KOLOSALTech

GDPR self-audit for SMEs: 30 actionable checklist items 2026

·9 min read

Self-audit GDPR for SMEs in 30 points: registry, notices, cookies, rights, security, subprocessors. Identify your gaps in 2 hours.

GDPR turned 8 in 2026 (it has applied since 25 May 2018), yet many SMEs are still only partially compliant. This 30-point self-audit lets you identify your gaps quickly and build a corrective action plan.

Section 1 — Records of processing (5 points)

  • 1. Written records of processing exist and are up to date (downloadable CNIL template)
  • 2. All processing activities identified (HR, customers, prospects, suppliers, video surveillance, vehicle geolocation)
  • 3. For each processing activity: purpose, legal basis, data categories, recipients, retention period, transfers outside the EU and, as Art. 30 asks where possible, a general description of the security measures
  • 4. Records reviewed at least annually
  • 5. Records available immediately in case of a CNIL inspection

Section 2 — Information of individuals (5 points)

  • 6. Complete legal notices on the website (publisher, host, contact)
  • 7. Privacy policy accessible from the footer (direct link)
  • 8. GDPR notice on all collection forms (contact, newsletter, quote)
  • 9. GDPR notice on invoices (e.g. "Your data is processed for accounting purposes…")
  • 10. GDPR notice in team email signatures (option recommended by the CNIL)

Section 3 — Cookies & trackers (3 points)

  • 11. Consent banner on the website (refusing must be as easy as accepting)
  • 12. Cookies blocked before consent (except strictly necessary cookies and audience-measurement cookies that meet the CNIL exemption conditions)
  • 13. "Cookie policy" page listing each cookie with its purpose and lifetime

Section 4 — Rights of individuals (5 points)

  • 14. Documented procedure to handle access, rectification, erasure, restriction, portability and objection requests
  • 15. Dedicated email address (rgpd@... or dpo@...) publicly communicated
  • 16. One-month response deadline respected (extendable by two further months for complex or numerous requests, provided the person is told within the first month; proof: request register)
  • 17. Identity verification procedure for the requester, proportionate to the sensitivity of the request
  • 18. Effective deletion verifiable (including backups; if backups cannot be purged selectively, document their retention cycle and make sure data restored from them is deleted again)
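The request register behind items 14 to 18 is easy to get wrong on the deadline arithmetic: "one month" is a calendar month, so a request received on 31 January is due on 28 (or 29) February, and an Art. 12(3) extension adds two further months only if the person was told within the first month. The following Python script is an added illustration, not code from the original page or from KOLOSALTech; the class and function names (`RightsRequest`, `audit_requests`) and the request entries at the bottom are constructed for the example.

```python
"""Data-subject request register with GDPR Art. 12(3) deadline tracking.

Added example, not part of the original checklist. All request entries
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import calendar

# Rights listed in items 14: restriction (Art. 18) is included for completeness.
RIGHTS = {"access", "rectification", "erasure", "restriction",
          "portability", "objection"}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to month end.

    31 Jan + 1 month -> 28 Feb (29 Feb in a leap year), 30 Nov + 3 -> 28 Feb.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class RightsRequest:
    ref: str
    right: str
    received: date                      # date the request reached the company
    identity_verified: bool = False     # item 17
    extended: bool = False              # Art. 12(3): +2 months for complex requests
    extension_notified: Optional[date] = None
    closed: Optional[date] = None       # date the answer was sent

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right: {self.right}")

    def deadline(self) -> date:
        # One month from receipt, three in total when an extension was invoked.
        return add_months(self.received, 3 if self.extended else 1)


def audit_requests(requests: List[RightsRequest], today: date
                   ) -> List[Tuple[str, str, date, List[str]]]:
    """Return (ref, status, deadline, warnings) for every request.

    status: 'on time' / 'late' for closed requests, 'open' / 'overdue' otherwise.
    """
    rows = []
    for r in requests:
        dl = r.deadline()
        warnings = []
        if r.closed is not None:
            status = "on time" if r.closed <= dl else "late"
        elif today > dl:
            status = "overdue"
        else:
            status = "open"
        # An extension is only valid if the person was informed within the first month.
        if r.extended and (r.extension_notified is None
                           or r.extension_notified > add_months(r.received, 1)):
            warnings.append("extension not notified within the first month")
        if r.closed is None and not r.identity_verified:
            warnings.append("identity not verified")
        rows.append((r.ref, status, dl, warnings))
    return rows


# Constructed sample register (not real requests).
SAMPLE_REQUESTS = [
    RightsRequest("DSR-001", "access", date(2026, 1, 31), True,
                  closed=date(2026, 2, 20)),
    RightsRequest("DSR-002", "erasure", date(2026, 2, 1), True),
    RightsRequest("DSR-003", "portability", date(2026, 1, 31), True,
                  extended=True, extension_notified=date(2026, 2, 15)),
    RightsRequest("DSR-004", "objection", date(2026, 3, 10)),
]

if __name__ == "__main__":
    for ref, status, dl, warnings in audit_requests(SAMPLE_REQUESTS, date(2026, 3, 15)):
        print(f"{ref}: {status:8} due {dl.isoformat()} {'; '.join(warnings)}")
```

Run it as-is to see the register audited as of 15 March 2026: DSR-002 (received 1 February, due 1 March, still open) is flagged overdue, while the extended DSR-003 is still within its 30 April deadline. Keeping `received`, `closed` and `extension_notified` as dated fields is what gives you the proof the CNIL asks for in item 16.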

Section 5 — Security (6 points)

  • 19. MFA mandatory on all admin accounts (M365, AD, VPN, hosting provider)
  • 20. Encryption of data at rest on servers and workstations (BitLocker, FileVault, LUKS)
  • 21. Encryption of data in transit (TLS 1.2 or higher on all services, TLS 1.0/1.1 disabled)
  • 22. Backups tested monthly (at least one file restore, recorded in writing)
  • 23. Documented breach procedure: internal breach register, CNIL notification within 72 hours of becoming aware of a breach, and notification of the affected persons when the breach is likely to result in a high risk to them
  • 24. Antivirus / EDR up to date on all workstations

Section 6 — Subprocessors (3 points)

  • 25. List of subprocessors up to date (hosting provider, CRM, ERP, payroll, office software, etc.)
  • 26. GDPR data processing agreement (DPA, Art. 28) signed with each subprocessor
  • 27. Verification that subprocessors are in the EU or offer adequate guarantees (standard contractual clauses with a transfer impact assessment, or, for US providers, the EU-US Data Privacy Framework)

Section 7 — Governance (3 points)

  • 28. DPO designation (mandatory when core activities involve large-scale regular and systematic monitoring, large-scale processing of sensitive or criminal data, or when you are a public body; recommended otherwise)
  • 29. Annual team awareness training (proof: attendance sheet or e-learning certificate)
  • 30. Data protection impact assessment (DPIA) for high-risk processing (e.g. video surveillance, customer scoring)

Score & prioritization

Count your compliant points:

  • 27-30: advanced compliance. External audit recommended for validation
  • 20-26: partial compliance. 90-day action plan to close the gaps
  • 10-19: fragmented compliance. Real exposure if the CNIL audits you. Urgent action
  • < 10: critical non-compliance. Start a full compliance programme from scratch immediately

Conclusion

This self-audit takes about 2 hours. It does not replace an external audit by a certified DPO, but it lets you identify priority actions quickly. KOLOSALTech supports SMEs with GDPR compliance: audit, records of processing, procedures, team training, outsourced DPO. See also /security for our own internal commitments.

Tags: GDPR, Compliance, Audit, SME