On October 14, 2025, the European Data Protection Board announced what it would be spending 2026 looking for: transparency violations. Specifically, the EDPB selected compliance with Articles 12, 13, and 14 of the GDPR — the transparency and information obligations — as the focus of its fifth coordinated enforcement action. Data protection authorities across EU member states are now jointly investigating whether organizations are actually telling people what they do with their data.
This isn't academic. Insufficient information obligations have already resulted in over €252 million in GDPR fines as of early 2025. Total penalties across all violation types hit €1.2 billion in 2024 alone, and €5.88 billion since the regulation took effect. The enforcement has teeth, it's active, and this year the teeth are pointed at your privacy notice.
This checklist covers everything your company needs to be GDPR-compliant in 2026 — privacy notices, lawful basis, data subject rights, technical controls, and third-party processors. Work through it section by section. If you want to run your actual documents against these requirements automatically, PolicyAudit checks your privacy policy and other documents against GDPR and 12 other frameworks in minutes.
Section 1: Privacy Notice / Privacy Policy
This is the 2026 enforcement priority. Articles 12, 13, and 14 require that you tell people, clearly, in plain language, and at the time you collect their data, exactly what you're doing with it. Article 13 applies when you collect data directly from the individual; Article 14 applies when you obtain it from somewhere else (a data broker, a partner, public sources) and gives you at most one month from obtaining the data, or the first communication with the person if that comes sooner, to provide the notice. "Clear and plain language" is a direct GDPR requirement, not a UX suggestion. Your privacy notice needs to be easy to find, easy to read, and complete.
Privacy Notice Requirements
- Identity and contact details of the data controller are clearly stated
- Contact details of the Data Protection Officer (if you're required to have one)
- Purposes of processing described for each category of personal data
- Legal basis stated for each processing purpose (consent, contract, legitimate interest, legal obligation, vital interest, or public task)
- If relying on legitimate interests, those interests are explicitly described
- Categories of personal data collected are listed
- Recipients or categories of recipients who receive the data
- International transfer details — including the country and safeguards in place (SCCs, adequacy decision, BCRs)
- Retention periods stated for each data category, or the criteria used to determine them
- All data subject rights are described: access, rectification, erasure, restriction, portability, objection
- Right to withdraw consent (if consent is the legal basis) explained, with instructions
- Right to lodge a complaint with a supervisory authority mentioned
- Whether providing data is a statutory or contractual requirement, and consequences of not providing it
- Existence of automated decision-making or profiling, including logic and consequences
- Privacy notice is easy to find (in practice, linked from every page of your website and from every form that collects data, not buried inside the terms of service)
- Language is plain and accessible — not legal jargon that requires a lawyer to parse
The EDPB's 2026 coordinated enforcement specifically targets whether organizations comply with Articles 12–14. DPAs are actively investigating. If your privacy notice is incomplete, vague about legal basis, or doesn't describe all data subject rights, expect this to be flagged. Insufficient information obligations have resulted in €252 million in cumulative GDPR fines.
Section 2: Lawful Basis Documentation
Every processing activity needs a legal basis. Most companies pick "consent" as a default because it sounds the most legitimate — but it's often the hardest to maintain correctly. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't work. Bundled consent (one tick for everything) doesn't work. And you have to be able to prove it if challenged.
Lawful Basis Requirements
- A lawful basis has been identified and documented for each processing activity
- Consent mechanisms are granular — separate consent for separate purposes
- Consent is recorded with timestamp, mechanism, and version of notice shown
- Withdrawing consent is as easy as giving it (one click, no dark patterns)
- Where legitimate interests is the basis, a Legitimate Interests Assessment (LIA) is documented
- Special category data (health, biometrics, religion, etc.) has an Article 9 basis documented in addition to Article 6
- Cookie consent is obtained before non-essential cookies are set (this rule comes from Article 5(3) of the ePrivacy Directive, with consent meeting the GDPR standard); non-essential cookies stay blocked on every visit until consent is actually given, and the recorded choice is honored on later visits
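The consent requirements above (one purpose per consent, a record of when, how and under which notice version it was given, withdrawal that is as easy as granting, and the ability to prove the state of consent at a given moment) are easier to meet with an append-only ledger than with a boolean column on the user table. The following is an added example written for this checklist, not code from the original article or from PolicyAudit; the class name, the purposes ("analytics", "marketing") and the cookie-category mapping are hypothetical. Withdrawals are appended rather than overwriting the grant, so the full history survives as evidence, and lookups are point-in-time, so you can answer "was consent in force when this email was sent" rather than only "is it in force now".

```python
"""Append-only consent ledger: one purpose per event, point-in-time lookups.

Added illustration, not code from the original article. Names (ConsentLedger,
purposes such as "analytics") and the cookie-category mapping are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Constructed mapping from cookie category to the consent purpose gating it.
# None means strictly necessary: no consent needed (ePrivacy Art 5(3) exemption).
COOKIE_CATEGORY_PURPOSE = {
    "strictly_necessary": None,
    "analytics": "analytics",
    "advertising": "marketing",
}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one purpose per event: bundled consent is not recorded
    granted: bool         # False records a withdrawal
    at: datetime          # timezone-aware timestamp of the click/submission
    mechanism: str        # e.g. "signup-form-checkbox", "preference-centre"
    notice_version: str   # version of the privacy notice shown at the time


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               mechanism: str, notice_version: str,
               at: datetime | None = None) -> ConsentEvent:
        """Append one grant or withdrawal. Nothing is ever overwritten."""
        if not isinstance(purpose, str) or not purpose:
            raise ValueError("one purpose per consent event; no bundling")
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        event = ConsentEvent(subject_id, purpose, granted, at, mechanism, notice_version)
        self._events.append(event)
        return event

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full audit trail for one subject and purpose, oldest first."""
        history = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(history, key=lambda e: e.at)

    def is_consented(self, subject_id: str, purpose: str,
                     at: datetime | None = None) -> bool:
        """Was consent in force at `at` (default: now)? The latest event wins."""
        at = at or datetime.now(timezone.utc)
        history = [e for e in self.evidence(subject_id, purpose) if e.at <= at]
        return bool(history) and history[-1].granted

    def allowed_cookie_categories(
            self, subject_id: str,
            categories: Iterable[str] = COOKIE_CATEGORY_PURPOSE) -> set[str]:
        """Cookie categories that may be set for this subject right now.
        Unknown categories are denied: a cookie you have not classified is
        treated as non-essential."""
        allowed: set[str] = set()
        for category in categories:
            if category not in COOKIE_CATEGORY_PURPOSE:
                continue
            purpose = COOKIE_CATEGORY_PURPOSE[category]
            if purpose is None or self.is_consented(subject_id, purpose):
                allowed.add(category)
        return allowed
```

The server consults `allowed_cookie_categories()` before emitting any `Set-Cookie` header or injecting a tag-manager snippet, which is what "blocked until consent is given" means in practice; the `evidence()` list is what you hand to a regulator who asks you to prove a particular consent.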
Section 3: Records of Processing Activities
Article 30 requires most organizations to maintain a written record of all processing activities. The Article 30(5) exemption for organizations with fewer than 250 employees is narrow: it falls away if the processing is not occasional, is likely to result in a risk to individuals, or includes special category data, so in practice most businesses need the record. This is the internal document that maps everything: what data you process, why, how long you keep it, who has access, and where it goes. If a DPA asks for it during an investigation, you need to be able to produce it immediately.
ROPA Requirements
- A Record of Processing Activities (ROPA) exists and is kept up to date
- Each entry includes: name and contact of controller, processing purpose, data categories, data subject categories, recipients, transfers, retention periods, and security measures
- ROPA is reviewed and updated when processing activities change
- If a processor (not just controller), you maintain a processor-side ROPA covering all categories of processing carried out on behalf of controllers
Section 4: Data Subject Rights
People have the right to know what data you hold about them, correct it, delete it, export it, and object to how you use it. Under Article 12(3) you have to respond without undue delay and in any event within one month of receiving the request. That period can be extended by a further two months for complex or numerous requests, but only if you tell the individual, with reasons, within the first month. Most companies have a policy that says they honor these rights. Far fewer have an operational process to actually do it within the deadline.
Data Subject Rights Fulfillment
- A clear, accessible mechanism exists for data subjects to submit requests (email, form, or portal)
- An internal process routes DSR requests to the right team and tracks the one-month deadline (and any extension that was properly notified in time)
- Right of access (Article 15): you can produce a full copy of all data held about an individual
- Right to rectification (Article 16): incorrect data can be corrected across all systems, and each recipient of the data is told about the correction as Article 19 requires (unless that proves impossible or involves disproportionate effort)
- Right to erasure (Article 17): a deletion process exists that covers backups, logs, and downstream processors, with the same Article 19 notification to recipients
- Right to restriction (Article 18): you can flag an individual's data as restricted without deleting it
- Right to data portability (Article 20): for data the individual provided to you and that you process on the basis of consent or contract, you can export it in a structured, commonly used, machine-readable format (JSON, CSV)
- Right to object (Article 21): opt-out mechanisms exist for direct marketing (including related profiling), which must be honored unconditionally, and for processing based on legitimate interests or public task, which you may continue only if you can demonstrate compelling legitimate grounds
- Identity verification process exists to prevent fraudulent DSR requests without being unreasonably burdensome
- Responses to DSRs are logged with timestamps for audit evidence
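Tracking the Article 12(3) deadline is harder than "add 30 days": the period is one month, an extension of two further months only counts if the person was told within the first month, and the day count follows Regulation (EEC, Euratom) No 1182/71, which the EDPB applies to GDPR time limits. The following is an added example written for this checklist, not code from the original article or from PolicyAudit; the class and function names are hypothetical. It computes the deadline for a request logged with its receipt date, validates an extension, and flags overdue requests. Public holidays differ by member state, so they are passed in rather than assumed.

```python
"""Article 12(3) response clock for data subject requests.

Added illustration, not code from the original article; the class and function
names are hypothetical. Day-counting follows Regulation 1182/71: a period of
months ends on the same day-of-month in the final month (or that month's last
day if it does not exist), and a deadline that lands on a Saturday, Sunday or
public holiday moves to the next working day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(day: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length
    (31 January + 1 month = 28 or 29 February)."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def next_working_day(day: date, holidays: frozenset[date]) -> date:
    """Roll weekends and listed public holidays forward to the next working day."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


@dataclass
class DsrRequest:
    subject_id: str
    received: date
    extension_notified_on: date | None = None   # day the person was told, with reasons
    answered_on: date | None = None


def extension_is_valid(req: DsrRequest) -> bool:
    """An extension counts only if notified within the first month (Art 12(3)).
    Deliberately conservative: the notification window is not rolled forward
    over a weekend, so do not rely on the rollover for the notice itself."""
    return (req.extension_notified_on is not None
            and req.extension_notified_on <= add_months(req.received, 1))


def response_deadline(req: DsrRequest,
                      holidays: frozenset[date] = frozenset()) -> date:
    """One month from receipt, or three months if a valid extension was notified."""
    months = 3 if extension_is_valid(req) else 1
    return next_working_day(add_months(req.received, months), holidays)


def is_overdue(req: DsrRequest, today: date,
               holidays: frozenset[date] = frozenset()) -> bool:
    """True if the request was (or, if still open, would now be) answered late."""
    answered = req.answered_on or today
    return answered > response_deadline(req, holidays)


if __name__ == "__main__":
    # Constructed example: received on Saturday 31 January 2026.
    req = DsrRequest("subject-42", date(2026, 1, 31))
    print("deadline:", response_deadline(req))   # 2 March 2026 (28 Feb is a Saturday)
```

Log the receipt date, the extension notice date and the answer date with each request; the deadline is then a pure function of that record, which is the audit evidence a DPA asks for.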
See exactly where your privacy policy falls short
Instead of working through this checklist manually, upload your privacy policy to PolicyAudit. It checks your document against GDPR's transparency requirements — including Articles 12, 13, and 14 — and flags what's missing. Free to start, no sales call required.
Section 5: Technical and Organizational Measures
Article 25 requires "data protection by design and by default" — meaning privacy controls should be built into your systems, not bolted on afterward. Article 32 requires appropriate technical and organizational security measures. These aren't optional extras; they're core compliance requirements, and they're often where auditors find gaps because they require documentation of what you've actually implemented.
Technical & Organizational Measures
- Data is encrypted in transit (TLS) and at rest for sensitive categories
- Access controls are in place — principle of least privilege, role-based access
- Multi-factor authentication is enforced for systems that process personal data
- Data minimization is practiced — you only collect data actually needed for stated purposes
- Pseudonymization is used where feasible
- Regular security testing (penetration testing, vulnerability scanning) is conducted
- A Data Protection Impact Assessment (DPIA) process exists for high-risk processing activities
- A personal data breach notification procedure is documented: notify the DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33); notify affected individuals when the breach is likely to result in a high risk to them (Article 34); and record every breach in an internal breach register, including the ones you decide not to report (Article 33(5))
- Breach response has been tested — don't find out your process is broken during an actual incident
- Staff who handle personal data receive GDPR awareness training
- Written security policies cover data handling, access management, and incident response
Section 6: Third-Party Processors and Transfers
Every vendor you share personal data with (cloud providers, email platforms, analytics tools, payment processors, HR systems) needs a GDPR contract. Most of them act as data processors on your behalf, and you're responsible for ensuring they protect that data appropriately: written contracts containing the Article 28 clauses (Data Processing Agreements), and due diligence on their security practices. Some vendors decide the purposes and means of processing themselves (card networks, and some advertising and analytics platforms), which makes them independent or joint controllers rather than processors; check which role each vendor actually plays, because a joint controller needs an Article 26 arrangement, not a processor DPA.
Third-Party Processor Requirements
- A list of all third-party data processors exists and is maintained
- A signed Data Processing Agreement (DPA) is in place with every processor
- DPAs include the mandatory Article 28(3) terms: processing only on documented instructions, confidentiality commitments from the processor's staff, Article 32 security measures, conditions on engaging sub-processors, assistance with data subject requests and with your security, breach-notification and DPIA obligations, deletion or return of data on termination, and your right as controller to information, audits and inspections
- Sub-processors used by your processors are identified — you have the right to object to new sub-processors
- For data transfers outside the EU/EEA: an adequacy decision (Article 45), Standard Contractual Clauses (SCCs), or another Article 46 safeguard is in place and documented
- Data transfer impact assessments are completed for transfers to countries without adequacy decisions
- US-based processors are verified under EU-U.S. Data Privacy Framework (if applicable) or have SCCs
Section 7: Data Protection Officer and Governance
Not every organization needs a DPO, but the ones that do often don't know it. Article 37 requires a DPO if you're a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data or criminal conviction data. Even if you're not required to have one, having designated responsibility for GDPR compliance inside your organization is a signal to regulators that you take this seriously.
Governance Requirements
- You've assessed whether a DPO is required for your organization (document this assessment either way)
- If required: DPO is formally designated, their contact details are published, and they're registered with the relevant DPA
- DPO (or equivalent privacy lead) is involved in all significant decisions affecting personal data processing
- An internal GDPR accountability framework is documented — who owns what
- Annual review of compliance posture is scheduled and occurs
The EU AI Act Intersection
August 2, 2026 is the compliance deadline for high-risk AI systems under the EU AI Act. If your products or operations use AI to process personal data in high-risk contexts — HR decisions, credit scoring, healthcare, biometric identification, or content moderation at scale — you now have dual compliance obligations that significantly overlap.
Specifically: the AI Act requires technical documentation, conformity assessments, and transparency notices for high-risk AI systems. GDPR requires Data Protection Impact Assessments for high-risk processing. These aren't the same document, but they cover much of the same ground. Companies that haven't started AI Act compliance work yet are running out of runway — August is five months away, and conformity assessments for high-risk systems take time.
High-risk AI systems under Annex III of the EU AI Act must comply by August 2, 2026. If your AI system processes personal data from EU residents, GDPR obligations apply in parallel. The DPIA you need for GDPR can serve as a starting point for the AI Act's risk assessment — but they're not interchangeable.
Using Automation to Stay on Top of It
The honest reality of GDPR compliance is that it's not a one-time project. Regulations change, your processing activities change, new regulators start prioritizing different violations (see: 2026's transparency focus). You need a repeatable way to check your current state.
For the policy documentation layer — privacy notices, security policies, DPA templates — PolicyAudit can scan your documents against GDPR requirements and flag what's missing or outdated. It checks against Articles 12–14 (the 2026 enforcement priority), data subject rights disclosures, and retention requirements. The free tier gives you a full analysis of your privacy policy. For teams that need continuous monitoring across multiple frameworks, it scales up from there.
For the broader compliance automation picture — continuous control monitoring, evidence collection for SOC 2 or ISO 27001 alongside GDPR, and vendor risk management — platforms like Drata and Vanta provide the infrastructure layer. See our Drata review and Vanta review for a breakdown of where each fits.
Bottom Line
GDPR compliance in 2026 isn't about whether you have a privacy policy, since almost every company does. It's about whether your privacy notice is complete, accurate, and actually understandable. Whether your lawful basis documentation holds up to scrutiny. Whether you can respond to data subject requests within the one-month deadline. Whether your processors have signed DPAs. These are the specifics regulators are checking.
Start with your privacy notice. Run it against the Article 13/14 checklist above. If you're not sure it passes, upload it to PolicyAudit and get an objective read in minutes. Then work through the rest of the checklist systematically. Compliance is a process, not a destination — but a solid privacy notice and documented lawful basis gets you most of the way through the 2026 enforcement focus before anyone asks.
Don't guess whether your privacy policy is compliant
PolicyAudit checks your privacy policy and other documents against GDPR's transparency requirements — the 2026 enforcement focus — plus 12 other frameworks. Free to start, results in minutes.