GDPR readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Establish and document a valid lawful basis under Art. 6 for every processing activity, with additional justification for special category data under Art. 9.
Requirements
- Documented lawful basis per processing activity (Art. 6(1)(a)–(f))
- Legitimate interest assessments (LIA) where Art. 6(1)(f) is relied upon
- Special category data processing justification under Art. 9(2) conditions
- Regular review of lawful basis validity and continued applicability
Evidence Examples
| Artifact | Owner | Frequency |
| Record of Processing Activities (ROPA) with lawful basis column populated for each activity | Data Protection Officer | Quarterly |
| Legitimate Interest Assessment (LIA) documentation with balancing test outcomes | Privacy Counsel | Per new processing activity |
| Consent records with timestamps, scope, and withdrawal capability | Privacy Operations Manager | Ongoing |
| Special category data processing register with Art. 9(2) condition references | Data Protection Officer | Semi-annually |
Implement and operate processes to fulfill data subject rights under Art. 15–22, including access, rectification, erasure, restriction, portability, and objection.
Requirements
- Verified identity before responding to any data subject request
- 30-day response timeline with documented extensions up to 90 days for complex requests
- Automated or semi-automated process for access and portability requests
- Erasure cascade to all processors and sub-processors
- Restriction and objection handling with processing suspension capability
Evidence Examples
| Artifact | Owner | Frequency |
| DSR request log with timestamps, request type, response dates, and outcomes | Privacy Operations Manager | Ongoing |
| Standardized response templates for each right (access, erasure, portability, etc.) | Privacy Counsel | Annually reviewed |
| Processor erasure confirmation receipts showing cascade completion | Vendor Management Lead | Per erasure request |
| Identity verification procedure documentation and audit trail | Privacy Operations Manager | Quarterly |
Collect, record, and manage consent that meets GDPR standards for being freely given, specific, informed, and unambiguous, with granular controls and easy withdrawal.
Requirements
- Freely given, specific, informed, and unambiguous consent (Art. 7(1))
- Granular consent per processing purpose — no bundled consent
- Easy withdrawal mechanism that is as simple as giving consent (Art. 7(3))
- Children's consent with parental verification where applicable (Art. 8)
Evidence Examples
| Artifact | Owner | Frequency |
| Consent collection UI screenshots showing granular purpose selection and clear language | Product Manager | Per release |
| Consent database exports with timestamps, purpose, version, and withdrawal status | Privacy Engineer | Quarterly |
| Withdrawal mechanism logs showing time-to-effect and confirmation delivery | Privacy Operations Manager | Monthly |
Maintain comprehensive records of processing activities as required by Art. 30, for both controller and processor roles.
Requirements
- Controller ROPA containing all Art. 30(1) fields: purposes, data categories, recipients, transfers, retention periods, and security measures
- Processor ROPA containing all Art. 30(2) fields: categories of processing, transfers, and security measures
- Regular updates reflecting new processing activities and changes to existing ones
- ROPA available to the supervisory authority on request
Evidence Examples
| Artifact | Owner | Frequency |
| ROPA spreadsheet or tool export with all Art. 30(1) fields populated | Data Protection Officer | Quarterly |
| ROPA update log showing change history and review dates | Privacy Operations Manager | Monthly |
| Processor ROPA covering all processing performed on behalf of controllers | Vendor Management Lead | Semi-annually |
Conduct DPIAs for processing operations likely to result in high risk to individuals, including systematic evaluation of necessity, proportionality, and risk mitigation.
Requirements
- DPIA for all processing likely to result in high risk to data subjects (Art. 35(1))
- Systematic description of processing operations and purposes
- Assessment of necessity and proportionality relative to the stated purposes
- Risk assessment covering rights and freedoms of data subjects with mitigation measures
- Prior consultation with supervisory authority when residual risk remains high (Art. 36)
Evidence Examples
| Artifact | Owner | Frequency |
| Completed DPIA documents with risk scoring and mitigation action plans | Data Protection Officer | Per high-risk processing activity |
| DPIA screening checklist used to determine whether a full DPIA is required | Privacy Counsel | Per new processing activity |
| Supervisory authority prior consultation records and correspondence | Data Protection Officer | As needed |
| DPIA review and update log for ongoing high-risk processing | Privacy Operations Manager | Annually |
Appoint and support a Data Protection Officer where required, ensuring independence, accessibility, and involvement in all data protection matters.
Requirements
- DPO appointment when required by Art. 37(1) — public authorities, large-scale monitoring, or large-scale special category processing
- Independence and absence of conflicts of interest (Art. 38(3), Art. 38(6))
- Published and accessible contact point for data subjects and supervisory authorities
- Direct reporting line to highest level of management (Art. 38(3))
- Involvement in all issues relating to the protection of personal data (Art. 38(1))
Evidence Examples
| Artifact | Owner | Frequency |
| DPO appointment letter or contract specifying role, responsibilities, and independence guarantees | Chief Executive Officer | At appointment and upon change |
| Published DPO contact details on the organization's website and privacy notices | Privacy Operations Manager | Annually verified |
| Organizational chart showing DPO reporting line to senior management | Human Resources Director | Annually |
| DPO activity log documenting involvement in data protection decisions and consultations | Data Protection Officer | Quarterly |
Ensure all transfers of personal data to third countries or international organizations comply with Chapter V safeguards under Art. 44–49.
