accuracy | |
| Third-party integrations | Art.28, 44-49 | DPA, SCCs, sub-processor authorization | |
| Audit / activity logs | Art.5(1)(e), 30, 33 | Retention limits, breach detection, ROPA | |
| Admin panel | Art.15, 16, 17, 32 | Access request fulfillment, admin access logging | |
| Data export | Art.15, 20 | Access right, portability format | |
| Account deletion | Art.17 | Complete erasure across all stores | |
| Backup / disaster recovery | Art.17, 32 | Erasure from backups, restore capability | |
| Error tracking (Sentry etc.) | Art.5(1)(c), 25, 44 | PII in error reports, cross-border transfer | |
Write the GDPR Compliance Report
Report Template
## GDPR Compliance Audit Report
Scope
- Application: [name and version]
- Components audited: [backend, frontend, database, infrastructure]
- Date: [date]
- Auditor: [name/role]
Executive Summary
- Compliant: X items
- Partially compliant: X items
- Non-compliant: X items (require immediate action)
- Critical risk: X items (potential fine exposure)
Critical Risk Findings
- [Article Reference] — Short description
- Article: Art.XX(Y)
- Requirement: What GDPR requires
- Current State: What the code does now
- Risk: What could happen (regulatory fine, data breach, rights violation)
- Remediation: Exact steps to fix
- Priority: Immediate / Before launch / Next sprint
Non-Compliant Findings
[same format as above]
Partially Compliant Findings
[same format — note what works and what is missing]
Compliant Areas
[list of areas that meet GDPR requirements — acknowledge good practices]
Data Subject Rights Status| Right | Article | Implemented? | Mechanism | Gap | |
|---|
| Access | Art.15 | Partial | Manual export | No self-service UI | |
| Erasure | Art.17 | Yes | Account deletion | Backups not purged | |
| ... | ... | ... | ... | ... | |
Cross-Border Transfer Register| Service | Country | Data Types | Legal Mechanism | TIA | Status | |
|---|
| ... | ... | ... | ... | ... | ... | |
Recommendations
[prioritized list of improvements, grouped by urgency]
Next Steps
Tips for Best Results
- Start with the data inventory — You cannot assess compliance if you do not know what personal data you process. Map every field, every table, every data flow before anything else.
- Follow the data, not the code structure — Personal data does not respect module boundaries. A user's email might be in the users table, the audit log, the email queue, the error tracker, and three sub-processor systems. Follow it everywhere.
- Check what the code does, not what the docs say — Privacy notices and DPAs describe intended behavior. The code describes actual behavior. When they diverge, the code is what the regulator will look at.
- Lawful basis is not retroactive — If you discover processing without a documented lawful basis, the processing is already a violation. Document the basis now, and assess whether past processing needs remediation (notification, deletion, re-consent).
- Test the rights endpoints — Do not just check that a data export endpoint exists. Call it. Does it return ALL personal data? Does the erasure endpoint actually delete from ALL tables? Does the unsubscribe link actually stop emails?
- Consent is the weakest lawful basis — It can be withdrawn at any time, it requires records, and it must be freely given. If you can use contract or legitimate interest instead, you should. Use consent only when no other basis applies (typically marketing).
- Think like a regulator — Regulators look for patterns: excessive data collection, missing transparency, broken rights mechanisms, sloppy processor management. They issue fines based on the severity and the controller's attitude toward compliance. Demonstrate that you take it seriously.