GDPR Compliance Checker

Lawful basis is conflated with consent. Article 6 lists six lawful bases for processing — consent is one of them, often the wrong one. Legitimate interest is appropriate for most analytics and product telemetry; contract is appropriate for service delivery. Relying on consent everywhere creates an obligation to honor withdrawal everywhere, which most product flows can't actually do.

Cookie consent is implemented but cookies fire before consent. The ePrivacy Directive requires consent before non-essential cookies fire. Most cookie banners load consent UI on the same page where analytics, ad pixels, and CRM scripts have already executed. Real prior consent means gating script execution on the consent state, not just collecting the consent.

Data subject requests have no SLA. Article 12 requires response within one month for access, erasure, rectification, portability, and objection requests. Most companies have a DSR inbox but no automated routing, no tracked SLA, and no defensible record of how they responded. DPAs investigate response times specifically.

Cross-border transfer mechanisms are stale. Schrems II invalidated the Privacy Shield in 2020; the EU-US Data Privacy Framework (DPF) replaced it in 2023, but only covers certified US importers. Companies relying on Standard Contractual Clauses (SCCs) signed before 2021 are using outdated clauses. SCC modernization is a 4-hour project that's almost universally deferred.

Records of Processing Activities (Article 30) don't exist. Most organizations have not maintained the Article 30 record — the catalog of what personal data they process, why, for whom, for how long, with what safeguards. This is the first document a DPA requests during any investigation.

Data Protection Officer is appointed but not independent. Article 38 requires the DPO to report to the highest management level and have no conflict of interest with other duties. DPOs who are also Engineering Managers, CISOs, or Heads of Product face structural conflict-of-interest problems that DPAs have explicitly cited in enforcement actions.

Breach notification window is unrealistic. Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. Many companies' incident response runbooks assume days or weeks. 72-hour notification requires pre-built notification templates, identified legal counsel on retainer, and clear internal escalation paths.

Produce or refresh your Article 30 record. This is the foundational document — every subsequent compliance artifact references it. Without it, every gap remediation is built on sand.

Inventory your lawful bases by processing activity. Map every category of processing to a specific Article 6 basis and document the reasoning. Where you've defaulted to consent, evaluate whether legitimate interest or contract would be more accurate.

Modernize SCCs and verify DPF status for US transfers. If you're transferring data to US sub-processors, confirm whether they're DPF-certified (use the active DPF list). If not, you need current SCCs (2021 modular SCCs) plus a Transfer Impact Assessment.

Build a DSR-response workflow with SLA tracking. Treat data subject requests like security incidents — defined runbook, owner, SLA, audit trail.

Conduct DPIAs for high-risk processing. AI features, large-scale processing, and systematic monitoring of public spaces trigger Article 35 DPIA requirements. Build the template and process now, not when the regulator asks.