What's the difference between ROPA and DPIA?

Both are Article 30 + Article 35 documentation obligations, but they answer different questions. The ROPA (Records of Processing Activities, Article 30) is an inventory, every processing activity you run, with controller/processor distinction, purposes, data categories, recipients, retention, cross-border flows, and security measures. Every controller and most processors must maintain a ROPA. The DPIA (Data Protection Impact Assessment, Article 35) is a risk assessment, required only when processing is likely to result in high risk to rights and freedoms, per the EDPB 9-criteria threshold (two criteria met = DPIA required). The ROPA is your inventory; the DPIA is your risk analysis on the high-risk subset. The checklist covers both: the Article 30 ROPA fields and the Article 35 + EDPB threshold engine.

How do cross-border transfers work, SCCs vs the EU-US Data Privacy Framework?

Three transfer mechanisms cover most situations. (1) Article 45 adequacy, transfers to countries the European Commission has decided provide an adequate level of protection (UK, Switzerland, Japan, South Korea, Canada commercial, NZ, Israel, Argentina, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey). No additional safeguards required. (2) Article 46 SCCs 2021, Standard Contractual Clauses signed between exporter and importer, with one of four modules (C2C, C2P, P2P, P2C), supplementary measures, and a Schrems II Transfer Impact Assessment for the importer's jurisdiction. (3) EU-US Data Privacy Framework (effective July 2023), self-certification programme for US-headquartered recipients, verified on dataprivacyframework.gov. The DPF is an adequacy decision specifically for certified US recipients; for non-certified US recipients, you fall back to SCCs 2021 + supplementary measures. The checklist walks through all three with selection criteria.

Is Article 33 breach notification covered in detail?

Yes. The Article 33 controller-to-supervisory-authority notification timeline (72 hours from becoming aware), the Article 34 controller-to-data-subject high-risk-only notification, and the Article 33(2) processor-to-controller without-undue-delay notification are all in the breach-playbook section. Cross-border breaches affecting multiple supervisory authorities trigger lead-DPA + Article 56 one-stop-shop coordination, covered with the steps to identify the lead-DPA and the cross-border notification template. The 72-hour clock starts from awareness, not discovery, with reasoned delay justification permitted under Article 33(1).

How does the EU AI Act 2024 overlap with GDPR?

The EU AI Act 2024 (in force August 2024) is a regulatory regime distinct from GDPR but with significant overlap for AI processing of personal data. Overlap points: (1) Article 22 GDPR (automated decision-making with significant effect) maps directly to AI Act high-risk AI obligations, the same human-review requirement applies. (2) Article 35 GDPR DPIA and the AI Act's Fundamental Rights Impact Assessment (FRIA) for high-risk AI overlap substantially, the EDPB has issued guidance recommending integrated DPIA + FRIA for AI use cases. (3) AI Act risk-tier classification (Prohibited / High-Risk / Limited / Minimal) is now a required input to GDPR Article 35 DPIAs for AI processing. The checklist flags AI-relevant items throughout and includes a one-page AI Act + GDPR cross-walk in the appendix. Prohibited practices are effective February 2025; high-risk AI obligations roll through August 2026.

Free Download · GDPR (EU + UK)

The complete GDPR compliance audit checklist, Articles, ROPA, DPIA, DSAR, and cross-border in one pack.

Q: Does the checklist cover both EU GDPR and UK GDPR?

Yes. The checklist is built against EU GDPR (Regulation 2016/679) as the spine because the article numbering is identical, but every UK GDPR + Data Protection Act 2018 reference is called out where the regimes diverge. The UK Data (Use and Access) Act 2025 introduced changes around automated decision-making, scientific research, smart-data sharing, and cookie + similar-technology rules, those are flagged in the appendix with a separate UK GDPR posture column for multinational controllers running both regimes. The Information Commissioner's Office (ICO) is the UK supervisory authority; the checklist references the ICO Guide to GDPR throughout.

Articles 5–6 lawful basis, the Articles 12–22 data-subject rights workflow, the Articles 24–28 controller + processor obligations, the Article 30 ROPA, the Article 35 DPIA, the SCC 2021 + EU-US Data Privacy Framework cross-border toolkit, and the Article 33 breach playbook, all in one supervisory-authority-ready download. Privacy-counsel reviewed against EU GDPR (Reg 2016/679), UK GDPR + Data Protection Act 2018, and the August 2024 EU AI Act overlay. Free.

