Data protection is not an optional nice-to-have: it is a legal obligation, with fines of up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher (Art. 83 GDPR). Especially for projects that process personal data (and that is almost all of them), project managers must consider data protection from the start. This checklist gives you 15 concrete points to check in every project.

The 15-Point GDPR Checklist

1. Check and Update the Processing Register

What: Every processing of personal data must be documented in the processing register (Art. 30 GDPR).

How: Check whether your project introduces new processing activities or changes existing ones. If so, supplement the register with the purpose, categories of data subjects, data categories, recipients, any transfers to third countries, the envisaged deletion periods, and a general description of the technical and organisational measures (Art. 30(1) GDPR).

2. Determine the Legal Basis

What: Every processing of personal data needs a legal basis (Art. 6(1) GDPR): consent, contract, legal obligation, vital interests, public task, or legitimate interest. Processing special categories of data (health, biometric data, political opinions, etc.) additionally requires one of the exceptions in Art. 9(2) GDPR. Document the chosen basis per processing activity before processing starts.

3. Assess Need for Data Protection Impact Assessment (DPIA)

What: A DPIA (Art. 35 GDPR) is mandatory when processing is likely to result in a high risk to data subjects, in particular for systematic and extensive profiling or automated decisions with legal or similarly significant effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas on a large scale (Art. 35(3)). Carry it out before processing begins, not after go-live.

4. Conclude Data Processing Agreements (DPA)

What: When external service providers process personal data on your behalf, you need a DPA (Art. 28 GDPR). Check that it covers the minimum contents of Art. 28(3): processing only on documented instructions, confidentiality of staff, security measures, rules for engaging sub-processors, assistance with data subject requests and breaches, deletion or return of the data at the end of the engagement, and audit rights.

5. Ensure Data Subject Rights

What: Data subjects have rights of access, rectification, erasure, restriction, data portability, and objection (Art. 15-21 GDPR), plus safeguards against solely automated decisions (Art. 22). You must respond without undue delay and at the latest within one month; this can be extended by two further months for complex or numerous requests, provided the data subject is informed within the first month (Art. 12(3)). Plan now how each system in the project locates, exports, and deletes one person's data.

6. Create a Deletion Concept

What: Personal data may be stored only as long as the purpose requires (Art. 5(1)(e) GDPR, storage limitation). Define concrete deletion periods for each data category, the event that starts the period (for example the end of the contract, not the creation of the record), statutory retention obligations that override earlier deletion, and how deletion is carried out in backups and at processors.
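A deletion concept is only useful if it can be executed. The following is an added example (not code from the original page or from any product it names) that turns a per-category retention schedule into a check that reports which records are due for deletion. The categories, periods, trigger events, and sample records are illustrative assumptions; the real periods come from your deletion concept and applicable national retention law, not from this script. It also handles the two cases that usually break deletion runs: a trigger event that has not yet happened (record must be kept) and a legal hold that suspends deletion.

```python
"""Deletion concept as an executable retention schedule (Art. 5(1)(e) GDPR).

Added example; the schedule and records below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Data category -> (retention period in days, event that starts the clock).
# The clock usually starts at an event (contract end, rejection), not at
# record creation, so a "created" timestamp alone is often not enough.
RETENTION_SCHEDULE = {
    "applicant_data": (180, "application_closed"),
    "customer_contract": (3650, "contract_ended"),
    "web_server_log": (7, "created"),
    "newsletter_subscription": (0, "consent_withdrawn"),
}


@dataclass
class Record:
    record_id: str
    category: str
    events: Dict[str, date] = field(default_factory=dict)  # event name -> date
    legal_hold: bool = False  # e.g. pending litigation suspends deletion


def retention_expiry(record: Record) -> Optional[date]:
    """Date from which the record may be deleted, or None if the trigger
    event has not happened yet (the record must then be kept)."""
    period_days, trigger = RETENTION_SCHEDULE[record.category]
    trigger_date = record.events.get(trigger)
    if trigger_date is None:
        return None
    return trigger_date + timedelta(days=period_days)


def unscheduled(records: List[Record]) -> List[str]:
    """Records whose category has no schedule entry: a finding for the
    processing register, not something to delete (or keep) silently."""
    return sorted(r.record_id for r in records if r.category not in RETENTION_SCHEDULE)


def due_for_deletion(records: List[Record], today: date) -> List[str]:
    """IDs of records whose retention period has expired and that are not on
    legal hold. Unscheduled categories are skipped; report them separately."""
    due = []
    for r in records:
        if r.category not in RETENTION_SCHEDULE or r.legal_hold:
            continue
        expiry = retention_expiry(r)
        if expiry is not None and expiry <= today:
            due.append(r.record_id)
    return sorted(due)


# Constructed sample records (no real persons) and a fixed "today" for the run.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "applicant_data", {"application_closed": date(2023, 11, 1)}),
    Record("R2", "applicant_data", {"application_closed": date(2024, 3, 1)}),
    Record("R3", "customer_contract", {"contract_ended": date(2013, 1, 15)}),
    Record("R4", "customer_contract", {"created": date(2020, 1, 1)}),  # still active
    Record("R5", "web_server_log", {"created": date(2024, 5, 20)}, legal_hold=True),
    Record("R6", "newsletter_subscription", {"consent_withdrawn": date(2024, 6, 1)}),
    Record("R7", "support_chat_transcript", {"created": date(2021, 1, 1)}),  # no schedule
]

if __name__ == "__main__":
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, TODAY))
    print("categories without schedule:", unscheduled(SAMPLE_RECORDS))
```

Run against the sample data, R1, R3, and R6 are due, R2 is still within its period, R4 has no end-of-contract event, R5 is held back by the legal hold, and R7 surfaces as a category the deletion concept does not cover yet. In a real system the schedule lives next to the processing register, and the output feeds the actual deletion job plus its evidence log for point 14.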

7. Involve the Data Protection Officer (DPO)

What: For a DPIA the controller must seek the advice of the DPO (Art. 35(2) GDPR), and the DPO must be involved properly and in a timely manner in all data protection issues (Art. 38(1)). Inform them early about the project, not at sign-off.

8. Define Technical and Organisational Measures (TOMs)

What: Technical and organisational measures appropriate to the risk (Art. 32 GDPR): encryption and pseudonymisation, access controls, ongoing confidentiality, integrity, availability and resilience of the systems, the ability to restore data promptly after an incident, and regular testing of the measures' effectiveness. Record the measures per processing activity; the register (point 1) refers to them.
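Pseudonymisation is the measure most often implemented wrongly: a plain SHA-256 of an e-mail address or customer number is treated as a pseudonym, although anyone holding a list of candidate identifiers can hash them and read the mapping back. The following added example (not code from the original page or from any product it names) shows the weak form next to a keyed HMAC whose key is kept apart from the data, which is the separation of "additional information" that Art. 4(5) GDPR describes. The customer list is constructed sample data; where the key is stored (a KMS or secret manager) is an assumption.

```python
"""Pseudonymisation as a technical measure (Art. 32 GDPR): unkeyed vs keyed.

Added example; identifiers below are constructed, key storage is assumed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Set

# Constructed sample identifiers (no real persons).
CUSTOMERS = ["alice@example.com", "Bob@example.org", "carol@example.net"]


def normalise(identifier: str) -> bytes:
    """Canonicalise so the same person always maps to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can recompute it."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. Still deterministic (joins across tables work),
    but the mapping cannot be rebuilt without the key, which must live
    outside the pseudonymised dataset (assumption: fetched from a KMS)."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(targets: Set[str], candidates: Iterable[str],
                      guess: Callable[[str], str]) -> Dict[str, str]:
    """What an attacker holding the pseudonymised dataset does: apply the
    guessed function to every candidate identifier and match the results.
    Returns the recovered pseudonym -> identifier pairs."""
    return {guess(c): c for c in candidates if guess(c) in targets}


def demo() -> Dict[str, int]:
    """Identifiers recovered from each scheme by a dictionary attack with a
    public candidate list (here simply the same addresses)."""
    key = secrets.token_bytes(32)  # never stored next to the data
    naive_dataset = {naive_hash(c) for c in CUSTOMERS}
    keyed_dataset = {pseudonymise(c, key) for c in CUSTOMERS}
    return {
        "unkeyed_sha256": len(dictionary_attack(naive_dataset, CUSTOMERS, naive_hash)),
        # The attacker does not hold `key`, so unkeyed guesses (or HMACs under
        # guessed keys) do not match anything in the keyed dataset.
        "keyed_hmac": len(dictionary_attack(keyed_dataset, CUSTOMERS, naive_hash)),
    }


if __name__ == "__main__":
    print(demo())  # {'unkeyed_sha256': 3, 'keyed_hmac': 0}
```

The point for the TOM description: a pseudonym is only as protective as the secrecy of the key and the access control around it. Rotating the key produces a new, unlinkable set of pseudonyms, which is useful when a dataset is handed to a new recipient, and deleting the key is one way to make the remaining data effectively anonymous for the deletion concept in point 6.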

9. Privacy by Design and Privacy by Default

What: Data protection must be built into development and configuration (Art. 25 GDPR): minimise the data collected, pseudonymise where the purpose allows, and ship privacy-friendly defaults so that, without any user action, only the data necessary for the purpose is processed and it is not made accessible to an indefinite number of people (Art. 25(2)).

10. Train the Project Team

What: All project participants must know the data protection requirements relevant to them. Document participation.

11. Check and Update Privacy Notice

What: Information obligations under Art. 13/14 GDPR must be fulfilled: at the time of collection when data come from the data subject (Art. 13), or within one month at the latest when obtained elsewhere (Art. 14(3)). Check whether the existing privacy notice covers the new processing, its purposes, legal basis, recipients, and retention periods.

12. Check Third-Country Transfers

What: Are data transferred to countries outside the EEA, including remote access by a provider's support staff? Such transfers need a mechanism under Chapter V GDPR: an adequacy decision, standard contractual clauses, or binding corporate rules. Where standard contractual clauses are used, assess whether the destination country's law undermines them and which supplementary measures (for example encryption with keys held only in the EEA) are needed.

13. Establish Data Breach Notification Process

What: A personal data breach must be notified to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to data subjects (Art. 33 GDPR); where the risk is high, the affected persons must also be informed without undue delay (Art. 34). Ensure the team knows the internal reporting route, and document every breach, including those not notified (Art. 33(5)).

14. Ensure Documentation

What: Accountability principle (Art. 5(2) GDPR): You must be able to demonstrate GDPR compliance. Tools like PathHub AI help maintain documentation as part of the project plan.

15. Plan Regular Reviews

What: Data protection is not a one-time activity. Plan at least quarterly reviews for ongoing projects.

Summary: The 15 GDPR Points as Quick Check

1. Processing register • 2. Legal basis • 3. DPIA • 4. DPA • 5. Data subject rights • 6. Deletion concept • 7. DPO involvement • 8. TOMs • 9. Privacy by Design • 10. Training • 11. Privacy notice • 12. Third-country transfers • 13. Breach notification • 14. Documentation • 15. Regular reviews

Frequently Asked Questions

When is a DPIA required?

A DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms (Art. 35(1) GDPR). Typical cases: systematic and extensive profiling or automated decisions with legal or similarly significant effect, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas on a large scale (Art. 35(3)). The supervisory authorities also publish lists of processing operations that always require one (Art. 35(4)).

Who is responsible for data protection in a project?

Ultimately, the controller under GDPR is responsible: the company, represented by management. The project manager bears operational responsibility. The DPO advises and monitors but does not take over the controller's responsibility.

What fines are possible?

The GDPR provides for fines of up to 20 million EUR or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(5)). In practice, fines range from a few thousand EUR to, in the largest cases to date, more than one billion EUR.

How do I keep track of data protection requirements in a project?

Use a project management tool with an integrated compliance function. PathHub AI automatically recognises data protection requirements and integrates them into the project plan.

Does the GDPR also apply to internal projects?

Yes. The GDPR does not distinguish between internal and external projects. As soon as personal data is processed, including employee data, the same requirements apply.