Template · Free · 2-4 hours

GDPR Compliance Audit Checklist Template

A structured GDPR compliance audit checklist for product teams covering lawful basis, data subject rights, consent mechanisms, data processing records, and breach notification readiness. Includes a filled example for a SaaS analytics product.

By Tim Adair • Last updated 2026-03-04

What This Template Is For

If your product collects personal data from EU residents, GDPR compliance is not optional. Fines can reach 4% of global annual revenue or 20 million euros, whichever is higher. But beyond the financial risk, GDPR violations erode user trust and can block expansion into European markets entirely.

This template provides a structured audit checklist that product teams can use to assess their current GDPR compliance posture, identify gaps, and track remediation. It covers the six key areas that regulators evaluate: lawful basis for processing, data subject rights, consent mechanisms, data processing records, breach notification readiness, and third-party data processor agreements.

Most product teams treat GDPR as a legal problem. It is not. Every feature that collects, stores, or processes personal data has compliance implications. The PM needs to understand which lawful basis applies, what consent flows are required, and how data subject access requests (DSARs) are fulfilled. For a broader view of how privacy fits into product strategy, see the Product Strategy Handbook. If your product processes data at scale, the data classification template helps you categorize data by sensitivity level. For tracking privacy-related metrics, the product metrics library covers retention and trust indicators.


How to Use This Template

  1. Assemble your audit team. Include the PM, engineering lead, legal counsel, and a security or DPO representative.
  2. Go through each section systematically. Check off items that are fully implemented. Mark items as partial or not started.
  3. Document evidence. For each completed item, note where the evidence lives (e.g., "consent flow documented in Figma file X, implemented in PR #1234").
  4. Identify gaps. Any unchecked items become action items with owners and deadlines.
  5. Review quarterly. GDPR compliance is not a one-time project. Schedule quarterly re-audits using this checklist.

The Template

Section 1: Lawful Basis for Data Processing

  • Identified and documented the lawful basis (consent, contract, legitimate interest, legal obligation, vital interests, public task) for each type of personal data processing
  • Legitimate interest assessments (LIAs) completed for any processing based on legitimate interest
  • Consent is freely given, specific, informed, and unambiguous where consent is the lawful basis
  • No pre-ticked consent boxes or bundled consent with terms of service
  • Records of consent stored with timestamp, version of consent text, and method of collection
  • Process exists to re-obtain consent if the purpose of processing changes

Section 2: Data Subject Rights

  • Right to access (DSAR): users can request a copy of all personal data within 30 days
  • Right to rectification: users can correct inaccurate personal data
  • Right to erasure ("right to be forgotten"): users can request deletion of their data
  • Right to data portability: users can export their data in a machine-readable format (JSON, CSV)
  • Right to restrict processing: users can request that processing be paused
  • Right to object: users can object to processing based on legitimate interest or direct marketing
  • Automated decision-making: users are informed of and can challenge any automated profiling
  • DSAR fulfillment process documented with roles, SLAs, and escalation paths

Section 3: Consent & Privacy

  • Privacy policy is written in clear, plain language (not legal jargon)
  • Privacy policy is easily accessible from every page (footer link)
  • Cookie consent banner implemented with granular opt-in/opt-out controls
  • Separate consent obtained for each distinct processing purpose (e.g., analytics vs. marketing emails)
  • Users can withdraw consent as easily as they gave it
  • Privacy notice updated whenever data processing practices change
  • Age verification or parental consent mechanism in place if product targets users under 16

Section 4: Data Processing Records (Article 30)

  • Record of Processing Activities (ROPA) maintained and up to date
  • ROPA includes: purposes, data categories, recipients, retention periods, security measures, transfer safeguards
  • Data flow diagrams created showing where personal data enters, moves through, and exits the system
  • Data retention periods defined for each data category
  • Automated deletion or anonymization processes in place for data past retention period
  • Third-party sub-processors listed with processing purposes and data categories

Section 5: Data Breach Notification

  • Breach detection and reporting process documented
  • Ability to notify supervisory authority within 72 hours of becoming aware of a breach
  • Ability to notify affected data subjects "without undue delay" for high-risk breaches
  • Breach register maintained with details of all past breaches and responses
  • Breach response team identified with contact information and escalation procedures
  • Breach notification templates prepared for authority and data subject communications

Section 6: Third-Party Processors

  • Data Processing Agreements (DPAs) signed with all third-party processors
  • DPAs include: processing instructions, confidentiality, security measures, sub-processor controls, audit rights
  • Due diligence conducted on each processor's security and compliance posture
  • Processors outside the EEA have appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions)
  • Regular review schedule for third-party processor compliance
  • Processor inventory maintained with data categories, transfer locations, and DPA status

Section 7: Technical and Organizational Measures

  • Personal data encrypted at rest and in transit
  • Access controls limit personal data access to authorized personnel only
  • Audit logs track who accessed personal data and when
  • Data minimization: only collect personal data that is necessary for the stated purpose
  • Pseudonymization applied where possible (e.g., analytics, testing environments)
  • Regular security testing conducted (penetration tests, vulnerability scans)
  • Staff training on data protection completed annually
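The following is an added example, not code from the original template, showing how the Section 4 item on automated deletion or anonymization of data past its retention period and the Section 7 pseudonymization item can be implemented together. The record shape, data categories, retention periods and HMAC key are assumptions constructed for illustration, modelled on the IP address and device identifier fields in the filled example below.

```python
# Added example (not from the original template): per-category retention
# enforcement (Section 4) with keyed pseudonymization of identifiers (Section 7).
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed policy: after the retention period, either delete the record or
# replace its direct identifiers with a pseudonym so aggregate analytics still work.
RETENTION = {
    "analytics_event": {"days": 90, "action": "pseudonymize"},
    "marketing_contact": {"days": 365, "action": "delete"},
}
IDENTIFIER_FIELDS = ("ip", "device_id", "email")

def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable under one key, unlinkable without it.
    Rotating the key breaks linkage between old pseudonyms and new data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def enforce_retention(records, key: bytes, now: datetime):
    """Return (kept_records, deleted_count). A category with no retention
    policy is itself a checklist gap, so fail closed instead of guessing."""
    kept, deleted = [], 0
    for rec in records:
        policy = RETENTION.get(rec["category"])
        if policy is None:
            raise ValueError(f"no retention period defined for {rec['category']!r}")
        if now - rec["collected_at"] <= timedelta(days=policy["days"]):
            kept.append(rec)  # within retention: keep unchanged
        elif policy["action"] == "delete":
            deleted += 1
        else:
            out = {k: (pseudonymize(v, key) if k in IDENTIFIER_FIELDS else v)
                   for k, v in rec.items()}
            out["pseudonymized"] = True
            kept.append(out)
    return kept, deleted

# Constructed sample data modelled on the CloudMetrics example (IP + device id).
SAMPLE_KEY = b"constructed-demo-key-rotate-in-production"
SAMPLE_NOW = datetime(2026, 3, 4, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"category": "analytics_event", "collected_at": SAMPLE_NOW - timedelta(days=10),
     "ip": "203.0.113.7", "device_id": "dev-1"},
    {"category": "analytics_event", "collected_at": SAMPLE_NOW - timedelta(days=120),
     "ip": "203.0.113.7", "device_id": "dev-1"},
    {"category": "marketing_contact", "collected_at": SAMPLE_NOW - timedelta(days=400),
     "email": "lead@example.com"},
]
```

Running `enforce_retention(SAMPLE_RECORDS, SAMPLE_KEY, SAMPLE_NOW)` keeps the 10-day-old event unchanged, pseudonymizes the 120-day-old one, and deletes the expired marketing contact; the HMAC key must be stored separately from the pseudonymized data for the pseudonymization to count as a real safeguard.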

Filled Example: SaaS Analytics Product

Product: CloudMetrics, a B2B SaaS analytics platform that processes website visitor data for 2,400 business customers. Processes approximately 50M events/day containing IP addresses, device fingerprints, and browsing behavior.

Audit Summary

| Area | Status | Score | Notes |
| --- | --- | --- | --- |
| Lawful Basis | Partial | 4/6 | Legitimate interest assessments missing for two processing activities |
| Data Subject Rights | Complete | 8/8 | DSAR portal launched Q4 2025, average response time: 6 days |
| Consent & Privacy | Partial | 5/7 | Cookie consent needs granular opt-out for analytics vs. marketing |
| Processing Records | Partial | 4/6 | ROPA exists but data flow diagrams are outdated |
| Breach Notification | Complete | 6/6 | Tested in Q1 2026 tabletop exercise |
| Third-Party Processors | Partial | 4/6 | Two processors missing updated DPAs |
| Technical Measures | Complete | 7/7 | Encryption, access controls, audit logs all in place |

Key Gaps and Remediation Plan

| # | Gap | Action | Owner | Due Date |
| --- | --- | --- | --- | --- |
| 1 | LIA missing for behavioral analytics aggregation | Complete LIA with DPO and legal | PM Lead | March 21 |
| 2 | Cookie consent bundles analytics and marketing | Split consent into granular categories | Frontend Lead | March 28 |
| 3 | Data flow diagrams outdated (last updated Oct 2025) | Re-map all data flows including new Snowflake integration | Data Eng | April 4 |
| 4 | AWS sub-processor DPA uses old SCCs | Execute updated DPA with AWS and Segment | Legal | March 14 |
| 5 | LIA missing for IP-based geolocation enrichment | Complete LIA, evaluate consent alternative | PM Lead | March 21 |

Key Takeaways

  • GDPR compliance requires ongoing attention, not a one-time checklist. Schedule quarterly audits
  • Document everything: lawful basis, consent records, processing activities, breach responses
  • Build data subject rights (access, deletion, portability) into your product as self-service features
  • Ensure all third-party processors have signed Data Processing Agreements with current Standard Contractual Clauses
  • Treat GDPR gaps as product bugs. Assign owners, set deadlines, and track to completion

About This Template

Created by: Tim Adair

Last Updated: 3/4/2026

Version: 1.0.0

License: Free for personal and commercial use

Frequently Asked Questions

How often should we re-run this GDPR audit?
Quarterly at minimum, and after any significant product change that affects personal data processing (new features, new third-party integrations, new markets). Schedule the audit as a recurring calendar event with the same cross-functional team.

Do we need a Data Protection Officer (DPO)?
A DPO is mandatory if your core activity involves regular and systematic monitoring of data subjects at scale, or large-scale processing of special category data (health, biometric, etc.). Most B2B SaaS companies processing standard personal data do not legally require a DPO, but appointing one (even part-time) is a strong signal to regulators and customers.

What is the difference between a data controller and a data processor?
The controller determines why and how personal data is processed. The processor processes data on behalf of the controller. Most SaaS products are processors for their customers' data and controllers for their own user account data. This dual role means you need both a privacy policy (controller obligations) and DPAs with your customers (processor obligations).

How do we handle data subject access requests efficiently?
Build a self-service data export feature in your product. This eliminates manual effort for the majority of DSARs. For requests that require manual handling, create a DSAR playbook with step-by-step instructions, templates, and SLAs. The [privacy impact assessment template](/templates/privacy-impact-assessment-template) can help you map where personal data lives across your systems.

What happens if we discover a GDPR gap during the audit?
Document the gap, assess the risk level (likelihood of regulatory scrutiny multiplied by potential impact), and create a remediation plan with an owner and deadline. Minor gaps (e.g., outdated privacy policy language) should be fixed within 2 weeks. Major gaps (e.g., no lawful basis documented) should be escalated to legal and fixed within 30 days.
