Data Privacy & Security Compliance Checklist

Map personal data flowsDue: Before launching a product or feature

Inventory systems that collect, process, and store customer or employee data.

Publish a compliant privacy policyDue: Before collecting personal data

Disclose collection practices, lawful bases, and user rights for key jurisdictions.

Implement cookie consent controlsDue: Before enabling tracking technologies

Configure banners and preference centers for analytics and advertising tools.

Execute data processing agreementsDue: Before sharing data with each vendor

Sign DPAs with vendors that access or store regulated personal data.

Set up data subject request workflowsDue: Within 30 days of launch

Create intake forms and response playbooks for access, deletion, and opt-out requests.

Enable MFA and role-based accessDue: Immediately for critical accounts

Protect admin tools and production systems with multi-factor authentication.

Perform security risk assessmentsDue: Annually or after major changes

Review technical and organizational safeguards to close high-risk gaps.

Document an incident response planDue: Before storing sensitive data

Define roles, communications, and escalation paths for potential breaches.

Set retention and deletion schedulesDue: Before storing regulated data

Specify how long to keep different data categories and automate purges.

Log and report security incidentsDue: Within 72 hours of discovering a reportable breach

Track incidents and notify regulators or users within statutory timeframes.