Data protection is not an optional nice-to-have -- it is a legal obligation with fines of up to 20 million EUR. Especially for projects that process personal data (and that is almost all of them), project managers must consider data protection from the start. This checklist gives you 15 concrete points to check in every project.

The 15-Point GDPR Checklist

1. Check and Update the Processing Register

What: Every processing of personal data must be documented in the processing register (Art. 30 GDPR).

Why: The processing register is mandatory and is the first thing the supervisory authority requests during an inspection.

How: Check whether your project introduces new processing activities. If so, add to the register: purpose, categories of data subjects, data categories, recipients, deletion periods, and technical/organisational measures.

2. Determine the Legal Basis

What: Every data processing needs a legal basis (Art. 6 GDPR): consent, contract, legal obligation, vital interests, public interest, or legitimate interest.

Why: Without a legal basis, the processing is unlawful – no matter how well-intentioned.

How: For every data processing activity in the project, document the chosen legal basis and the justification.

3. Assess the Need for a Data Protection Impact Assessment (DPIA)

What: A DPIA (Art. 35 GDPR) is mandatory for high-risk processing – e.g. systematic monitoring, automated decisions, or large-scale processing of special categories of data.

Why: A DPIA helps identify risks early and take appropriate measures.

How: Use your supervisory authority’s blacklist and the Article 29 Working Party guidelines to check whether a DPIA is required.

4. Conclude Data Processing Agreements (DPA)

What: When external service providers process personal data on your behalf, you need a DPA (Art. 28 GDPR).

Why: Without a DPA, you as the controller are liable for the processor’s data protection breaches.

How: List every service provider with access to personal data. Check whether current DPAs are in place.

5. Ensure Data Subject Rights

What: Data subjects have rights to access, rectification, erasure, restriction, portability, and objection (Art. 15–21 GDPR).

Why: You must be able to fulfil these rights within one month.

How: Make sure your project team knows how data subject requests are handled and who is responsible.

6. Create a Deletion Concept

What: Personal data may only be stored for as long as the purpose requires (Art. 5(1)(e) GDPR).

Why: „We’ll delete the data at some point“ is not a permissible strategy.

How: Define concrete deletion periods for each data category and document them.

7. Involve the Data Protection Officer (DPO)

What: For high-risk processing or a DPIA, the DPO must be involved.

Why: The DPO spots risks the project team may overlook.

How: Inform the DPO about the project early and involve them in relevant decisions.

8. Define Technical and Organisational Measures (TOMs)

What: Appropriate technical and organisational measures to protect the data (Art. 32 GDPR).

Why: TOMs are your insurance against data breaches and a central checkpoint in audits.

How: Encryption, access controls, pseudonymisation, and regular security testing.

9. Privacy by Design and Privacy by Default

What: Data protection must be considered as early as development and configuration (Art. 25 GDPR).

Why: Retrofitting data protection later is more expensive and often incomplete.

How: Use privacy-friendly defaults: minimal data collection as standard, no superfluous fields.

10. Train the Project Team

What: Everyone involved in the project must know the data protection requirements relevant to them.

Why: Ignorance is no protection against fines.

How: Short, project-specific data protection briefings at project start. Document attendance.

11. Review and Update the Privacy Notice

What: Information obligations under Art. 13/14 GDPR must be met.

Why: Data subjects must be transparently informed about the data processing.

How: Check whether the existing privacy notice covers the new processing activities introduced by the project.

12. Check Third-Country Transfers

What: Are data transferred to countries outside the EEA?

Why: Third-country transfers require additional safeguards (adequacy decision, standard contractual clauses, etc.).

How: Check all tools and service providers in use for server locations and data flows.

13. Set Up a Data Breach Notification Process

What: Data breaches must be reported to the supervisory authority within 72 hours (Art. 33 GDPR).

Why: Late notifications can be sanctioned in their own right.

How: Make sure the project team knows the internal reporting process and who the point of contact is.

14. Ensure Documentation

What: Accountability (Art. 5(2) GDPR): you must be able to demonstrate that you comply with the GDPR.

Why: In case of doubt, the burden of proof lies with you, not the supervisory authority.

How: Document all data-protection-relevant decisions, measures, and considerations. Tools like PathHub AI help keep documentation as part of the project plan.

15. Plan Regular Reviews

What: Data protection is not a one-time activity. Measures must be reviewed and updated regularly.

Why: Projects change – and with them the data protection requirements.

How: Schedule at least quarterly data protection reviews for ongoing projects.

Summary: The 15 GDPR Points as Quick Check

1. Processing register • 2. Legal basis • 3. DPIA • 4. DPA • 5. Data subject rights • 6. Deletion concept • 7. DPO involvement • 8. TOMs • 9. Privacy by Design • 10. Training • 11. Privacy notice • 12. Third-country transfers • 13. Breach notification • 14. Documentation • 15. Regular reviews

Frequently Asked Questions

A DPIA is required when processing poses a high risk to individuals' rights. Typical cases: systematic monitoring, automated decisions with legal effect, large-scale processing of special categories, or scoring/profiling.
Ultimately, the controller under GDPR is responsible -- the company, represented by management. The project manager bears operational responsibility. The DPO advises and monitors.
The GDPR provides for fines of up to 20 million EUR or 4% of global annual revenue. In practice, fines range from a few thousand to several million EUR.
Use a project management tool with integrated compliance function. PathHub AI automatically recognises data protection requirements and integrates them into the project plan.
Yes. The GDPR does not distinguish between internal and external projects. As soon as personal data is processed -- including employee data -- the same requirements apply.