Lawful basis (consent or legitimate interests), clear privacy notice, data minimisation, 12-36 month retention with review, data-processor contracts with all vendors.
Checklist
- Lawful basis declared per data flow
- Privacy notice linked from every form
- Data minimisation: only collect what you use
- Retention policy: 12-36 months default, document exceptions
- Processor agreements with Meta, Google, CRM, email
- DSAR workflow under 30 days
Overlap with PECR
Email/SMS marketing rules are stricter than GDPR; get both right.