A condensed list to attach to PR templates and IaC module READMEs. Each item maps back to a section above; failing one is not automatically a GDPR violation, but it is a question you will have to answer.
- No
*in IAM actions or resources on this change (3.1) - No standing human access to production personal data added (3.1)
- Workload identity used; no static cloud keys introduced (3.1, 3.3)
- TLS 1.2+ enforced on every new listener, mTLS where in-cluster (3.2)
- All new data stores encrypted with a CMK scoped to the data class (3.2)
- No secrets in code, images, Helm values, or CI variables (3.3)
- Secret rotation policy defined for any new secret (3.3)
- No personal data in new log lines, traces, or metric labels (3.4)
- Log retention configured explicitly on any new log group / workspace (3.4)
- If consent is the legal basis: ledger writes are server-side, versioned, append-only (3.5)
- If consent withdrawal is supported: downstream propagation tested (3.5)
- New external vendor: inventory updated, DPA confirmed, egress allow-listed (3.6)
- New LLM/AI dependency: training opt-out, retention, region verified at procurement (3.6)