Template

Product Compliance Checklist GDPR, HIPAA, SOC2

A comprehensive compliance checklist covering the three most common regulatory frameworks for product teams. Use it to check your product requirements before development starts, verify your implementation before launch, or let Vantage automate compliance checking against your actual specifications.

Why product teams need to own compliance

Compliance is traditionally owned by legal or security teams. But the decisions that determine whether a product is compliant happen during product development: what data to collect, how to store it, who can access it, and how long to retain it. By the time a compliance officer reviews the product, these decisions are already baked into the code. Changing them after launch is expensive and disruptive.

Product managers who understand compliance requirements can build them into PRDs from the start. When a user story says "As a user, I want to export my data," that is not just a feature request. It is a GDPR Article 20 requirement (right to data portability). When a requirement says "Log all access to patient records," that is a HIPAA technical safeguard. Knowing this during planning means the engineering team builds it right the first time.

This checklist covers GDPR (data protection for EU residents), HIPAA (healthcare data protection in the US), and SOC2 (security trust principles for service organizations). Each section includes specific, actionable items that product and engineering teams can evaluate against their own product. Use it as a planning tool during PRD creation, a verification tool before release, or a baseline for ongoing compliance monitoring.

$4.45M

Average cost of a data breach in 2023 (IBM Security)

5-10x

Cost multiplier of fixing compliance issues after launch vs. during planning

277 days

Average time to identify and contain a data breach (IBM Security)

The complete compliance checklist

Three regulatory frameworks with categorized requirements. Review each item against your product specifications and implementation.

GDPR (General Data Protection Regulation)

Lawful Basis for Processing

  • Identify and document the lawful basis for each type of personal data processing
  • Implement consent collection mechanisms where consent is the lawful basis
  • Provide a clear and accessible privacy notice explaining data processing activities
  • Ensure consent is freely given, specific, informed, and unambiguous
  • Implement mechanisms for users to withdraw consent at any time

Data Subject Rights

  • Right to access: Users can request a copy of their personal data
  • Right to rectification: Users can correct inaccurate personal data
  • Right to erasure: Users can request deletion of their personal data
  • Right to data portability: Users can export their data in a machine-readable format
  • Right to restriction: Users can limit how their data is processed
  • Right to object: Users can object to processing based on legitimate interests
  • Respond to all data subject requests within 30 days

Data Protection by Design

  • Minimize personal data collection to what is strictly necessary
  • Implement pseudonymization or anonymization where possible
  • Encrypt personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Implement access controls limiting who can view personal data
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Maintain a Record of Processing Activities (ROPA)

Data Transfers

  • Identify all cross-border data transfers
  • Implement Standard Contractual Clauses (SCCs) for transfers outside the EEA
  • Conduct Transfer Impact Assessments for each cross-border transfer
  • Document the legal mechanism used for each international transfer

Breach Notification

  • Implement a data breach detection and response plan
  • Notify the supervisory authority within 72 hours of becoming aware of a breach
  • Notify affected data subjects without undue delay when there is high risk
  • Document all breaches, including those that do not require notification

HIPAA (Health Insurance Portability and Accountability Act)

Administrative Safeguards

  • Designate a Security Officer responsible for HIPAA compliance
  • Conduct a comprehensive risk analysis of all systems handling PHI
  • Implement a risk management plan addressing identified vulnerabilities
  • Develop and enforce workforce security policies and procedures
  • Implement workforce training on HIPAA requirements and security practices
  • Establish sanctions for workforce members who violate HIPAA policies
  • Review information system activity logs regularly

Physical Safeguards

  • Implement facility access controls for areas where PHI is stored or processed
  • Maintain policies for workstation use and physical security
  • Implement device and media controls for hardware containing PHI
  • Ensure proper disposal of hardware and electronic media containing PHI

Technical Safeguards

  • Implement unique user identification for all users accessing PHI
  • Implement emergency access procedures for PHI during emergencies
  • Enable automatic logoff after periods of inactivity
  • Encrypt all PHI in transit and at rest
  • Implement audit controls recording access to PHI
  • Implement integrity controls ensuring PHI is not improperly altered or destroyed
  • Implement person or entity authentication for PHI access

Business Associate Agreements

  • Identify all business associates who handle PHI on your behalf
  • Execute Business Associate Agreements (BAAs) with all business associates
  • Review BAAs annually and update when relationships change
  • Ensure business associates implement appropriate safeguards

Breach Notification

  • Implement a breach notification policy compliant with the HITECH Act
  • Notify affected individuals within 60 days of discovering a breach
  • Notify HHS of breaches affecting 500+ individuals within 60 days
  • Notify HHS of breaches affecting fewer than 500 individuals annually
  • Notify prominent media outlets for breaches affecting 500+ individuals in a state

SOC2 (Service Organization Control 2)

Security (Common Criteria)

  • Implement logical and physical access controls
  • Define and enforce password policies (complexity, rotation, MFA)
  • Implement network security controls (firewalls, IDS/IPS, segmentation)
  • Perform regular vulnerability assessments and penetration testing
  • Implement change management procedures for all system changes
  • Establish incident response procedures and test them regularly
  • Monitor system components for security events and anomalies

Availability

  • Define and publish service level agreements (SLAs) for uptime
  • Implement monitoring and alerting for system performance
  • Establish disaster recovery and business continuity plans
  • Test backup and recovery procedures at least quarterly
  • Implement capacity planning to prevent resource exhaustion
  • Document system architecture and redundancy measures

Processing Integrity

  • Implement input validation for all data entry points
  • Establish quality assurance procedures for system outputs
  • Monitor processing for errors, omissions, and unauthorized modifications
  • Define and enforce data processing policies
  • Implement error handling and correction procedures

Confidentiality

  • Classify data by sensitivity level
  • Implement encryption for confidential data in transit and at rest
  • Restrict access to confidential data on a need-to-know basis
  • Implement secure data disposal procedures
  • Monitor for unauthorized access to confidential data
  • Include confidentiality obligations in employment and vendor agreements

Privacy

  • Publish a privacy notice describing data collection and use practices
  • Obtain consent for personal data collection where required
  • Implement mechanisms for individuals to access, correct, and delete their data
  • Limit data retention to the period necessary for the stated purpose
  • Implement procedures for responding to privacy inquiries and complaints

How Vantage automates compliance checking

Instead of manually reviewing a checklist, let Vantage analyze your product requirements against regulatory standards automatically.

01

Requirement-level analysis

Vantage checks each requirement in your PRD against GDPR, HIPAA, SOC2, CCPA, PCI-DSS, and WCAG standards. It flags specific requirements that may not meet regulatory standards and explains why.

02

Traced to your data

Every compliance flag traces to the specific requirement and data source in your decision graph. You can see exactly which PRD section triggered the concern and what data is involved.

03

Pre-development checking

Run compliance checks before development starts, not after. Catching a missing data retention policy in the PRD stage costs hours. Catching it after launch costs weeks and legal fees.

04

Continuous monitoring

When requirements change or new regulations are published, Vantage flags affected items in your decision graph. You review the changes, update your requirements, and maintain compliance without starting from scratch.

Related templates

Frequently asked questions

Automate compliance checking with Vantage

Check your product requirements against GDPR, HIPAA, SOC2, and more before development starts. Every flag traces to the requirement that triggered it. Free to start.

Free to start. No credit card required.