# GDPR Quarterly Check Checklist

## Data inventory
- [ ] Any new systems handling personal data this quarter? Logged in the ROPA.
- [ ] Any systems removed? ROPA updated.
- [ ] Any new categories of data being collected?
- [ ] Lawful basis recorded for all new processing.

## Subject access requests
- [ ] SARs received this quarter: count
- [ ] SARs responded to within 1 calendar month: yes / no
- [ ] Any complaints / regulator contact

## Marketing
- [ ] Consent records audited (sample)
- [ ] Unsubscribe path working on all email templates
- [ ] No legacy lists in use without lawful basis

## Vendors and processors
- [ ] Any new third-party processors? Data processing agreement signed.
- [ ] Cross-border transfer mechanisms still valid (SCCs, IDTA)
- [ ] Sub-processor list reviewed

## Security incidents
- [ ] Any personal-data incidents this quarter
- [ ] Notifiable incidents reported within 72 hours
- [ ] Lessons logged

## Training
- [ ] New joiners trained on data protection in week 1
- [ ] Annual refresher compliance rate

## Findings
| # | Finding | Severity | Owner | Due |
|---|---------|----------|-------|-----|
|   |         |          |       |     |
