What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

Do I need GDPR compliance if I'm a US company?

Yes if you offer goods/services to EU residents OR monitor their behaviour. No exception for size or industry.

What's the difference between Controller and Processor?

Controller decides purposes/means of processing. Processor processes on Controller's behalf (e.g., your SaaS = Processor for customer data, Controller for your own employees).

When is a DPO mandatory?

Public authority, large-scale systematic monitoring, or large-scale special-category processing. Many companies appoint voluntarily for credibility.

Can I transfer data to US vendors?

Yes — via 2021 SCCs + Transfer Impact Assessment, or by relying on the EU–US Data Privacy Framework (where the vendor is certified).

GDPR Compliance Checklist 2026 — 35 Steps (Articles 5–49) Audit-Ready

The checklist

Foundations

1

Determine if GDPR applies (territorial scope)

critical

Art. 3 — applies if established in EU, OR processing EU residents' data via offer of goods/services OR monitoring behaviour.

→ Art. 3

2

Appoint a Data Protection Officer (DPO) if required

high

Art. 37 — required for public authorities, large-scale monitoring, or large-scale special-category processing.

→ Art. 37–39

3

Appoint an Article 27 representative if you're outside EU

high

Required for non-EU controllers/processors offering goods/services to EU residents.

→ Art. 27

Records

4

Maintain a Record of Processing Activities (ROPA)

critical

Art. 30 — list every processing activity: purpose, lawful basis, categories of data/subjects, recipients, transfers, retention, security.

→ Art. 30

5

Document lawful basis for every processing activity

critical

Art. 6 — one of: consent, contract, legal obligation, vital interests, public task, legitimate interests.

→ Art. 6

6

Conduct a Legitimate Interests Assessment (LIA) where used

high

3-part test: legitimacy, necessity, balancing. Document the analysis.

→ Art. 6(1)(f)

Special Categories

7

Identify special-category data and second lawful basis (Art. 9)

critical

Race, health, biometrics, etc. require Art. 6 AND Art. 9 basis (e.g., explicit consent).

→ Art. 9

Transparency

8

Publish a layered, plain-language privacy notice (Art. 13/14)

critical

Identity, contact, DPO, purposes, lawful basis, recipients, retention, rights, complaints.

→ Art. 13, 14

9

Just-in-time notices at collection points (signup, checkout, forms)

high

Short notice + link to full notice; consent boxes unticked by default.

→ Art. 13, Art. 7(2)

Consent

10

Cookie banner: granular, reject-all equally prominent, no pre-ticked boxes

critical

Required by e-Privacy + GDPR; CNIL & ICO have fined for non-compliance.

→ Art. 7, e-Privacy

11

Maintain proof of consent (timestamp, version, mechanism)

high

Required to demonstrate Art. 7(1) — you must be able to show how consent was obtained.

→ Art. 7

Rights

12

Documented DSAR workflow with 1-month SLA

critical

Right of access, rectification, erasure, restriction, portability, objection. 1 month extendable to 3.

→ Art. 12–22

13

Identity verification process for DSARs (no over-disclosure)

high

Reasonable means to verify; avoid demanding passport scans unless justified.

→ Art. 12(6)

14

Erasure workflow includes deletion from backups + third-party processors

high

Document any technical limits (e.g., immutable backups rotate within X days).

→ Art. 17

DPIA

15

Conduct a DPIA for any high-risk processing

critical

Art. 35 — required for systematic monitoring, large-scale special category, automated decision-making.

→ Art. 35

16

Consult supervisory authority if DPIA shows unmitigated high risk

high

Art. 36 — prior consultation; response within 8 weeks.

→ Art. 36

Controller/Processor

17

Sign Data Processing Agreements (DPAs) with every Processor

critical

Art. 28 — written contract with mandatory terms (security, subprocessors, breach, audit, deletion).

→ Art. 28

18

Maintain subprocessor list — notify Controllers of changes (Art. 28(2))

high

Public page or change-log; allow Controllers to object.

→ Art. 28(2)

Security

19

Implement Article 32 technical & organisational measures

critical

Encryption, pseudonymisation, integrity, availability, resilience, testing.

→ Art. 32

20

Test, assess & evaluate security measures regularly

high

Pen test, vulnerability scans, table-tops — documented results + remediation.

→ Art. 32(1)(d)

Breach

21

72-hour breach notification process to supervisory authority

critical

Art. 33 — even partial info; full investigation can follow.

→ Art. 33

22

Communicate to data subjects 'without undue delay' for high-risk breaches

critical

Art. 34 — plain language; mitigation actions; contact for questions.

→ Art. 34

23

Maintain internal breach register (even sub-72h breaches)

high

Art. 33(5) — facts, effects, remedial action; auditor will request the log.

→ Art. 33(5)

Transfers

24

Map all international transfers (where data physically goes)

critical

Schrems II — adequacy decision, SCCs (2021), BCRs, or derogations (Art. 49).

→ Ch. V

25

Execute 2021 SCCs / UK IDTA / Swiss-SCC addendum

high

Old 2010 SCCs invalid since Dec 27 2022. Use modular 2021 SCCs.

→ Art. 46

26

Conduct a Transfer Impact Assessment (TIA)

high

Schrems II — assess third-country law + supplementary measures (encryption, pseudo).

→ Art. 46

Vendors

27

Annual vendor security/privacy review with documented evidence

high

Tier-1 vendors: SOC 2 / ISO 27001 / pen test on file.

→ Art. 28(1)

Children

28

Age-verification + parental consent for under-16s (under-13 in UK)

high

Art. 8 — under-16 default; member states can lower to 13.

→ Art. 8

Automated

29

Document logic, significance & consequences for any automated decisions

high

Art. 22 — including profiling with legal/significant effects.

→ Art. 22

Governance

30

Privacy training for all employees annually

high

Particularly customer-facing and engineering teams.

→ Accountability principle

31

Privacy-by-design & default embedded in product/feature reviews

high

Art. 25 — minimisation, purpose limitation built into specs.

→ Art. 25

32

Data retention policy with auto-deletion implemented

high

Art. 5(1)(e) — storage limitation; orphan-data sweeps documented.

→ Art. 5(1)(e)

Marketing

33

B2C marketing: prior opt-in; B2B: legitimate interest + unsubscribe in every email

high

PECR / e-Privacy + GDPR. Honor unsubscribe within 24h.

→ e-Privacy

Documentation

34

Maintain a Data Protection by Design record per product feature

high

Specs note: lawful basis, data categories, retention, transfers, deletion paths.

→ Art. 25

Continuous

35

Annual GDPR audit + monthly DPO/Privacy Council review

high

Standing agenda: open DSARs, breaches, vendor changes, new processing.

→ Accountability

GDPR Compliance Checklist — 35 Steps (Articles 5–49)

The checklist

Foundations

Records

Special Categories

Transparency

Consent

Rights

DPIA

Controller/Processor

Security

Breach

Transfers

Vendors

Children

Automated

Governance

Marketing

Documentation

Continuous

Pitfalls — where teams actually fail

Real enforcement actions for GDPR

FAQ

Other checklists