A GDPR compliance checklist breaks down the regulation's requirements into actionable verification steps. This guide walks through the audit process for Canadian organizations with EU data subjects, covering lawful basis documentation, data mapping, subject rights infrastructure, processor agreements, and breach response protocols.
GDPR extends beyond EU borders to any organization offering goods or services to EU residents or monitoring their behaviour. For Canadian businesses, this typically activates through e-commerce shipping to Europe, European customer accounts on SaaS platforms, analytics tracking of EU visitors, or marketing campaigns targeting European markets. The regulation applies regardless of corporate structure or revenue size.
Your first checkpoint confirms whether processing of EU data subjects' data occurs at all. Review analytics for EU traffic, payment processor data for European billing addresses, email lists for .eu or country-code domains, and sales records for European transactions. If EU data subjects exist in any system, compliance obligations are triggered. Many Canadian companies discover scope through third-party tools that passively collect EU visitor data through analytics or chat widgets, creating obligations they hadn't anticipated.
Every data collection point requires one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The compliance check here verifies that documentation exists specifying which basis applies to each processing activity before collection begins.
Audit signup forms, account creation flows, newsletter subscriptions, contact forms, and checkout processes. Each must explicitly state why data is collected and under what legal basis. Consent-based processing requires affirmative action, not pre-ticked boxes or implied agreement through continued use. Legitimate interest requires a balancing test documented in writing, weighing business needs against individual rights. Contract-based processing must tie directly to service delivery. Most Canadian organizations discover gaps in historical data collected under assumptions that don't meet GDPR standards, requiring either re-consent campaigns or legitimate interest assessments retroactively applied.
Article 30 mandates Records of Processing Activities documenting what data exists, where it lives, who accesses it, and how long it's retained. The compliance check builds or verifies this map across all systems.
Catalog databases, CRMs, email platforms, analytics tools, backup systems, and third-party processors. For each, document data categories collected, processing purposes, storage locations including server jurisdictions, access permissions, retention periods, and deletion procedures. Many organizations find data scattered across abandoned tools, archived databases, or employee devices outside formal systems.
Retention schedules must link to legitimate business or legal requirements. Generic indefinite retention fails compliance. Specify deletion triggers like account closure plus six months for transaction records, or campaign end plus one year for marketing analytics. Automated deletion workflows reduce manual compliance burden and demonstrate accountability.
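As an added illustration (not code from the original article), the following Python sketch evaluates a retention schedule of the kind described above: each rule names the trigger event, the months to keep data afterwards, and the business or legal reason behind the period, and any record whose category has no rule is flagged as indefinite retention. The schedule, the record layout, the audit date and the sample records are all constructed for this example; a real workflow would load the schedule from the Records of Processing Activities and the records from each platform.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with the standard library only. The day is
    clamped to the target month's length, so 31 Aug + 6 months is 28 Feb
    (or 29 Feb in a leap year)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class RetentionRule:
    """One line of the retention schedule: the event that starts the clock,
    how many months to keep the data afterwards, and the business or legal
    reason that justifies that period (the part an auditor asks for)."""
    category: str
    trigger_field: str
    keep_months: int
    basis: str


@dataclass
class Record:
    """A stored item with the trigger dates that matter for retention.
    None means the trigger has not fired yet (e.g. the account is still open)."""
    record_id: str
    category: str
    account_closed_on: Optional[date] = None
    campaign_ended_on: Optional[date] = None


# Constructed schedule using the two triggers the article gives as examples.
SCHEDULE: Dict[str, RetentionRule] = {
    "transaction": RetentionRule(
        "transaction", "account_closed_on", 6, "dispute and refund handling after closure"),
    "marketing_analytics": RetentionRule(
        "marketing_analytics", "campaign_ended_on", 12, "campaign performance reporting"),
}

# Constructed sample records; the "support_chat" category deliberately has no rule.
SAMPLE_RECORDS: List[Record] = [
    Record("tx-1001", "transaction", account_closed_on=date(2024, 1, 15)),
    Record("tx-1002", "transaction", account_closed_on=date(2024, 8, 31)),
    Record("tx-1003", "transaction"),
    Record("ma-2001", "marketing_analytics", campaign_ended_on=date(2023, 6, 30)),
    Record("ma-2002", "marketing_analytics", campaign_ended_on=date(2024, 12, 1)),
    Record("chat-3001", "support_chat"),
]
AUDIT_DATE = date(2025, 3, 1)  # constructed "today" for the run below


def deletion_due_date(rule: RetentionRule, record: Record) -> Optional[date]:
    """Date on which the record becomes deletable, or None while the trigger
    has not fired."""
    trigger = getattr(record, rule.trigger_field)
    return None if trigger is None else add_months(trigger, rule.keep_months)


def evaluate(records: List[Record], schedule: Dict[str, RetentionRule],
             today: date) -> Dict[str, list]:
    """Sort records into three buckets. 'unscheduled' is the one that matters
    in an audit: a category with no rule is indefinite retention by default."""
    result: Dict[str, list] = {"delete": [], "retain": [], "unscheduled": []}
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:
            result["unscheduled"].append(rec.record_id)
            continue
        due = deletion_due_date(rule, rec)
        if due is not None and due <= today:
            result["delete"].append((rec.record_id, due.isoformat(), rule.basis))
        else:
            result["retain"].append(rec.record_id)
    return result


if __name__ == "__main__":
    for bucket, items in evaluate(SAMPLE_RECORDS, SCHEDULE, AUDIT_DATE).items():
        print(bucket, items)
```

The `basis` string travels with every deletion decision so the log of what was deleted and why can be produced on request; the month clamping matters because a naive "add 180 days" drifts away from the schedule the policy actually states.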
GDPR grants individuals rights to access, rectify, erase, restrict processing, port data, and object to processing. Your compliance check confirms operational capacity to fulfill these requests within mandated timeframes.
Verify a documented intake process exists, typically through a dedicated email address or web form. Test retrieval capability by attempting to compile all data for a sample individual across systems. This reveals whether data architecture allows efficient search and export. Assess whether you can actually delete individuals from all systems or whether technical constraints create retention beyond the deletion request.
The 30-day response window runs from receipt, not from when someone gets around to it. Assign responsibility, document escalation paths for complex requests, and maintain request logs. Portability requests require machine-readable formats like CSV or JSON. Objection rights mean halting processing immediately for that purpose while retaining data for other lawful bases if applicable. Many Canadian organizations lack the cross-system visibility to efficiently execute these rights, requiring significant technical investment.
Any vendor that processes personal data on your behalf requires a Data Processing Agreement with specific GDPR provisions. The compliance check inventories all processors and verifies contractual coverage.
List every service handling EU personal data: email platforms, CRMs, analytics providers, payment processors, hosting companies, support ticket systems, marketing automation tools. Each needs an agreement addressing processing instructions, confidentiality, security measures, sub-processor permissions, breach notification obligations, audit rights, and deletion upon termination.
Many legacy contracts predate GDPR and lack required clauses. Major platforms like Google and Mailchimp provide standard DPAs, but niche vendors may resist negotiation. Document which vendors have compliant agreements, which need amendments, and which present ongoing risk. For Canadian processors, remember they must meet GDPR standards when handling EU data even though they operate under PIPEDA domestically. Processor failures create controller liability, making this contractual layer critical risk transfer.
Article 32 requires appropriate technical and organizational measures based on processing risk. The compliance check assesses implemented safeguards and tests breach response capability.
Verify encryption for data in transit and at rest, access controls limiting who sees personal data, authentication requirements including multi-factor where appropriate, logging and monitoring of data access, regular security updates, and backup procedures. Appropriateness scales with sensitivity—financial or health data demands stronger controls than newsletter emails.
Breach notification procedures must account for the 72-hour window to notify supervisory authorities of breaches likely to result in a risk to individuals' rights and freedoms. Document detection mechanisms, assessment criteria to determine reportability, internal escalation paths, authority contact procedures, and individual notification templates. Run tabletop exercises to test whether your team could actually meet the timeline under pressure. Most organizations discover their incident response plans lack GDPR-specific elements or haven't been tested against realistic scenarios.
Articles 13 and 14 mandate specific disclosures at collection time and within privacy policies. The compliance check verifies completeness and accessibility of these notices.
Your privacy policy must identify the controller, list processing purposes, specify lawful bases, name data categories collected, disclose recipients including processors, state retention periods, explain subject rights, provide supervisory authority contact information, note whether automated decision-making occurs, and if relevant describe international transfer mechanisms. Many Canadian policies omit lawful basis specificity or use vague retention language such as retaining data "as long as necessary".
Transparency extends beyond a buried policy link. Collection points need concise, clear notices in plain language. Layered approaches work well—brief notice at collection with a link to full policy details. For Canadian organizations serving Quebec, remember provincial Law 25 may impose parallel requirements. Verify policies reflect actual practices rather than aspirational or outdated procedures.
GDPR applies to Canadian organizations if you process data of EU residents, regardless of physical presence. This includes selling to European customers, tracking EU website visitors through analytics, or marketing to European audiences. The regulation follows the data subject's location, not the company's headquarters. Even incidental EU traffic through organic search can trigger obligations if you collect personal data from those visitors.
GDPR consent requires affirmative action, clear purpose specification, easy withdrawal, and separation from other terms. Pre-ticked boxes, bundled consents for unrelated purposes, or continued use as implied consent all fail. Canadian PIPEDA allows more flexibility with implied consent for reasonable purposes. For EU data subjects, you must meet the stricter GDPR standard even if PIPEDA would permit looser approaches domestically.
Build a cross-system search capability using common identifiers like email addresses. Document which systems hold personal data in your Records of Processing Activities. Create export scripts or manual procedures for each platform. Consolidate results, redact third-party information, and deliver in a readable format within 30 days. Many organizations maintain a master identifier table mapping individuals across disconnected systems to streamline retrieval.
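The retrieval procedure in this answer, together with the intake, deadline and logging points made earlier (30-day window counted from receipt, request logs, machine-readable delivery), as an added Python example that is not code from the original article. The three "systems" (CRM, email platform, support desk) and every record in them are constructed in-line; the assumption is that in production each `lookup_*` function would call that platform's export API instead. Third-party email addresses found in free text are masked before the package is consolidated.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Any, Callable, Dict, List

RESPONSE_WINDOW = timedelta(days=30)   # the article's response window, counted from receipt
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample data standing in for three disconnected platforms.
CRM = [
    {"id": "c-17", "email": "Ana.Lopez@example.eu", "name": "Ana Lopez", "phone": "+34 600 000 001"},
    {"id": "c-18", "email": "bob@example.ca", "name": "Bob Ng", "phone": "+1 416 000 0002"},
]
EMAIL_PLATFORM = {
    "ana.lopez@example.eu": {"lists": ["newsletter"], "consent_ts": "2024-03-02T10:15:00Z"},
    "bob@example.ca": {"lists": ["newsletter", "promos"], "consent_ts": "2023-11-20T08:00:00Z"},
}
SUPPORT_TICKETS = [
    {"ticket": "T-4401", "requester": "ana.lopez@example.eu",
     "body": "Please merge my account with my partner's, carl@example.eu."},
    {"ticket": "T-4402", "requester": "bob@example.ca", "body": "Invoice question."},
]


def normalise(email: str) -> str:
    """The common identifier: email, trimmed and lower-cased so platforms that
    store it with different casing still match."""
    return email.strip().lower()


# One lookup per platform (hypothetical; production code would call the export API).
def lookup_crm(email: str) -> List[Dict[str, Any]]:
    return [r for r in CRM if normalise(r["email"]) == email]


def lookup_email_platform(email: str) -> List[Dict[str, Any]]:
    rec = EMAIL_PLATFORM.get(email)
    return [dict(rec, email=email)] if rec else []


def lookup_support(email: str) -> List[Dict[str, Any]]:
    return [t for t in SUPPORT_TICKETS if t["requester"] == email]


SYSTEMS: Dict[str, Callable[[str], List[Dict[str, Any]]]] = {
    "crm": lookup_crm, "email_platform": lookup_email_platform, "support_desk": lookup_support,
}


def redact_third_parties(text: str, subject_email: str) -> str:
    """Mask every email address in free text except the requester's own, so the
    package does not disclose other people's data."""
    def mask(m):
        return m.group(0) if normalise(m.group(0)) == subject_email else "[redacted third-party email]"
    return EMAIL_RE.sub(mask, text)


def redact_record(record: Dict[str, Any], subject_email: str) -> Dict[str, Any]:
    return {k: redact_third_parties(v, subject_email) if isinstance(v, str) else v
            for k, v in record.items()}


def compile_access_package(identifier: str, today: date) -> Dict[str, Any]:
    """Search every registered system for the identifier and consolidate the
    redacted results into one structure."""
    email = normalise(identifier)
    return {"subject": email, "generated_on": today.isoformat(),
            "systems": {name: [redact_record(r, email) for r in lookup(email)]
                        for name, lookup in SYSTEMS.items()}}


def export_json(package: Dict[str, Any]) -> str:
    """Machine-readable delivery format (also serves portability requests)."""
    return json.dumps(package, indent=2)


@dataclass
class DsarRequest:
    """Request-log entry. The deadline is fixed at receipt, not when work starts."""
    request_id: str
    identifier: str
    received_on: date
    status: str = "open"
    log: List[str] = field(default_factory=list)

    @property
    def due_on(self) -> date:
        return self.received_on + RESPONSE_WINDOW

    def days_remaining(self, today: date) -> int:
        return (self.due_on - today).days


def fulfil(request: DsarRequest, today: date) -> Dict[str, Any]:
    """Compile the package, note it in the request log, and record whether the
    response landed inside the window."""
    package = compile_access_package(request.identifier, today)
    found = sum(len(v) for v in package["systems"].values())
    request.log.append(f"{today.isoformat()}: {found} record(s) compiled across {len(SYSTEMS)} systems")
    request.status = "completed" if today <= request.due_on else "completed late"
    return package


# Constructed requests: one inside the window, one received well before it.
SAMPLE_REQUEST = DsarRequest("DSAR-001", " Ana.Lopez@example.eu ", date(2025, 1, 10))
LATE_REQUEST = DsarRequest("DSAR-002", "bob@example.ca", date(2024, 12, 1))
TODAY = date(2025, 1, 20)

if __name__ == "__main__":
    print(export_json(fulfil(SAMPLE_REQUEST, TODAY)), SAMPLE_REQUEST.status,
          SAMPLE_REQUEST.days_remaining(TODAY))
```

Registering each platform in `SYSTEMS` is what turns the Records of Processing Activities into something executable: a system listed in the RoPA but absent from this table is a retrieval gap the test described above (compiling all data for a sample individual) would expose.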
When a vendor refuses to sign a DPA, you face three options: negotiate minimum required clauses, find an alternative vendor with compliant terms, or document the risk and business justification for proceeding. Continuing without a DPA creates controller liability for processor failures. For critical vendors unwilling to negotiate, some organizations add indemnification clauses or cyber insurance, though these don't eliminate the underlying compliance gap.
A Data Protection Officer is mandatory only if you're a public authority, conduct large-scale systematic monitoring, or process special categories or criminal data at scale. Most Canadian SMBs don't meet these thresholds. However, designating someone responsible for compliance even without the formal DPO title helps accountability. Larger organizations often appoint a privacy lead to coordinate compliance activities and serve as the supervisory authority contact point.
Conduct and record a balancing test weighing your business need against individual rights and freedoms. Document what data you collect, why it's necessary for your interest, whether less intrusive alternatives exist, what safeguards you've implemented, and why your interest isn't overridden by individual rights. The test must happen before processing begins. Marketing analytics often relies on legitimate interest, but direct marketing typically requires consent unless based on existing customer relationships.