Skip to content
Guide 8 min read

From intake to audit trail: the complete compliance checklist for your platform

As a lead generator you are not running a single process: you are running a platform where publishers supply and buyers receive, and at every node it must be clear on which legal basis you process, what you share and what you can demonstrate. One weak link, at a single publisher or a single buyer, makes the whole operation vulnerable.

This guide walks through that chain step by step, from the perspective of the operator running the platform. For each phase we explain what is at stake from a compliance standpoint and give a concrete checklist you can tick off straight away, platform-wide, across all your publishers and labels. It is written from the practice of lead processing under the GDPR: not as theory, but as a workable overview of what must be demonstrably in order.

The common thread is the accountability that sits with you as the operator. The GDPR requires not only that you do it right, but that you can prove it, for every lead that passes through your platform. Anyone who only tries to reconstruct provenance and consent, quality and delivery afterwards is, by definition, missing the steps that were not recorded. So build accountability into your platform, at exactly the moments covered below.

1

Intake & sources

Compliance does not start at delivery to a buyer: it starts the first second a request lands on your platform. That is the moment you determine whether a lead can be processed lawfully at all, and anything you miss here can never be reconstructed later. A request without a recorded source is a request without evidence, no matter how many publishers are active on your platform.

Start by mapping the channels through which leads reach your operation: your own forms, publisher landing pages, partner APIs, import files or telephony. Each channel has its own risk profile. A publisher you have onboarded and manage yourself is easier to account for than a batch import from an unknown third party. Make sure you know, per channel and per publisher, who supplies the data and under which agreements.

Checklist

  • All intake channels (form, publisher landing pages, API, import, telephony) are inventoried and documented.
  • For each channel and each publisher it is known who the supplying party is and which agreements apply.
  • Import files and API deliveries are validated on arrival for format and required fields.
  • Unknown or unonboarded sources are rejected rather than silently processed.
  • The intake moment (time and channel) is automatically recorded for every request, platform-wide.
Read more about lead intake
2

Recording provenance

Provenance is the answer to the question: where does this request come from and how did it come about? For a supervisory authority, a buyer, or a data subject asking for an explanation, this is the heart of your accountability as a lead generator. Without traceable provenance, a lead is, in legal terms, a black box, and that risk sits with you as the operator of the platform, not with the individual publisher.

So record more than just a source name. Think of the specific landing page or campaign, the publisher that supplied the request, the time, the IP address or the technique used to make the request, and any intermediaries involved. The richer your provenance data per publisher, the stronger your position when a lead is disputed or a complaint comes in.

Checklist

  • For each request the exact source is recorded: channel, campaign, landing page or publisher.
  • The time of arrival is recorded immutably.
  • When passed on via a publisher or partner, the full chain is traceable back to the original source.
  • Technical context (such as origin URL or referrer) is retained where relevant and proportionate.
  • Provenance data is linked to the lead and cannot be altered unnoticed afterwards, not even by the publisher itself.
View consent & provenance
4

Verification & quality

A lawful lead is not automatically a usable lead. Verification checks whether the data is correct and consistent before it is routed to a buyer: does the email address exist, is the phone number valid, does the request match the source, and are there signals of fraud or duplicate entry? Quality at the gate prevents you from passing on incorrect or fraudulent data under your own label, which is both a compliance and a reputational risk for your entire lead network.

The accuracy principle of the GDPR requires that you work with data that is correct and traceable. So record not only the outcome of a check, but also that a check was performed, and which publisher supplied the lead. That way you can demonstrate later, to a buyer or a supervisory authority, that every delivered lead met a quality threshold, regardless of which publisher supplied it.

Checklist

  • Email and phone number are validated on format and, where possible, on existence.
  • Requests are checked for consistency and for signals of fraud or duplicate entry, including across publishers.
  • Leads that do not meet the quality threshold are rejected rather than delivered.
  • The outcome of each verification step is recorded with the lead.
  • Validation rules are documented platform-wide, so rejections are explainable and repeatable.
More about verification & consent
5

Matching & data minimisation

Matching determines which buyer receives a lead. From a compliance perspective the central rule here is: do not share more than necessary and not with more parties than the consent was given for. Data minimisation means a buyer only receives the fields they need for their purpose, not the full profile just because it happens to be available in your system.

Also guard purpose limitation: a lead collected via a publisher for purpose A may not simply be passed to another buyer for purpose B. Matching rules should stay within the bounds of the consent given. Make those bounds explicit in your routing logic, so a processing operation never accidentally steps outside the agreed framework, not even when you run multiple labels or verticals on a single platform.

Checklist

  • Buyers receive only the data fields that are necessary for their purpose.
  • Matching rules respect the bounds of the consent given and the original purpose.
  • A lead is not shared with more or different recipients than communicated, regardless of how many buyers are active on the platform.
  • Non-essential fields are not sent along or are anonymised beforehand.
  • The applied matching rules are documented and traceable per delivery.
View matching & routing
6

Routing

Routing is the actual moment of sharing: the lead leaves your platform and reaches a buyer. This is a processing operation with legal weight, because this is where the transfer you promised the data subject takes place. Every delivery must therefore be traceable: who received what, when, via which publisher it was supplied, and on which basis.

