GDPR Quarterly Check Checklist
Quarterly GDPR housekeeping for the EU-data-handling functions of the business.
When to use this
Not a substitute for a DPO or an annual deep audit. This is a practical operations check that catches the drift between formal DPO reviews: new systems, new vendors, stale consent lists and unreported incidents that accumulate quarter by quarter.
The template
# GDPR Quarterly Check Checklist

## Data inventory

- [ ] Any new systems handling personal data this quarter? Logged in the ROPA (record of processing activities).
- [ ] Any systems removed or decommissioned? ROPA updated and data deleted or archived per retention schedule.
- [ ] Any new categories of personal data being collected (including special-category data)?
- [ ] Lawful basis recorded for all new processing.

## Subject access requests

- [ ] SARs received this quarter: count
- [ ] SARs responded to within 1 calendar month: yes / no (extensions for complex requests communicated to the requester within the first month)
- [ ] Any complaints or regulator contact this quarter

## Marketing

- [ ] Consent records audited (sample), with timestamp and source of consent present for each sampled record
- [ ] Unsubscribe path working on all email templates (test-send and click through)
- [ ] No legacy lists in use without a recorded lawful basis

## Vendors and processors

- [ ] Any new third-party processors? Data processing agreement signed before data flowed.
- [ ] Cross-border transfer mechanisms still valid (SCCs, IDTA, adequacy decisions)
- [ ] Sub-processor list reviewed and changes from each processor acknowledged

## Security incidents

- [ ] Any personal-data incidents this quarter (including near-misses and misdirected emails)
- [ ] Notifiable incidents reported to the supervisory authority within 72 hours of becoming aware
- [ ] Affected data subjects informed where the incident posed a high risk to them
- [ ] Lessons logged and remediation owners assigned

## Training

- [ ] New joiners trained on data protection in week 1
- [ ] Annual refresher completion rate

## Findings

| # | Finding | Severity | Owner | Due |
|---|---------|----------|-------|-----|
|   |         |          |       |     |