Requirements
- Adequacy decision reliance documented with reference to specific Commission decisions (Art. 45)
- Standard Contractual Clauses (SCCs) executed for transfers lacking an adequacy decision (Art. 46(2)(c))
- Transfer impact assessments (TIAs) evaluating third-country legal frameworks
- Supplementary measures implemented where TIAs identify inadequate protections
- Binding Corporate Rules (BCRs) for intra-group transfers where applicable (Art. 47)
Evidence Examples
| Artifact | Owner | Frequency |
| SCC register listing all executed clauses with counterparties, data categories, and transfer destinations | Privacy Counsel | Quarterly |
| Transfer impact assessment documents analyzing third-country surveillance laws and data protection standards | Data Protection Officer | Per transfer mechanism and upon legal landscape changes |
| Adequacy decision reference log mapping transfers to applicable Commission decisions | Privacy Operations Manager | Semi-annually |
| Supplementary measures documentation (encryption, pseudonymization, contractual commitments) | Information Security Manager | Annually |
Detect, assess, and notify personal data breaches within the timelines and procedures mandated by Art. 33–34.
Requirements
- 72-hour notification to the supervisory authority for breaches likely to result in risk (Art. 33(1))
- Risk assessment to determine whether data subject notification is required (Art. 34)
- Comprehensive breach register documenting all breaches regardless of notification obligation (Art. 33(5))
- Processor obligation to notify controller without undue delay upon becoming aware of a breach (Art. 33(2))
Evidence Examples
| Artifact | Owner | Frequency |
| Breach register documenting facts, effects, and remedial actions for all incidents | Information Security Manager | Ongoing |
| Supervisory authority notification records with submission timestamps and content | Data Protection Officer | Per breach event |
| Incident response playbook covering breach detection, assessment, containment, and notification workflows | Chief Information Security Officer | Annually reviewed |
| Processor breach notification clause compliance tracker | Vendor Management Lead | Semi-annually |
Integrate data protection into the design of processing activities and ensure default settings minimize personal data collection and use, as required by Art. 25.
Requirements
- Data protection integrated into system design from the earliest stages of development
- Default settings configured to minimize data collection, processing scope, and retention
- Pseudonymization and encryption implemented as standard protective measures
- Privacy requirements embedded in the software development lifecycle (SDLC)
Evidence Examples
| Artifact | Owner | Frequency |
| Privacy design review checklists completed for each new system or feature | Privacy Engineer | Per project milestone |
| Privacy requirement specifications included in product requirements documents | Product Manager | Per feature release |
| Default settings documentation demonstrating data minimization configurations | Engineering Lead | Per release |
| Technical architecture reviews incorporating pseudonymization and encryption standards | Security Architect | Quarterly |
Establish and maintain binding agreements with all processors that meet Art. 28(3) requirements, including due diligence, sub-processor controls, and audit rights.
Requirements
- Written contract with all mandatory Art. 28(3) provisions for every processor relationship
- Processor due diligence assessing technical and organizational measures before engagement
- Sub-processor authorization regime with prior specific or general written authorization and notification (Art. 28(2))
- Contractual audit rights enabling controller verification of processor compliance
- Data return or deletion obligations upon termination of processing services (Art. 28(3)(g))
Evidence Examples
| Artifact | Owner | Frequency |
| Processor agreement register listing all processors with contract status, renewal dates, and Art. 28(3) clause coverage | Vendor Management Lead | Quarterly |
| Due diligence assessment records including security questionnaires and certification reviews | Information Security Manager | Per new processor and annually |
| Sub-processor notification log documenting approvals and objection handling | Privacy Operations Manager | Ongoing |
| Processor audit reports or SOC 2 / ISO 27001 certification reviews | Internal Audit Manager | Annually |
Ensure personal data is adequate, relevant, and limited to what is necessary, with defined retention periods and systematic deletion or anonymization.
Requirements
- Purpose limitation documentation linking each data element to a specific, explicit, and legitimate purpose (Art. 5(1)(b))
- Adequacy and relevance review verifying that collected data does not exceed what is necessary (Art. 5(1)(c))
- Retention schedules defined per data category with legal basis for each retention period
- Automated deletion or anonymization processes executing retention schedules (Art. 5(1)(e))
Evidence Examples
| Artifact | Owner | Frequency |
| Data retention schedule mapping data categories to retention periods and legal justifications | Data Protection Officer | Annually |
| Deletion execution logs confirming automated purge of expired data | Database Administrator | Monthly |
| Data minimization review reports assessing collected fields against stated purposes | Privacy Engineer | Semi-annually |
| Anonymization validation records confirming irreversibility of anonymized datasets | Data Scientist | Per anonymization batch |
Demonstrate compliance with GDPR through documented policies, training programs, internal audits, and a culture of data protection accountability under Art. 5(2) and Art. 24.
Requirements
- Documented data protection policies covering all GDPR obligations and organizational procedures
- Staff training records demonstrating regular privacy awareness and role-specific training
- Internal audit program evaluating GDPR compliance across all processing activities
- Demonstrable compliance evidence maintained and available for supervisory authority review
Evidence Examples
| Artifact | Owner | Frequency |
| Data protection policy suite covering data handling, retention, breach response, DSR procedures, and international transfers | Data Protection Officer | Annually reviewed |
| Training attendance logs and completion certificates for privacy awareness programs | Human Resources Director | Annually |
| Internal audit reports covering GDPR compliance assessment findings and remediation tracking | Internal Audit Manager | Annually |
| Compliance dashboard or status report summarizing control effectiveness across all GDPR domains | Data Protection Officer | Quarterly |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v# Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.