Get the checklist See the GDPR platform

Articles

Art. 5–6 · 12–22 · 24–28

ROPA + DPIA

Art. 30 · Art. 35

Transfers

SCCs 2021 · DPF · UK IDTA

Audit-ready

30 / 30

Audit-ready in 30 minutes

items mapped

EU GDPR · UK GDPR · EDPB · DPFReady

Built by RiskWatch, the team running EU GDPR + UK GDPR + EDPB Guidelines + SCCs 2021 + EU-US Data Privacy Framework + EU AI Act 2024 scoring inside the platform DPOs and Privacy Counsel use across 18 EU countries.

What's Inside · 31 audit items across 7 article groups

Every Article a supervisory authority asks about, in one walkthrough.

The download is structured the way EU + UK supervisory authorities run inquiries: lawful basis first, then rights, then controller/processor obligations, then the Article 30 ROPA, then the Article 35 DPIA threshold, then transfers, then breach. Each item carries the article reference, an owner-prompt, and an evidence column.

Lawfulness + Consent

Articles 5–6 · special category data under Article 9

Article 5 principles documented (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability) for every processing activity
Article 6 lawful basis selected per processing activity (consent, contract, legal obligation, vital interests, public task, legitimate interests) with documented LIA where Art. 6(1)(f) is used
Article 7 consent records, freely given, specific, informed, unambiguous, with the same standard for withdrawal as for grant
Article 9 special category data triggers identified (health, biometrics, racial origin, religion, sexual orientation, etc.) with the Art. 9(2) condition documented
Article 8 children's consent thresholds applied per Member State (13–16 years across the EU)

Subject Rights

Articles 12–22 · DSAR, erasure, portability, objection

Article 15 right of access, verifiable request workflow with 1-month response clock + 2-month extension under Art. 12(3)
Article 16 right to rectification, correction workflow with notification cascade to recipients under Art. 19
Article 17 right to erasure (right to be forgotten), deletion workflow including processor cascade and exceptions under Art. 17(3)
Article 20 right to data portability, structured, commonly used, machine-readable format ready (JSON / CSV)
Article 21 right to object, opt-out workflow for direct marketing (absolute) and legitimate-interests processing (balanced)
Article 22 automated decision-making, human-review workflow + meaningful information about the logic where Art. 22 applies

Controller + Processor

Articles 24–28 · accountability, DPA, sub-processors

Article 24 controller accountability, documented technical and organisational measures, reviewed and updated
Article 25 data protection by design + by default, applied to systems, products, services from inception
Article 26 joint-controller arrangements, written agreement under Art. 26(1) with essence available to data subjects
Article 28 written processor contract with the eight mandatory clauses (subject matter, duration, nature + purpose, data types, obligations + rights of controller, etc.)
Article 28(2)–(4) sub-processor authorisation, prior specific or general written authorisation with information of intended changes

ROPA, Records of Processing

Article 30 · controller + processor records

Article 30(1) controller ROPA fields complete, name + contact details, purposes, categories of data subjects + personal data, categories of recipients (incl. third-country recipients), retention, security measures
Article 30(2) processor ROPA fields complete, name + contact, categories of processing carried out, third-country transfers, technical + organisational measures
ROPA living-document discipline, field-level change history, source-event linkage (product launch, vendor change, retention update), reviewed at minimum quarterly
ROPA available to the supervisory authority on request under Article 30(4), export-ready in CSV / Excel / supervisor template

DPIA, Article 35 Threshold

Article 35 · EDPB 9-criteria DPIA Guidelines

EDPB 9-criteria DPIA threshold test run for every high-risk processing activity (evaluation/scoring, automated decisions, systematic monitoring, sensitive data, large-scale, dataset matching, vulnerable subjects, innovative tech, rights-blocking), two criteria met = DPIA required
Article 35(7) DPIA contents documented, systematic description, necessity + proportionality assessment, risks to rights + freedoms, mitigation measures
Article 36 prior consultation with supervisory authority where residual high risk remains after mitigation
DPIA cross-mapped to EU AI Act 2024 risk tiers (Prohibited / High-Risk / Limited / Minimal) for AI use cases

Cross-border Transfers

Chapter V · SCCs 2021 · EU-US DPF · adequacy

Article 45 adequacy decision check, current adequate countries list maintained (UK, Switzerland, Japan, South Korea, Canada commercial, NZ, Israel, Argentina, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey)
Article 46 SCCs 2021 module selected per processor (C2C, C2P, P2P, P2C) with supplementary measures + Schrems II Transfer Impact Assessment
EU-US Data Privacy Framework (effective July 2023), recipient certification verified on dataprivacyframework.gov, with ongoing self-recertification monitored
UK transfers, UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs in place

Breach Notification

Articles 33–34 · 72-hour clock

Article 33 controller-to-supervisory-authority notification within 72 hours of becoming aware (or reasoned delay justification documented)
Article 34 communication to data subjects without undue delay where the breach is likely to result in high risk to rights + freedoms
Article 33(2) processor-to-controller notification without undue delay, incident channel + escalation chain agreed in the Article 28 contract

31 items · 7 article groups · EU GDPR + UK GDPR + EDPB + EU AI Act

Why Run a GDPR Audit Now

GDPR enforcement keeps escalating. UK GDPR keeps diverging. The DPF is in scope.

