GDPR data privacy audit checklist with implementation guide
Prompt
You are a data privacy consultant. Create a comprehensive GDPR compliance audit checklist for a [company_type] that processes [data_types]. Include:
1. Data inventory (what data do we have and where)
2. Legal basis for each data type
3. Data subject rights implementation checklist
4. Technical controls required
5. Documentation requirements
6. Third-party processor assessment
7. Breach notification procedure
8. Priority-ranked remediation plan
For each item, indicate: required vs recommended, implementation complexity, and who's responsible.
Example output
# GDPR Compliance Audit Checklist
**Company type:** B2B SaaS (project management)
**Data types:** User PII, company data, usage analytics, payment data, cookies
---
## 1. Data Inventory
Every GDPR compliance journey starts with knowing what data you have, where it lives, and why you have it.
### Personal Data Map
| Data Category | Specific Fields | Storage Location | Retention | Legal Basis |
|--------------|----------------|-----------------|-----------|-------------|
| **Account data** | Name, email, password hash, avatar | PostgreSQL (primary DB) | Account lifetime + 30 days | Contract (Art. 6(1)(b)) |
| **Billing data** | Card last 4, billing address, invoices | Stripe (processor) | 7 years (tax obligation) | Legal obligation (Art. 6(1)(c)) |
| **Usage data** | Page views, feature usage, session duration | Mixpanel (processor) | 24 months | Legitimate interest (Art. 6(1)(f)) |
| **Support data** | Support tickets, chat transcripts | Intercom (processor) | 3 years | Legitimate interest |
| **Cookies** | Session ID, preference cookies, analytics | Browser + Redis | Session / 12 months | Consent (Art. 6(1)(a)) |
| **IP addresses** | Login IPs, API request IPs | Application logs | 90 days | Legitimate interest |
| **Content data** | Tasks, comments, attachments | PostgreSQL + S3 | Account lifetime + 30 days | Contract |
**Action required:** Create a living document (data map) that is updated whenever a new data source or processor is added. Assign a data steward to review quarterly.
**Responsible:** Engineering Lead + DPO
**Complexity:** Medium (initial creation: 2-3 weeks)
**Status:** ☐ Required
---
## 2. Legal Basis Assessment
| Legal Basis | When to Use | Our Data | Documentation Needed |
|-------------|------------|----------|---------------------|
| **Consent** | Optional data collection, marketing emails, non-essential cookies | Marketing emails, analytics cookies | Consent records with timestamp, mechanism to withdraw |
| **Contract** | Data necessary to provide the service | Account data, content data | Terms of Service reference |
| **Legitimate Interest** | Usage analytics, security logs, product improvement | Usage data, IP addresses, support data | Legitimate Interest Assessment (LIA) document |
| **Legal obligation** | Tax records, financial reporting | Billing data | Reference to specific legislation |
### Consent Implementation Checklist
- [ ] Cookie consent banner with granular choices (not just "Accept all")
- [ ] Consent is freely given (service works without analytics consent)
- [ ] Consent is specific (separate consent for analytics vs. marketing)
- [ ] Consent records stored with timestamp, IP, and version of privacy policy
- [ ] Easy withdrawal mechanism (settings page, one click)
- [ ] Re-consent triggered when processing purposes change
- [ ] Marketing emails have one-click unsubscribe (CAN-SPAM + GDPR)
- [ ] No pre-ticked consent boxes
**Responsible:** Product Lead + Legal
**Complexity:** Medium
**Status:** ☐ Required
---
## 3. Data Subject Rights
Each request must be fulfilled within 30 days (extendable to 90 for complex requests).
### Right of Access (Art. 15)
- [ ] **Endpoint or process** to export all user data in machine-readable format (JSON/CSV)
- [ ] Include: account data, content, usage data, support tickets, billing history
- [ ] **Verification process** to confirm requester identity
- [ ] **Response template** for access requests
- [ ] **Automation recommended:** Self-service "Download my data" button in Settings
**Implementation:**
```
Settings → Privacy → "Download my data"
→ Generates ZIP containing:
- account.json (profile, settings)
- content.json (tasks, comments, attachments list)
- activity.json (login history, usage summary)
- billing.json (invoices, payment methods — masked)
```
### Right to Erasure (Art. 17)
- [ ] "Delete my account" flow that removes all PII within 30 days
- [ ] **Cascading deletion** across all systems (DB, Stripe, Mixpanel, Intercom, S3, logs)
- [ ] **Retained data:** Anonymized aggregate metrics (not PII), billing records (legal obligation — retained 7 years)
- [ ] **Notification to processors:** Automated deletion request to all third-party processors
- [ ] **Confirmation email** sent to user when deletion is complete
- [ ] **Grace period:** 14-day soft-delete before permanent deletion (allow recovery)
### Right to Rectification (Art. 16)
- [ ] Users can edit all their personal data in Settings
- [ ] Changes propagate to processors (e.g., email change synced to Intercom)
### Right to Data Portability (Art. 20)
- [ ] Export in structured, machine-readable format (JSON)
- [ ] Include all user-provided data (not derived analytics)
### Right to Object (Art. 21)
- [ ] Opt-out of usage analytics in Settings
- [ ] Opt-out of marketing communications
- [ ] Request to object processed within 30 days
**Responsible:** Engineering Lead
**Complexity:** High (initial build: 4-6 weeks)
**Status:** ☐ Required
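The erasure flow above (14-day soft delete, all PII gone within 30 days, billing records kept for the legal obligation) and the retention periods from the data map in section 1 can be enforced by one scheduled job. The following is an added example, not code from the original checklist; the `Record` shape, the `RETENTION` table and the 24-month approximation of 730 days are constructed for it.

```python
import dataclasses
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Retention rules mirroring the data map in section 1 (constructed for this example):
# category -> (fixed retention in days, or None for "account lifetime + 30 days",
#              whether the record survives an erasure request)
RETENTION = {
    "account": (None, False),
    "content": (None, False),
    "billing": (7 * 365, True),   # legal obligation: kept despite erasure (Art. 17(3)(b))
    "usage":   (730, False),      # 24 months, approximated as 730 days
    "support": (3 * 365, False),
    "ip_log":  (90, False),
}
SOFT_DELETE_GRACE = timedelta(days=14)     # recoverable window after "Delete my account"
HARD_DELETE_DEADLINE = timedelta(days=30)  # all PII must be gone by then (Art. 17)

@dataclasses.dataclass
class Record:
    id: str
    category: str
    created: datetime
    account_closed_at: Optional[datetime] = None  # set when the owner deletes the account

def retention_action(rec: Record, now: datetime) -> str:
    """Return 'keep', 'soft_deleted' (still recoverable) or 'purge' for one record."""
    days, survives_erasure = RETENTION[rec.category]
    if days is not None and now - rec.created >= timedelta(days=days):
        return "purge"  # fixed retention period exhausted, regardless of account state
    closed = rec.account_closed_at
    if closed is None or survives_erasure:
        return "keep"   # open account, or legally retained data such as invoices
    age = now - closed
    return "soft_deleted" if age < SOFT_DELETE_GRACE else "purge"

def sweep(records: List[Record], now: datetime) -> Tuple[List[str], List[str]]:
    """Plan one run of the retention job: ids to purge, and ids already past the 30-day deadline."""
    to_purge, overdue = [], []
    for rec in records:
        if retention_action(rec, now) != "purge":
            continue
        to_purge.append(rec.id)
        closed = rec.account_closed_at
        if closed is not None and now - closed > HARD_DELETE_DEADLINE:
            overdue.append(rec.id)  # missed the erasure commitment: escalate to the DPO
    return to_purge, overdue
```

Note that fixed-period categories such as usage data are also purged after the grace period when the account is closed, since an erasure request does not wait for the 24-month clock.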
---
## 4. Technical Controls
### Data Protection by Design (Art. 25)
- [ ] **Encryption at rest:** All databases encrypted (AES-256). S3 buckets with SSE-S3. ☐ Required
- [ ] **Encryption in transit:** TLS 1.2+ on all connections. HSTS enabled. ☐ Required
- [ ] **Password hashing:** bcrypt with cost factor ≥12. Never store plaintext. ☐ Required
- [ ] **Access controls:** Role-based access to production data. No developer access to PII without approval. ☐ Required
- [ ] **Audit logging:** Log all access to PII (who, when, what). Retain 12 months. ☐ Required
- [ ] **Data minimization:** Only collect fields necessary for the service. Review quarterly. ☐ Required
- [ ] **Pseudonymization:** Analytics data uses hashed user IDs, not email. ☐ Recommended
- [ ] **Automated deletion:** Cron job to purge data beyond retention periods. ☐ Required
- [ ] **Backup encryption:** All backups encrypted. Tested restore procedure documented. ☐ Required
### Cookie Implementation
- [ ] **Essential cookies only** load before consent
- [ ] **Analytics cookies** load only after explicit consent
- [ ] **Cookie consent** persisted per user (not per session)
- [ ] **Cookie policy** page listing every cookie, purpose, and expiry
**Responsible:** Security Lead + Engineering
**Complexity:** Medium-High
**Status:** ☐ Required
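The pseudonymization item above ("hashed user IDs, not email") only holds if the hash is keyed: an unkeyed SHA-256 of an e-mail address can be matched back to the address by anyone holding a list of candidate addresses. This added example (not code from the original checklist) contrasts the two; `ANALYTICS_PEPPER`, `DIRECT_IDENTIFIERS` and the event shape are constructed for it.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed secret for the example; in production it lives in a secrets store
# and is never shared with the analytics processor (Mixpanel in the data map).
ANALYTICS_PEPPER = b"constructed-example-pepper-rotate-me"

# Fields that must never reach the analytics processor (data minimisation, Art. 25).
DIRECT_IDENTIFIERS = {"email", "name", "ip", "phone"}

def _normalise(user_email: str) -> bytes:
    return user_email.strip().lower().encode()

def unkeyed_hash(user_email: str) -> str:
    """How the item is often (wrongly) implemented: plain SHA-256 of the e-mail."""
    return hashlib.sha256(_normalise(user_email)).hexdigest()

def pseudonymise(user_email: str, key: bytes) -> str:
    """Keyed pseudonym: stable per user, but cannot be recomputed without the key."""
    return hmac.new(key, _normalise(user_email), hashlib.sha256).hexdigest()

def reidentify(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Audit check: can a stored token be linked to a known address by recomputing
    the unkeyed hash? Succeeds against sha256(email), fails against HMAC output."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_hash(cand), token):
            return cand
    return None

def analytics_event(user_email: str, key: bytes, name: str, properties: dict) -> dict:
    """Build the event sent to the processor: pseudonymous id, direct identifiers stripped."""
    safe_props = {k: v for k, v in properties.items() if k not in DIRECT_IDENTIFIERS}
    return {"event": name, "distinct_id": pseudonymise(user_email, key), "properties": safe_props}
```

Rotating the key makes old and new tokens unlinkable, which is the behaviour you want when a processing purpose changes and re-consent is triggered.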
---
## 5. Documentation Requirements
| Document | Status | Owner | Review Cycle |
|----------|--------|-------|-------------|
| Privacy Policy (public) | ☐ Required | Legal | Annually + on change |
| Cookie Policy (public) | ☐ Required | Legal | Annually |
| Data Processing Agreement (DPA) template | ☐ Required | Legal | Annually |
| Record of Processing Activities (ROPA) | ☐ Required | DPO | Quarterly |
| Legitimate Interest Assessment (LIA) | ☐ Required | DPO | Per new processing activity |
| Data Protection Impact Assessment (DPIA) | ☐ Required if high-risk | DPO | Per new high-risk processing |
| Breach Response Plan | ☐ Required | Security Lead | Annually |
| Data Retention Policy | ☐ Required | DPO | Annually |
| Employee Data Handling Policy | ☐ Required | HR + DPO | Annually |
---
## 6. Third-Party Processor Assessment
| Processor | Data Shared | DPA Signed? | EU Hosting? | SCCs Needed? |
|-----------|------------|-------------|-------------|-------------|
| Stripe | Payment data | ☐ Check | Yes (Ireland) | No |
| AWS | All data | ☐ Check | Yes (Frankfurt) | No |
| Mixpanel | Usage analytics | ☐ Check | Yes (EU option) | Verify |
| Intercom | Support data | ☐ Check | No (US) | ☐ Yes — SCCs required |
| SendGrid | Email addresses | ☐ Check | No (US) | ☐ Yes — SCCs required |
| Cloudflare R2 | File attachments | ☐ Check | Yes (EU jurisdiction) | No |
**For each processor:**
- [ ] Data Processing Agreement (DPA) signed
- [ ] Standard Contractual Clauses (SCCs) for non-EU processors
- [ ] Verify sub-processor list annually
- [ ] Verify deletion capabilities (can they delete on request?)
- [ ] Security assessment (SOC 2 or equivalent)
---
## 7. Breach Notification Procedure
### Timeline (from discovery)
| Time | Action | Responsible |
|------|--------|-------------|
| 0-1 hour | Contain the breach. Preserve evidence. Notify Security Lead. | On-call engineer |
| 1-4 hours | Assess scope: what data, how many users, ongoing? | Security Lead |
| 4-24 hours | Notify DPO. Begin documentation. | Security Lead → DPO |
| 24-48 hours | Determine if supervisory authority notification is required (72-hour deadline). | DPO |
| 48-72 hours | **Notify supervisory authority** if risk to individuals (Art. 33). | DPO |
| ASAP after assessment | **Notify affected individuals** if high risk (Art. 34). | DPO + Comms |
### Notification Template (Supervisory Authority)
Include: nature of breach, categories of data, approximate number of individuals, likely consequences, measures taken, contact details of DPO.
---
## 8. Priority-Ranked Remediation Plan
| Priority | Item | Effort | Deadline |
|----------|------|--------|----------|
| 🔴 P0 | Sign DPAs with all processors | Low | 2 weeks |
| 🔴 P0 | Implement cookie consent banner | Medium | 3 weeks |
| 🔴 P0 | Add "Delete my account" flow | High | 6 weeks |
| 🟡 P1 | Build "Download my data" export | Medium | 4 weeks |
| 🟡 P1 | Create Record of Processing Activities | Medium | 3 weeks |
| 🟡 P1 | Implement SCCs for US-based processors | Low | 2 weeks |
| 🟡 P1 | Audit logging for PII access | Medium | 4 weeks |
| 🟢 P2 | Automated data retention enforcement | Medium | 6 weeks |
| 🟢 P2 | Privacy policy review and update | Low | 2 weeks |
| 🟢 P2 | Employee GDPR training | Low | Ongoing quarterly |