Rules & Requirements —
Preparing for GDPR Compliance
GDPR data transfers require SCCs, BCRs, or adequacy, and must include impact assessments and updated safeguards.
Share this article
Preparing for GDPR Compliance
Most checklists list GDPR prep steps in a flat order, like they're all equally urgent. They're not. Almost everything else on the list depends on getting one step right first: knowing exactly what personal data you actually have. Skip that, and every later step is built on guesswork.
Step 1: Map Your Data Before You Do Anything Else
Here's a distinction worth knowing: GDPR doesn't technically require a "data inventory" by name. What it requires is a Record of Processing Activities (Article 30). But you can't realistically build an accurate RoPA without first doing the inventory and mapping work — so in practice, this is the non-negotiable first step everyone ends up doing anyway.
A real data inventory tracks, for each piece of personal data you hold:
Where it came from
Why you collected it
Where it flows internally (which teams, which systems)
Who outside your organization gets access to it
How long you keep it, and when it gets deleted
A simple example: someone applies for a job through your website. The source is the application form. The reason for collecting it is "submitted by the applicant." It flows to HR, maybe to a hiring manager, maybe into a recruiting tool. The disposal plan might be "keep the email for future opportunities, delete everything else after six months." That's one row in your inventory — and a real organization usually has hundreds of these.
This is also the step where you find things you didn't know existed. The marketing team's spreadsheet with lead contact info nobody told legal about. The support team pasting customer emails into a shared doc. The HR tool that's quietly storing health insurance data right next to salary data. You won't find these by reading a privacy policy — you find them by actually asking each team what they collect and where it goes.
A good way to test whether your inventory is actually accurate: run a mock breach drill. Pick a piece of data and ask your team to trace it — where does it live, who has access, which vendors touched it. If they can't answer fast, your inventory has a gap, and you just found it before a regulator did.
Step 2: Identify Your Lawful Basis for Each Processing Activity
Once you know what you're collecting and why, match each activity to an actual legal basis — consent, contract, legal obligation, legitimate interest, and a few others. Don't default to consent for everything; it's often not the right basis, and it comes with its own withdrawal mechanics you have to support.
Step 3: Update Privacy Notices to Match Reality
Your privacy notice should describe what you're actually doing, based on the inventory you just built — not a generic template that was accurate three reorganizations ago. If the inventory surfaced data flows you didn't know about, your notice probably needs updating to reflect them.
Step 4: Build a Real Process for Rights Requests
Once you know where data lives, you can actually build a working process for access, deletion, and correction requests. GDPR Data Subject Rights: All 8, Explained covers all eight rights and their deadlines — useful to read before building this process, not after.
Step 5: Put Real Safeguards in Place
Technical and organizational measures, based on what the inventory showed you actually needs protecting. This is also where privacy by design comes in — building safeguards into new systems from the start, instead of retrofitting them later.
Step 6: Review Every Vendor Contract
Any vendor touching personal data on your behalf needs a real Data Processing Agreement. Controller vs. Processor Responsibilities covers exactly what has to be in that agreement, including the part about sub-processors that catches people off guard.
Step 7: Sort Out Cross-Border Transfers, If They Apply
If your data inventory shows personal data moving outside the EU, you need a real mechanism backing that up — adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. This isn't a step to handle informally; enforcement here has gotten serious.
Why the Order Actually Matters
Doing these out of order is the most common way GDPR prep stalls. You can't write an accurate privacy notice before you know what you collect. You can't build a working rights-request process before you know where data lives. You can't review vendor contracts properly before you know which vendors are actually touching personal data in the first place. The data inventory isn't just step one because it's easiest — it's step one because everything else depends on it being right.
Keeping the Inventory Current
A data inventory built once and never revisited goes stale fast — new vendors get added, systems change, teams start collecting things nobody flagged. Treat it as a living document with a named owner, not a one-time project you check off and forget.
Pairing This With Other Frameworks
If you're also working toward ISO 27001 or SOC 2, the data mapping work above does double duty — both frameworks expect you to know exactly what sensitive data you hold and where, before you can build the right controls around it.
In the Spotlight

Start your GDPR compliance journey with DSALTA's complete checklist.
The General Data Protection Regulation (GDPR) is Europe’s core privacy law, shaping how organizations collect, process, and protect the personal data of EU residents. Non-compliance can result in heavy fines, reputational damage, and loss of customer trust.
GDPR can feel complicated with its broad scope and strict requirements, but DSALTA® makes it manageable. With automated evidence collection, continuous monitoring, and AI- driven risk insights, you can maintain compliance without drowning in manual work. Use this checklist to guide your GDPR journey.
Read more about GDPR compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