GDPR is Regulation (EU) 2016/679, the world's most prescriptive data-protection regime, in force since May 2018 across all 27 EU Member States plus the EEA. Total cumulative fines exceeded €4.5B between 2018–2024, with Meta's €1.2B fine in 2023 for SCC violations the single largest. There are 90+ supervisory authorities across the EU + EEA, each with the power to investigate, audit, fine up to 4% of global annual turnover, and order processing to stop. The Article 30 ROPA is non-negotiable. The Article 35 DPIA threshold is non-negotiable. The Article 33 72-hour breach clock is non-negotiable. The audit walkthrough in this checklist is the same structure most supervisory authorities use to open inquiries.

UK GDPR + Data Protection Act 2018 govern UK processing post-Brexit, with the ICO as supervisory authority. UK GDPR is diverging from EU GDPR through the Data (Use and Access) Act 2025, covering automated decision-making, scientific research, smart-data sharing, and cookie + similar-technology rules. ICO enforcement remains active: Clearview AI, TikTok (£12.7M for children's data), Easylife (£130K under PECR), and ongoing investigations into ad-tech and biometrics. Multinational controllers running both regimes need parallel posture: where EU and UK converge, the same evidence applies; where they diverge, per-jurisdiction artefacts are required.

Two new cross-cutting regimes overlay GDPR. The EU-US Data Privacy Framework (effective July 2023, replacing the invalidated Privacy Shield) is the primary self-certification path for US-headquartered controllers receiving EU personal data, recipient certification is verifiable on dataprivacyframework.gov and the EDPB's adequacy decision is in effect, but Schrems III is already in motion. The EU AI Act 2024 (in force August 2024, prohibited practices effective February 2025, high-risk obligations rolling through August 2026) overlays GDPR for AI use cases, Article 22 automated-decision-making and the AI Act's risk-tier classification are now linked obligations. The checklist flags both throughout.

Who It's For

Built for the three teams that own the GDPR program.

Data Protection Officer (DPO)

DPOs designated under Article 37 own the GDPR program end-to-end, the Article 30 ROPA, the Article 35 DPIA threshold, supervisory-authority correspondence, and lead-DPA + one-stop-shop coordination across multi-jurisdiction processing.

Use the checklist as a quarterly cadence: ROPA freshness, DPIA threshold, DSAR SLA, transfers posture.

Privacy Counsel · Chief Privacy Officer

Privacy Counsel + CPOs own the legal strategy, DPA negotiation, SCC 2021 module selection, EU-US Data Privacy Framework certification, UK GDPR divergence, and EU AI Act 2024 + GDPR overlap for AI products.

Use the checklist as the auditor-ready walkthrough before any board, board committee, or M&A diligence.

B2B SaaS Serving the EU

B2B SaaS handling EU resident data sit on both sides of the controller/processor line, controller for marketing + sales data, processor for customer-tenant data. Articles 24–28, SCC 2021 modules, and the EU-US DPF certification path are the load-bearing obligations.

Use the checklist as your security + customer-trust artefact, pair with the SOC 2 + ISO 27001 evidence.

FAQ

Common questions on the GDPR audit checklist

ROPA vs DPIA, EU vs UK GDPR coverage, the SCCs vs Data Privacy Framework choice, the Article 33 breach clock, and the EU AI Act overlap.

Platform

GDPR Compliance Software

Articles + Living ROPA + EDPB DPIA threshold + DSAR + SCCs 2021 + EU AI Act on one survey-based platform for DPOs and US-EU multinational controllers.

Free Checklist

Free CCPA + CPRA Checklist

Running CCPA in parallel? 6 consumer rights, the §1798.140(ag) service-provider 6 contract terms, and the new January 2026 CPPA regs.

Industry

GDPR for SaaS + IT

B2B SaaS with EU customers, controller + processor obligations, sub-processor cascade, EU-US Data Privacy Framework, and the security-trust evidence stack.

30 frameworks beyond GDPR

Run GDPR + 39 other frameworks on the same platform?

30-minute walkthrough of the GDPR + UK GDPR + EU AI Act + ROPA + DPIA + DSAR engine on the same library that runs ISO 27001, SOC 2, HIPAA, PCI DSS, NIST, and 35 more frameworks. No slideware, no consulting upsell.

Book a 30-minute walkthrough Talk to a GDPR specialist

Or call US: +1 401 884 5236