The Complete GDPR Compliance Checklist for PostgreSQL (2026)

Complete 28-item GDPR compliance checklist for PostgreSQL. Maps Articles 5-35 to specific database functions and evidence.

Robert Langner
Managing Director, NILS Software GmbH

The Complete Checklist

Data Processing Principles (Article 5)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 1 | Data minimization — collect only necessary data | minimization_report() | |
| 2 | Storage limitation — retention policies for all PII | retain(), enforce_retention() | |
| 3 | Accuracy — PII is current and correct | schema_drift(), pii_registry | |
| 4 | Accountability — prove compliance | verify_audit(), checklist() | |

Lawful Processing (Articles 6-7)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 5 | Document legal basis per processing purpose | define_purpose() | |
| 6 | Record consent with evidence | grant_consent() | |
| 7 | Enable consent withdrawal | withdraw_consent() | |
| 8 | Check consent before processing | has_consent() | |

Data Subject Rights (Articles 12-20)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 9 | Right of access (Subject Access Request) | inspect() | |
| 10 | Right to rectification | Standard SQL UPDATE | |
| 11 | Right to erasure | forget(), verify_forget() | |
| 12 | Right to data portability | export_user_data() | |
| 13 | Right to restriction of processing | grant_consent() / withdraw_consent() | |

Security (Articles 25, 32)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 14 | Data protection by design | health_check(), quick_setup() | |
| 15 | Encryption in transit | health_check() SSL_ENFORCED | |
| 16 | Access control | access_map(), enable_rls() | |
| 17 | Data masking | mask() | |
| 18 | Password policy | set_password_policy() | |
| 19 | Regular security assessment | schedule_jobs() | |

Records and Documentation (Article 30)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 20 | PII inventory | classify(), pii_registry | |
| 21 | Data classification | auto_classify(), classification_map() | |
| 22 | Data lineage | pii_lineage() | |
| 23 | Processing records | consent_purposes(), audit_log | |

Breach Management (Articles 33-34)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 24 | Breach detection | schema_drift(), health_check() | |
| 25 | Breach documentation | report_breach() | |
| 26 | 72-hour DPA notification | breach_status() | |
| 27 | Subject notification (high risk) | update_breach() | |

Impact Assessment (Article 35)

| # | Requirement | pgcomply Function | Status |
|---|-------------|-------------------|--------|
| 28 | Data Protection Impact Assessment | classification_map(), access_map() | |

Tracking Progress

```sql
SELECT * FROM pgcomply.checklist('gdpr');
SELECT * FROM pgcomply.checklist_progress('gdpr');
```

Summary

This checklist maps every database-relevant GDPR requirement to a specific pgcomply function. Use it as your compliance roadmap: implement the highest-priority items first (erasure, security, audit trail), then work through the remaining items systematically. Track progress via pgcomply.checklist('gdpr').

Frequently Asked Questions

Do I need to implement all 28 items?
Not all items apply to every organization. Some (like Article 37, DPO appointment) depend on your size and processing type. But the core items — data inventory, erasure capability, security measures, consent tracking, and audit trail — apply to virtually every organization processing EU personal data.
How do I demonstrate compliance to an auditor?
Run pgcomply.checklist('gdpr') to show your current status. For each implemented item, the evidence column links to the SQL function that demonstrates compliance. The auditor can verify by running the function. The immutable audit trail provides historical evidence of ongoing compliance.