5 June 2026

A GDPR Readiness Checklist for Mid-Market Companies

GDPR enforcement against mid-market companies rarely starts with a regulator. It starts with a customer security questionnaire, an M&A due-diligence request, or a breach you have 72 hours to report. Having led GDPR alignment for a European group in collaboration with Big Four audit firms, I can give you the short version of what “ready” actually means.

The seven questions

1. Do you know what personal data you hold, and where? A data inventory — systems, categories, locations, retention. If this doesn’t exist, everything else is guesswork.

2. Do you have a lawful basis documented for each processing activity? The processing register (Article 30) is the document auditors ask for first.

3. Can you honor a deletion or access request within a month? Not in theory — operationally. Who receives it, who executes it, and how do you prove completion?

4. Are your processors under contract? Every SaaS tool touching personal data needs a data processing agreement. Most companies are surprised by how many tools that is.

5. Would you detect a breach, and could you report it in 72 hours? Detection capability plus an incident-response plan with names, not just roles.

6. Is data leaving the EU/EEA, and on what terms? Transfer mechanisms for US-based tooling remain a moving target; someone has to track it.

7. Can you show your work? GDPR is an evidence regime. Policies nobody follows are worse than no policies — they document negligence.

Where to start

Don’t start with a 40-page policy. Start with the inventory (question 1) and the processing register (question 2) — two working sessions with the right people in the room. The rest builds on that foundation in priority order.

Governance & Compliance is one of the four pillars in my free IT maturity assessment — three minutes will tell you whether this checklist is urgent or merely important for you.
