Data Protection & GDPR

The GDPR Compliance Checklist for 2026: A Practical 12-Step Guide

Eva de Vries

Legal Associate

12 February 2026 9 min read

Compliance is not a one-off project — it is an ongoing posture. Here are the twelve things every organisation should have in place, refreshed for the AI era.

Almost eight years after the GDPR became enforceable, the fundamentals have not changed — but the scrutiny has. Regulators now expect organisations to demonstrate accountability, not merely claim it, and the rise of AI has put data minimisation and lawful basis back under the spotlight. Use this checklist as a health-check, not a substitute for tailored advice.

1. Map your data

You cannot protect what you have not mapped. Maintain an up-to-date record of processing activities (Article 30): what personal data you hold, why, where it lives, who can access it and how long you keep it.

2. Confirm a lawful basis for every activity

Each processing activity needs one of the six lawful bases in Article 6. 'We have always done it' is not one of them. Where you rely on consent, make sure it is freely given, specific, informed and as easy to withdraw as to give.

3. Keep privacy notices current

Transparency (Articles 13–14) means telling people what you do with their data in clear, plain language — including new AI-driven uses, analytics and any international transfers.

4. Make data-subject rights routine

  • Access, rectification and erasure ('right to be forgotten').
  • Restriction, portability and the right to object.
  • A defined workflow to respond within one month.

5. Get international transfers right

If data leaves the EEA — including remote access from outside it — document your transfer mechanism: an adequacy decision (such as the EU–US Data Privacy Framework), standard contractual clauses with a transfer impact assessment, or binding corporate rules.

6. Build privacy in by design and default

Article 25 requires data protection to be baked into new systems and processes from the outset — not retrofitted. Run a data protection impact assessment (DPIA) for high-risk processing, including most significant AI deployments.

7. Tighten your processor contracts

Every vendor that processes data on your behalf needs an Article 28 data-processing agreement. Re-paper inherited contracts and check sub-processor and transfer terms.

8. Have a 72-hour breach plan

Reportable breaches must reach the supervisory authority within 72 hours. Rehearse the plan — who decides, who notifies, who communicates — before you need it.

9. Decide if you need a DPO

A Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale systematic monitoring or large-scale processing of special-category data.

10. Train your people

Most breaches start with human error. Regular, role-specific training turns policy on paper into behaviour in practice.

11. Govern your AI

Where AI processes personal data, the GDPR applies in full — lawful basis for training data, transparency, and the Article 22 limits on solely automated decisions — now alongside the EU AI Act.

12. Review and repeat

Treat compliance as a cycle. Re-run this checklist annually and whenever you launch a new product, vendor or data flow.

Accountability is the heart of the GDPR: it is not enough to comply — you must be able to show how.

Tags: Compliance, Accountability, DPO

This article is general information, not legal advice. For guidance on your specific situation, please speak to our team.
