GDPR | 8 min read | March 10, 2026

GDPR Compliance Checklist: 12 Essential Controls Every European SME Must Implement

The General Data Protection Regulation remains the cornerstone of European data protection law. With cumulative fines exceeding EUR 5 billion since 2018, supervisory authorities across the EU have demonstrated an unwavering commitment to enforcement. For small and medium-sized enterprises, understanding which controls matter most is no longer optional. It is a business imperative.

This checklist distils the 12 foundational controls that EU Data Protection Authorities consistently examine during audits. Each control maps directly to specific GDPR articles, giving your organisation a clear path from regulatory text to operational compliance.

1. Data Mapping and Records of Processing Activities

Article 30 of the GDPR requires controllers and processors to maintain written records of processing activities. The SME derogation in Article 30(5) rarely helps: it falls away as soon as any processing is more than occasional, is likely to carry a risk to individuals, or involves special category or criminal conviction data, and routine HR or customer processing is never occasional. For SMEs, this means building a comprehensive data inventory that documents every category of personal data your organisation collects, the legal basis for processing, retention periods, and any third parties with whom data is shared.

Your data map should cover all departments, including HR, marketing, finance, and customer service. Many enforcement actions originate from incomplete or outdated records of processing activities. The Belgian DPA, for example, has issued multiple fines specifically for Article 30 violations, treating incomplete records as evidence of broader compliance failures.

  • Document all categories of personal data processed (names, emails, IP addresses, health data, etc.)
  • Record the purpose and legal basis for each processing activity
  • Identify data flows between internal departments and external processors
  • Specify retention periods for each data category
  • Update the register at least quarterly or whenever processing activities change

2. Establish a Lawful Basis for Every Processing Activity

Article 6 sets out six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Every processing activity in your data map must be linked to a documented Article 6 basis, chosen before the processing starts; the EDPB does not accept switching to a different basis after the fact because the original one proved inconvenient. Relying on the wrong basis, or failing to document your choice, is one of the most common violations cited by supervisory authorities.

For special categories of data (Article 9), such as health data, biometric data, or data revealing racial or ethnic origin, you must identify an additional condition under Article 9(2). Processing special category data without meeting both Article 6 and Article 9 requirements constitutes a serious infringement.

  • Map each processing activity to one of the six Article 6 bases
  • For legitimate interests, conduct and document a Legitimate Interests Assessment (LIA)
  • Never default to consent when another basis is more appropriate
  • Identify Article 9 conditions for any special category data
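The register checks in items 1 and 2 (a lawful basis for every activity, a documented LIA where legitimate interests is relied on, an Article 9(2) condition for special category data, and a retention period) are mechanical enough to script. The following is an added example and not code from the article or from any vendor: the record layout, the ProcessingActivity class, the short tags for the Article 6 bases and Article 9 categories, and the sample entries are all constructed for illustration. A real register holds more than this check inspects (recipients, transfer safeguards, Article 32 measures).

```python
"""Article 30 register sanity check (added example; not code from the article).

Assumptions, labelled here and in comments: the record layout, field names,
the ProcessingActivity class and the sample entries are constructed for this
example. A real register holds more than this check inspects.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Article 6(1)(a)-(f) as short tags (naming is this example's own convention).
ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
# Article 9(1) special categories as short tags.
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions", "religious_beliefs",
    "trade_union_membership", "genetic", "biometric", "health",
    "sex_life_or_orientation",
}
# Article 9(2)(a)-(j) conditions, recorded by sub-paragraph letter.
ARTICLE_9_CONDITIONS = {f"9(2)({letter})" for letter in "abcdefghij"}


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    data_categories: Set[str]
    lawful_basis: Optional[str]
    retention_days: Optional[int]
    processors: List[str] = field(default_factory=list)
    article_9_condition: Optional[str] = None
    lia_documented: bool = False  # Legitimate Interests Assessment on file?


def check_activity(activity: ProcessingActivity) -> List[str]:
    """Return one finding per gap that checklist items 1 and 2 would flag."""
    findings = []
    name = activity.name
    if not activity.purpose.strip():
        findings.append(f"{name}: purpose not recorded")
    if activity.lawful_basis not in ARTICLE_6_BASES:
        findings.append(f"{name}: no valid Article 6 basis recorded ({activity.lawful_basis!r})")
    elif activity.lawful_basis == "legitimate_interests" and not activity.lia_documented:
        findings.append(f"{name}: legitimate interests relied on without a documented LIA")
    special = activity.data_categories & SPECIAL_CATEGORIES
    if special and activity.article_9_condition not in ARTICLE_9_CONDITIONS:
        findings.append(
            f"{name}: special category data {sorted(special)} without an Article 9(2) condition"
        )
    if activity.retention_days is None or activity.retention_days <= 0:
        findings.append(f"{name}: retention period not recorded")
    return findings


def check_register(register: List[ProcessingActivity]) -> List[str]:
    """Run check_activity over the whole register and flatten the findings."""
    return [finding for activity in register for finding in check_activity(activity)]


# Constructed sample register: one clean entry and two with gaps.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="payroll",
        purpose="Pay salaries and report to the tax authority",
        data_categories={"name", "bank_account", "salary", "tax_id"},
        lawful_basis="legal_obligation",
        retention_days=7 * 365,
        processors=["payroll-provider"],
    ),
    ProcessingActivity(
        name="newsletter_analytics",
        purpose="Measure open and click rates",
        data_categories={"email", "ip_address"},
        lawful_basis="legitimate_interests",
        retention_days=180,
        lia_documented=False,          # gap: LIA never written down
    ),
    ProcessingActivity(
        name="occupational_health",
        purpose="Fitness-for-work assessments",
        data_categories={"name", "health"},
        lawful_basis="legal_obligation",
        retention_days=None,           # gap: no retention period
        article_9_condition=None,      # gap: Article 9 data with no 9(2) condition
    ),
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

Run against the constructed register it reports three gaps: the missing LIA, the health data with no Article 9(2) condition, and the missing retention period. The point is that a register which is a spreadsheet nobody validates drifts silently; a check like this run on every change catches the omissions the Belgian DPA fines cited above were about.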

3. Consent Management

Where consent is your chosen legal basis, Article 7 (and Article 8 for children) imposes strict requirements. Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw consent as it was to give it. Pre-ticked boxes, bundled consent, or consent buried in terms and conditions do not meet the GDPR standard.

The CNIL (French DPA) has been particularly active in enforcing consent requirements, issuing significant fines to organisations that relied on non-compliant cookie consent mechanisms. Your consent management platform should generate auditable records that demonstrate when, how, and for what purpose each individual gave consent.

  • Implement granular consent mechanisms (separate consent for separate purposes)
  • Maintain auditable consent records with timestamps
  • Provide a straightforward mechanism to withdraw consent at any time
  • Review consent validity annually, refreshing where the processing context has changed
  • Where you offer online services directly to children, obtain verifiable parental consent for those under 16 (or the lower age, down to 13, set by your Member State) per Article 8
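The auditable consent record the CNIL expects (when, how, for which purpose, and with withdrawal as easy as giving) maps naturally onto an append-only event log. The following is an added example and not code from the article or from any consent management platform: the event layout, purpose names, notice version tags and sample events are constructed for this example, and storage is an in-memory list where a real system would write the same events to a store that forbids updates and deletes.

```python
"""Append-only consent ledger (added example; not code from the article).

Assumptions: the event layout, the purpose names and the sample events are
constructed for this example. Storage is an in-memory list; a real system
would persist the same events to a table that permits INSERT only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str           # one purpose per event: granular consent
    granted: bool          # True = consent given, False = withdrawn
    at: datetime           # timezone-aware timestamp
    source: str            # where it happened, e.g. "signup_form", "preferences_page"
    notice_version: str    # consent text / privacy notice version shown (empty on withdrawal)


def ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset, e.g. '2026-02-01T00:00:00+00:00'."""
    return datetime.fromisoformat(iso)


class ConsentLedger:
    """Events are appended, never edited: the list itself is the audit record."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def give(self, subject_id: str, purpose: str, source: str,
             notice_version: str, at: datetime) -> None:
        self._append(ConsentEvent(subject_id, purpose, True, at, source, notice_version))

    def withdraw(self, subject_id: str, purpose: str, source: str, at: datetime) -> None:
        # Withdrawal asks for nothing more than giving did: no notice version, no reason.
        self._append(ConsentEvent(subject_id, purpose, False, at, source, ""))

    def _latest(self, subject_id: str, purpose: str, as_of: datetime) -> Optional[ConsentEvent]:
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        return max(matching, key=lambda e: e.at, default=None)

    def is_consented(self, subject_id: str, purpose: str, as_of: datetime) -> bool:
        """Consent holds only if the latest event for this purpose at or before as_of granted it."""
        latest = self._latest(subject_id, purpose, as_of)
        return latest is not None and latest.granted

    def needs_refresh(self, subject_id: str, purpose: str,
                      current_notice_version: str, as_of: datetime) -> bool:
        """True when consent stands but was given against an older notice text."""
        latest = self._latest(subject_id, purpose, as_of)
        return (latest is not None and latest.granted
                and latest.notice_version != current_notice_version)

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, oldest first: evidence for an audit or access request."""
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one person consents to two purposes, later withdraws one."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.give("user-42", "marketing_email", "signup_form", "notice-v1",
                datetime(2026, 1, 5, 9, 0, tzinfo=utc))
    ledger.give("user-42", "product_analytics", "signup_form", "notice-v1",
                datetime(2026, 1, 5, 9, 0, tzinfo=utc))
    ledger.withdraw("user-42", "marketing_email", "preferences_page",
                    datetime(2026, 2, 20, 14, 30, tzinfo=utc))
    return ledger
```

Two design choices carry the compliance weight. Consent is keyed per purpose, so withdrawing marketing e-mail leaves analytics untouched and there is no bundled "accept all" state to argue over. And because the question "was this person consented on this date?" is answered from the event history rather than a mutable flag, the answer the auditor gets is the same one the system acted on at the time.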

4. Data Protection Officer (DPO) Assessment

Article 37 requires the appointment of a Data Protection Officer where the processing is carried out by a public authority or body, or where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or criminal conviction data. Even where appointment is not mandatory, designating a DPO or a privacy lead demonstrates accountability.

The DPO must be provided with the resources necessary to carry out their tasks (Article 38) and must report to the highest level of management. The DPO cannot be dismissed or penalised for performing their duties, and conflicts of interest must be avoided.

  • Assess whether your organisation is required to appoint a DPO under Article 37
  • If not required, consider a voluntary appointment or designate a privacy lead
  • Ensure the DPO has direct access to senior management
  • Publish the DPO contact details and communicate them to your supervisory authority

5. Data Protection Impact Assessments (DPIAs)

Article 35 mandates a DPIA where processing is likely to result in a high risk to the rights and freedoms of natural persons. This includes systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas.

A DPIA must describe the processing, assess its necessity and proportionality, evaluate the risks, and identify measures to mitigate those risks. Where the DPIA indicates high residual risk, Article 36 requires prior consultation with the supervisory authority before processing begins.

  • Maintain a DPIA threshold assessment for all new processing activities
  • Conduct full DPIAs for high-risk processing as defined by Article 35(3) and your DPA published lists
  • Document risk mitigation measures and residual risk assessments
  • Consult the supervisory authority under Article 36 where residual risk remains high

6. Data Breach Notification Procedures

Articles 33 and 34 establish a strict breach notification regime. Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a notification made after 72 hours must be accompanied by the reasons for the delay. Where a breach is likely to result in a high risk to individuals, those individuals must also be notified directly without undue delay.

Many supervisory authorities treat late notification as an aggravating factor when determining fines. The Dutch DPA (Autoriteit Persoonsgegevens) and the Irish DPC have both imposed penalties specifically for delayed breach reporting, separate from any penalty for the underlying security failure.

  • Establish an internal breach detection and escalation procedure
  • Define roles and responsibilities for breach assessment and notification
  • Create template notifications for supervisory authorities (Article 33(3) content requirements)
  • Implement a breach register documenting all personal data breaches, including those not reported (Article 33(5) requires this regardless of whether notification was owed)
  • Conduct post-breach reviews to prevent recurrence

7. Cross-Border Data Transfers

Chapter V of the GDPR (Articles 44 to 50) restricts transfers of personal data to countries outside the EEA unless adequate safeguards are in place. Following the Schrems II judgment (C-311/18), organisations must conduct Transfer Impact Assessments (TIAs) for transfers relying on Standard Contractual Clauses (SCCs), assessing whether the law and practice of the destination country undermines the protection the clauses promise.

The European Data Protection Board (EDPB) has published detailed guidance on supplementary measures for international transfers. Where your organisation uses cloud services or SaaS platforms with servers outside the EEA, each transfer must be documented and assessed.

  • Identify all international data transfers in your data map
  • Verify adequacy decisions under Article 45 for each destination country
  • Implement SCCs (Article 46(2)(c)) with Transfer Impact Assessments where no adequacy decision exists
  • Document supplementary technical and organisational measures per EDPB Recommendations 01/2020
  • Monitor changes in adequacy decisions (e.g., EU-U.S. Data Privacy Framework developments)

8. Processor Agreements

Article 28 requires a binding contract between controllers and processors that governs the processing of personal data. This contract must include specific mandatory clauses covering the subject matter, duration, nature, and purpose of processing, the types of personal data, and the obligations of the processor.

Supervisory authorities have increasingly scrutinised controller-processor relationships. The German Federal Commissioner for Data Protection (BfDI) has emphasised that using a processor without adequate contractual safeguards constitutes a standalone GDPR violation, regardless of whether any data breach occurs.

  • Audit all existing processor relationships for Article 28 compliance
  • Include mandatory clauses: processing instructions, confidentiality, security measures, sub-processor approvals, audit rights, deletion obligations
  • Maintain a register of all processors and sub-processors
  • Conduct periodic processor audits or obtain independent assurance (SOC 2 Type II reports, ISO 27001 certification) and read the scope: an attestation that does not cover the service you use proves nothing

9. Privacy Notices and Transparency

Articles 13 and 14 require controllers to provide comprehensive information to data subjects at the time of data collection (or within a reasonable period for data not obtained directly). Information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

Privacy notices must include the identity and contact details of the controller and DPO, the purposes and legal basis for processing, recipients of data, international transfer safeguards, retention periods, data subject rights, the right to lodge a complaint, and whether automated decision-making (Article 22) is used.

  • Provide layered privacy notices covering all Article 13 and 14 requirements
  • Make notices accessible at all data collection points (website, forms, apps, in-store)
  • Use plain language appropriate for your audience
  • Review and update notices whenever processing activities change

10. Data Subject Rights

Chapter III of the GDPR (Articles 12 to 23, with the individual rights in Articles 15 to 22) grants data subjects a suite of rights: access, rectification, erasure (the right to be forgotten), restriction, data portability, objection, and rights related to automated decision-making and profiling. Under Article 12(3), organisations must respond to valid requests within one month of receipt, extendable by two further months for complex or numerous requests, provided the data subject is told of the extension and the reasons for it within the first month.

The Italian Garante has imposed multiple fines for failure to respond to data subject access requests within the statutory timeline. Your organisation must have documented procedures for verifying identity, locating relevant data, and providing responses in the required format.

  • Establish documented procedures for each data subject right
  • Implement proportionate identity verification to prevent disclosure to the wrong person (Article 12(6) allows additional proof only where there are reasonable doubts; do not demand copies of ID documents from an already-authenticated account holder)
  • Set up tracking and escalation workflows to meet the one-month deadline
  • Train customer-facing staff to recognise and route data subject requests
  • Maintain records of all requests received and responses provided
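The two statutory clocks in items 6 and 10 (72 hours from awareness of a breach under Article 33, one month from receipt of a request under Article 12(3), extendable by two further months) are where tracking workflows most often go wrong, because "one month" is not 30 days and the breach clock does not pause over a weekend. The following is an added example and not code from the article or from any tool: it assumes that "one month" is counted with the same-day-next-month rule of Regulation (EEC) No 1182/71, clamped to the last day of a shorter month, and it does not apply public-holiday or weekend roll-over rules. Confirm the counting convention with your DPO or counsel before relying on it.

```python
"""Deadline arithmetic for Article 33 breach notification and Article 12(3)
data subject requests (added example; not code from the article).

Assumption, also flagged in the comments: "one month" uses the same-day-
next-month rule of Regulation (EEC) No 1182/71, clamped to the last day of a
shorter month. Public-holiday and weekend roll-over rules are not applied.
"""
import calendar
from datetime import date, datetime, timedelta, timezone
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Same day-number in the target month; last day of that month if it has no such day.

    Assumed convention from Regulation 1182/71, e.g. 31 Jan + 1 month = 28 Feb.
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Article 33(1): without undue delay and, where feasible, within 72 hours of awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("use a timezone-aware 'aware_at'; the 72 hours do not pause overnight")
    return aware_at + timedelta(hours=72)


def breach_notification_status(aware_at: datetime, notified_at: Optional[datetime],
                               risk_to_individuals: bool) -> str:
    """Classify a breach against Article 33.

    - no risk to individuals: no notification owed, but Article 33(5) still requires
      the breach to be documented in the internal register;
    - notified after the 72 hours: permitted, but Article 33(1) requires the
      notification to carry the reasons for the delay.
    """
    if not risk_to_individuals:
        return "register_only"
    deadline = breach_notification_deadline(aware_at)
    if notified_at is None:
        return "overdue" if datetime.now(timezone.utc) > deadline else "open"
    return "on_time" if notified_at <= deadline else "late_reasons_required"


def dsar_deadline(received_on: date, extended: bool = False) -> date:
    """Article 12(3): one month from receipt; up to two further months for complex or
    numerous requests, provided the data subject is told within the first month."""
    return add_months(received_on, 3 if extended else 1)


def dsar_extension_notice_deadline(received_on: date) -> date:
    """Last day on which the data subject can still be told the period is being extended."""
    return add_months(received_on, 1)


def worked_example() -> dict:
    """Constructed timeline: breach discovered 10 March 2026 09:00 UTC; DSAR received that day."""
    aware = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
    received = date(2026, 3, 10)
    return {
        "breach_deadline": breach_notification_deadline(aware).isoformat(),
        "notified_in_time": breach_notification_status(aware, aware + timedelta(hours=50), True),
        "notified_late": breach_notification_status(aware, aware + timedelta(hours=80), True),
        "no_risk": breach_notification_status(aware, None, False),
        "dsar_deadline": dsar_deadline(received).isoformat(),
        "dsar_extended": dsar_deadline(received, extended=True).isoformat(),
        "extension_notice_by": dsar_extension_notice_deadline(received).isoformat(),
        "month_end_clamp": add_months(date(2026, 1, 31), 1).isoformat(),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The edge case worth noticing is the clamp: a request received on 31 January is due on 28 February, not "in 30 days" (2 March) and not on a non-existent 31 February. The breach function deliberately refuses naive timestamps, because a 72-hour clock computed in local wall time across a DST change or a multi-region team is wrong by an hour in a direction you will not notice until the regulator does.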

11. Technical and Organisational Security Measures

Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes, as appropriate, pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore data in a timely manner, and regular testing.

Security measures must be proportionate to the risk. A medical practice processing health data requires stronger controls than a retailer processing only names and delivery addresses. The Spanish AEPD has issued numerous fines for inadequate security measures, particularly where organisations failed to implement basic controls such as access management and encryption.

  • Implement encryption at rest and in transit for personal data
  • Enforce role-based access controls with the principle of least privilege
  • Deploy multi-factor authentication for administrative and remote access
  • Conduct regular vulnerability assessments and penetration testing
  • Maintain and test business continuity and disaster recovery plans

12. Staff Training and Awareness

Article 39(1)(b) identifies awareness-raising and training of staff involved in processing operations as a core task of the DPO. Beyond the legal requirement, human error is consistently among the most common causes of reported breaches: phishing, misdirected emails, and improper data handling account for a significant proportion of the incidents supervisory authorities receive.

Your training programme should be role-specific. Customer service agents need different training from IT administrators or marketing staff. Training must be documented, repeated at least annually, and updated to reflect new threats and regulatory developments.

  • Deliver GDPR awareness training to all employees upon hiring and annually thereafter
  • Provide role-specific training (e.g., breach reporting for IT, consent management for marketing)
  • Document training completion and maintain attendance records
  • Conduct phishing simulations and social engineering awareness exercises
  • Update training content to reflect new enforcement trends and guidance

Building a Culture of Compliance

These 12 controls form the bedrock of GDPR compliance, but they are not a one-time checklist. Data protection is a continuous process that requires ongoing monitoring, periodic reviews, and adaptation to evolving regulatory expectations. The principle of accountability under Article 5(2) demands that you can demonstrate compliance at any point in time, not merely achieve it once.

Start with a gap analysis against these 12 controls. Prioritise remediation based on risk, and build a compliance roadmap with quarterly milestones. For SMEs without in-house data protection expertise, engaging a specialist consultancy can accelerate your path to compliance while reducing the risk of costly enforcement action.

The cost of non-compliance (up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, under Article 83(5)) far exceeds the investment required to build a robust data protection programme. Begin your compliance journey today.