
GDPR Compliance Implementation Checklist

This production-readiness checklist covers the technical and operational requirements for SaaS applications handling EU citizen data under GDPR. It focuses on engineering implementation, data lifecycle management, and infrastructure configuration to ensure compliance before going live.


Consent and Tracking Implementation

  • Enforce Opt-In for Non-Essential Cookies (critical)
    Block all non-essential scripts (marketing, tracking, non-anonymized analytics) from loading until the user explicitly clicks 'Accept' on the consent banner.

  • Implement 'Reject All' Parity (critical)
    Ensure the 'Reject All' button is visually identical in prominence, size, and color to the 'Accept All' button to avoid dark patterns.

  • Log Consent State and Version (recommended)
    Store a timestamped record of the user's consent choice and the specific version of the privacy policy they agreed to in a tamper-evident log.

  • Verify Privacy-First Analytics Configuration (recommended)
    If using Plausible or Fathom, verify that IP hashing is enabled and that no persistent cookies are being dropped on the client side.

  • Granular Consent Controls (recommended)
    Provide users with a toggle menu to enable or disable specific categories of data processing (e.g., functional vs. marketing) independently.
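
The 'Log Consent State and Version' and 'Granular Consent Controls' items above describe a tamper-evident, per-category consent record. The following is an added example (not code from the checklist's author) of one way to build it: each record carries the timestamp, the policy version and an explicit yes/no for every category, and is chained to the previous record by a SHA-256 hash so that any later edit breaks verification. The category names and the in-memory list used as storage are assumptions for the example.

```python
"""Tamper-evident consent log: a hash chain over timestamped consent records."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed category names; they should match the toggles shown to the user.
CATEGORIES = ("functional", "analytics", "marketing")
GENESIS = "0" * 64  # prev_hash of the first record


class ConsentLog:
    def __init__(self):
        self.records = []          # assumption: in-memory; use durable storage in production
        self.prev_hash = GENESIS

    def append(self, user_id, choices, policy_version, timestamp=None):
        # Reject unknown categories so the record mirrors the toggle menu exactly.
        unknown = set(choices) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown consent categories: {sorted(unknown)}")
        record = {
            "user_id": user_id,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "policy_version": policy_version,
            # Every category is written explicitly; absent means refused (opt-in default).
            "choices": {c: bool(choices.get(c, False)) for c in CATEGORIES},
            "prev_hash": self.prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        self.prev_hash = record["hash"]
        return record

    @staticmethod
    def _digest(record):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        body = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def verify(self):
        """True only if every record hashes correctly and links to its predecessor."""
        prev = GENESIS
        for r in self.records:
            if r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def current_consent(self, user_id):
        # The latest record for the user wins; None if they never made a choice.
        for r in reversed(self.records):
            if r["user_id"] == user_id:
                return r
        return None


def demo():
    """Append two records, then show that editing an old one is detected."""
    log = ConsentLog()
    log.append("u1", {"functional": True}, "policy-2024-01", "2024-06-01T10:00:00+00:00")
    log.append("u1", {"functional": True, "marketing": True}, "policy-2024-02",
               "2024-07-01T10:00:00+00:00")
    intact = log.verify()
    log.records[0]["choices"]["marketing"] = True  # simulated after-the-fact edit
    return intact, log.verify()
```

`current_consent` is what the script-gating code should consult: a script tagged `marketing` loads only if the user's latest record has `choices["marketing"]` set to true.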

Data Subject Rights (DSAR) & Erasure

  • Automated Deletion Workflow (critical)
    Create a script or background job that identifies and deletes all database records associated with a user_id across all tables, including metadata.

  • Data Portability Export Tool (critical)
    Provide a machine-readable export (JSON or CSV) of all personal data stored about a user, accessible via their account settings.

  • Backup Retention Alignment (recommended)
    Ensure that data deleted from production is also purged from database backups within 30 days, or implement a process to skip restoring deleted IDs.

  • Third-Party Deletion Propagation (recommended)
    Configure webhooks to trigger data deletion in integrated third-party tools (e.g., Intercom, Stripe, Postmark) when a user deletes their account.

  • Manual Verification Procedure (critical)
    Document a standard operating procedure for verifying the identity of a user making a manual data request via email before releasing data.
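
The 'Automated Deletion Workflow', 'Data Portability Export Tool' and 'Backup Retention Alignment' items share one problem: every table keyed by a user must be found, exported and purged, and the purge must leave a trace that a later backup restore can honour. This added example (not the checklist author's code) does that against a SQLite schema constructed inline: it discovers the tables carrying a `user_id` column from the catalogue rather than from a hand-maintained list, exports them as JSON, deletes in a single transaction, and records a tombstone. The column and table names are assumptions; object storage, search indexes and caches are out of scope here.

```python
"""Export and erase every row keyed by user_id; keep a tombstone for backup restores."""
import json
import sqlite3

USER_KEY = "user_id"         # assumed foreign-key column used across tables
USERS_TABLE = "users"        # assumed primary record table, keyed by "id"
TOMBSTONES = "erased_users"  # ids a backup-restore job must skip or re-delete


def build_sample_db():
    """Constructed sample schema and rows for the example."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {USERS_TABLE}(id INTEGER PRIMARY KEY, email TEXT, name TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, {USER_KEY} INTEGER, amount REAL);
        CREATE TABLE login_events(id INTEGER PRIMARY KEY, {USER_KEY} INTEGER, ip TEXT);
        CREATE TABLE {TOMBSTONES}({USER_KEY} INTEGER PRIMARY KEY, erased_at TEXT);
        INSERT INTO {USERS_TABLE} VALUES (1,'ana@example.com','Ana'),(2,'bo@example.com','Bo');
        INSERT INTO orders VALUES (10,1,19.9),(11,2,5.0),(12,1,3.5);
        INSERT INTO login_events VALUES (100,1,'203.0.113.7'),(101,2,'198.51.100.9');
    """)
    return db


def tables_keyed_by_user(db):
    """Every table with a user_id column, read from the catalogue so new tables are not missed."""
    found = []
    for (name,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        if name == TOMBSTONES:
            continue
        cols = [row[1] for row in db.execute(f"PRAGMA table_info({name})")]
        if USER_KEY in cols:
            found.append(name)
    return found


def _rows_as_dicts(cur):
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def export_user(db, user_id):
    """All rows stored about the user, grouped by table (the portability export)."""
    data = {USERS_TABLE: _rows_as_dicts(
        db.execute(f"SELECT * FROM {USERS_TABLE} WHERE id=?", (user_id,)))}
    for table in tables_keyed_by_user(db):
        data[table] = _rows_as_dicts(
            db.execute(f"SELECT * FROM {table} WHERE {USER_KEY}=?", (user_id,)))
    return data


def export_user_json(db, user_id):
    return json.dumps(export_user(db, user_id), sort_keys=True, indent=2)


def erase_user(db, user_id, erased_at="2024-06-01T00:00:00Z"):
    """Delete the user from every table atomically and write a tombstone."""
    deleted = {}
    with db:  # one transaction: either every table is purged or none is
        for table in tables_keyed_by_user(db):
            cur = db.execute(f"DELETE FROM {table} WHERE {USER_KEY}=?", (user_id,))
            deleted[table] = cur.rowcount
        cur = db.execute(f"DELETE FROM {USERS_TABLE} WHERE id=?", (user_id,))
        deleted[USERS_TABLE] = cur.rowcount
        db.execute(f"INSERT OR REPLACE INTO {TOMBSTONES} VALUES (?,?)", (user_id, erased_at))
    return deleted


def erased_ids(db):
    """Ids that a restore from an older backup must skip (or delete again after restoring)."""
    return {row[0] for row in db.execute(f"SELECT {USER_KEY} FROM {TOMBSTONES}")}
```

Exporting before erasing is deliberate: the same discovery function feeds both, so a table added to the schema after launch is picked up by the export and the purge together. The tombstone table is the part that makes the 30-day backup window workable: the restore runbook replays `erased_ids` against the restored copy.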

Infrastructure and Data Residency

  • Set EU Data Residency (critical)
    Configure cloud provider regions to store primary databases and object storage (S3) within the European Economic Area (e.g., eu-central-1).

  • Enable Encryption at Rest (critical)
    Verify that AES-256 encryption is enabled for all database volumes, backups, and cloud storage buckets.

  • TLS 1.3 Enforcement (critical)
    Disable legacy SSL/TLS versions; configure load balancers to only accept TLS 1.2 or 1.3 for data in transit.

  • Staging Data Anonymization (recommended)
    Implement a pipeline to scrub or mask PII (emails, names, IPs) when syncing production data to staging or development environments.

  • Network Isolation (recommended)
    Deploy databases in private subnets with no public IP addresses, accessible only via a VPN or an internal application gateway.
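
The 'Staging Data Anonymization' item asks for masking of emails, names and IPs on the way from production to staging. The added example below (not the checklist author's code) shows the masking step of such a pipeline. It pseudonymizes with a keyed HMAC rather than random values, so the same real email always becomes the same fake email and joins, unique constraints and "find this user" debugging still work in staging, while the key (assumed to live only in the sync job, never in staging) is what prevents linking back. IPs are truncated to the network part instead. The column names are assumptions.

```python
"""Deterministic PII masking for a production-to-staging data sync."""
import hashlib
import hmac
import ipaddress

# Column name to PII kind. Assumed names; adapt to the real schema.
PII_COLUMNS = {"email": "email", "name": "name", "full_name": "name", "ip": "ip"}


def _tag(key, value, length=12):
    """Keyed, truncated HMAC-SHA256: stable for one key, unlinkable without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_email(key, email):
    # Case-fold so Ana@Example.com and ana@example.com stay one staging user;
    # .invalid is reserved, so staging can never mail a real person.
    return f"user-{_tag(key, email.strip().lower())}@example.invalid"


def mask_name(key, name):
    return f"Person {_tag(key, name, 6)}"


def mask_ip(ip):
    """Drop the host part: keep the /24 for IPv4 and the /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def mask_row(key, row):
    """Return a copy of one row with every configured PII column masked."""
    out = dict(row)
    for col, kind in PII_COLUMNS.items():
        value = row.get(col)
        if value is None:
            continue
        if kind == "email":
            out[col] = mask_email(key, value)
        elif kind == "name":
            out[col] = mask_name(key, value)
        else:
            out[col] = mask_ip(value)
    return out


def mask_rows(key, rows):
    """What the sync job applies to each batch before writing to staging."""
    return [mask_row(key, r) for r in rows]
```

Run it with a per-environment key that is rotated when staging is rebuilt; a leaked key plus a dictionary of likely emails would otherwise let someone re-identify the pseudonyms.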

Logging and Monitoring

  • PII Scrubbing in Logs (critical)
    Configure application loggers to redact email addresses, passwords, and authorization headers before they are sent to external logging services.

  • Log Retention Policy (recommended)
    Set a TTL (Time To Live) on application and access logs to automatically delete data older than 30-90 days.

  • IP Address Anonymization (recommended)
    Truncate or hash the last octet of user IP addresses in server access logs unless specifically required for security forensics.

  • Admin Access Audit Logs (critical)
    Maintain an immutable log of every instance where an internal employee accesses a user's personal data via an admin panel.

  • Breach Notification Alerting (recommended)
    Configure automated alerts for unusual spikes in data egress or multiple failed login attempts to detect potential breaches early.
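
For the 'PII Scrubbing in Logs' and 'IP Address Anonymization' items, the scrubbing has to happen inside the application before a handler forwards the record to the external service. The added example below (not the checklist author's code) is a `logging.Filter` that redacts emails, password fields and `Authorization` headers and truncates the last IPv4 octet, run over a few constructed log lines. The field names and sample lines are constructed for the example.

```python
"""Log scrubber: redact PII and secrets and truncate IPs before logs leave the app."""
import logging
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# password=..., passwd=..., pwd=... in query strings, and "password": "..." in JSON bodies
PASSWORD = re.compile(r'(?i)("?(?:password|passwd|pwd)"?\s*[:=]\s*"?)([^&\s",]+)')
AUTH_HEADER = re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+")
IPV4 = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b")


def scrub(text):
    """Order matters: credentials first, then emails, then IP truncation."""
    text = AUTH_HEADER.sub(r"\1[REDACTED]", text)
    text = PASSWORD.sub(r"\1[REDACTED]", text)
    text = EMAIL.sub("[EMAIL]", text)
    text = IPV4.sub(r"\1.0", text)  # keep the /24 for abuse analysis, drop the host octet
    return text


class ScrubbingFilter(logging.Filter):
    """Attach to the handler that ships to the external log service."""

    def filter(self, record):
        # Format first so values passed as args are scrubbed too, then freeze the message.
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def scrubbed_record_message(msg, *args):
    """Run one record through the filter and return what a handler would emit."""
    rec = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    ScrubbingFilter().filter(rec)
    return rec.getMessage()


SAMPLE_LINES = [  # constructed sample log lines
    "POST /login user=ana@example.com password=hunter2 from 203.0.113.45",
    "Authorization: Bearer eyJhbGciOi.abc.def status=401 ip=198.51.100.9",
    '{"email": "bo@example.org", "password": "s3cr3t!", "ip": "192.0.2.77"}',
]


def scrub_all(lines=SAMPLE_LINES):
    return [scrub(line) for line in lines]


if __name__ == "__main__":
    for line in scrub_all():
        print(line)
```

Two caveats a practitioner should keep in mind: the IPv4 pattern also truncates any dotted quad that is not an address (a version string such as 1.2.3.4), and a filter on the handler only covers records that pass through that handler, so exception tracebacks and uncaught-error hooks that bypass it need the same treatment.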

Vendor and Sub-processor Management

  • Inventory of Sub-processors (critical)
    Maintain a public-facing list of all third-party services that process user data, including their location and purpose.

  • DPA Execution (critical)
    Verify that a Data Processing Agreement (DPA) is signed and on file for every third-party service in the stack (e.g., AWS, Supabase, Postmark).

  • SCC Verification for US Vendors (critical)
    For US-based vendors, ensure Standard Contractual Clauses (SCCs) are included in the DPA to address Schrems II requirements.

  • SDK Privacy Audit (recommended)
    Audit all client-side SDKs to ensure they do not automatically collect device identifiers or location data without explicit user consent.

  • Email Marketing Opt-out Sync (critical)
    Ensure that 'Unsubscribe' actions in marketing emails immediately sync to the user's status in the primary application database.