Check items as you complete them
Data Inventory
Maintain a record of all processing activities (Art. 30)
Document legal basis for each processing purpose (Art. 6)
Map all data flows to third-party processors
Privacy Notices
Update client intake forms with GDPR-compliant privacy notice
Update website privacy policy (Art. 13)
Ensure cookie banner is compliant
Data Processor Agreements
Sign DPAs with all software vendors (Art. 28)
Review processor agreements annually
Ensure sub-processors are approved
Data Subject Rights
Process access requests within 30 days (Art. 15)
Have erasure ("right to be forgotten") procedure (Art. 17)
Enable data portability where applicable (Art. 20)
Security & Breach Response
Implement appropriate technical and organisational measures (Art. 32)
Document and test breach response procedure (72h notification)
Conduct annual security review
Retention & Deletion
Document retention schedule for all data categories
Legal files: 6 years after case closure (§ 50 BRAO for Germany)
Automate deletion of data beyond retention period
Need a GDPR Data Processing Agreement?
LexOS provides a GDPR DPA template as part of all paid plans. Sign up to access it.