Treat a failed or duplicate delivery just as carefully as a successful one. A lead that accidentally goes to two different buyers can be a breach of purpose limitation and directly affects the reliability of your entire lead network. Record the status of every delivery (delivered, rejected, in dispute) so your accountability matches what actually happened, platform-wide and per buyer.

Checklist

  • Every delivery is recorded with recipient, time, delivered fields and status.
  • Duplicate or unintended deliveries are prevented or flagged, including across publishers and labels.
  • The basis on which delivery occurs is linked to every routing action.
  • Failed deliveries are recorded and not silently ignored.
  • The delivery status (delivered, rejected, in dispute) is visible at any moment in your dashboard.
How routing works
7

Audit trail

The audit trail is the backbone of your accountability as an operator. The GDPR requires not only that you process carefully, but that you can demonstrate it, for every lead, from every publisher, to every buyer. An audit trail that records every processing step immutably, from intake and consent to matching, delivery and deletion, turns “we do it right” into “here is the evidence”, regardless of how many parties come together on your platform.

A usable audit trail is complete, immutable and exportable. Complete, so there are no gaps in the chain, not even between publisher and buyer. Immutable, so the evidence is reliable. Exportable, so you can actually produce it on request or under audit, to a buyer or a supervisory authority. Anyone who only tries to assemble the audit trail afterwards is, by definition, missing the steps they did not log.

Checklist

  • Every processing step (intake, consent, verification, matching, delivery, deletion) is logged.
  • Log entries are immutable and carry a timestamp and, where relevant, an actor or publisher.
  • The audit trail can be consulted per lead and across the entire chain, from publisher to buyer.
  • Logs are exportable as evidence towards a supervisory authority, buyer or data subject.
  • There are no gaps in the chain: from first arrival to final status, everything is traceable, platform-wide.
View the audit trail
8

Retention periods

The storage limitation principle requires that you do not keep personal data longer than necessary for the purpose. In practice that means: a period per lead status, and automatic deletion once that period is reached, across all your publishers and buyers. A rejected lead should not stay around as long as a delivered lead with an ongoing guarantee towards a buyer.

Make retention periods concrete and enforce them actively at the platform level. Manual cleanup is forgotten sooner or later, especially as volume grows; automated expiry runs according to policy. Deletion is a real processing operation: the data actually disappears from active storage, while the audit trail records that and when a record expired.

Checklist

  • Each lead status has a justified retention period attached.
  • Data is deleted automatically once the period is reached, with no manual cleanup, not even at high volume.
  • Deletion is an active operation: the data disappears from active storage.
  • The audit trail records that and when a record expired, without retaining the content.
  • Retention periods are set out in policy and explainable per category, publisher or label.
Retention periods under GDPR
9

Data breach procedure

A data breach is any incident in which personal data is unintentionally accessed, altered, leaked or destroyed. The GDPR obliges the controller to report a notifiable breach to the supervisory authority within 72 hours of discovery, and to inform the data subjects too where the risk is high. Under that time pressure, a pre-defined procedure always beats improvisation, especially when an incident affects multiple publishers or buyers.

Make sure the route is ready: how you detect, assess, escalate internally and report, including when an incident occurs at an onboarded publisher. As a processor you report an incident to the controller without undue delay, so they can make the legal notification in time. Keep the whole course of events traceable: handling a breach is itself something you must be able to demonstrate as the operator.

Checklist

  • There is a documented data breach procedure with clear steps and responsibilities.
  • Monitoring, access logs and the audit trail flag anomalous behaviour, platform-wide.
  • An incident is assessed on its nature, scope and risk to data subjects, including when it arrives via a publisher.
  • As a processor, an incident is reported to the controller without undue delay.
  • The 72-hour deadline and any information to data subjects are safeguarded and recorded traceably.
Data breach procedure under GDPR
10

Roles & processors

Who is responsible for what? The GDPR distinguishes the controller (who determines the purpose and means) from the processor (who processes on instruction). Lack of clarity about who holds which role is one of the most common compliance mistakes in lead chains, and precisely as an operator running multiple publishers, labels and buyers on a single platform, things go wrong quickly without clear agreements.

Record the division of roles explicitly and conclude a suitable agreement with every publisher, buyer and processor you onboard. In addition, work with role-based access within your platform: no one, whether publisher, buyer or team member, sees more data than their function requires. Keep an up-to-date register of processing activities and sub-processors, so you can show at any moment who is involved and under which conditions, regardless of how many parties your platform now serves.

Checklist

  • For each party (publisher, buyer, sub-processor) it is recorded whether they are controller or processor.
  • A data processing agreement is concluded with every (sub-)processor.
  • Access to data is arranged per role and context within your platform: no one sees more than necessary.
  • There is an up-to-date register of processing activities and sub-processors.
  • Processor agreements are reviewed periodically and can be requested as evidence towards a buyer or supervisory authority.
View roles & processors

The chain as a whole

The ten phases above should not exist as separate measures, but as one continuous chain that you, as the operator, keep watch over. The strength lies in the coherence: consent that stays linked to provenance, a verification outcome that travels along to delivery, a retention period that matches the status, and an audit trail that connects it all into evidence, across all your publishers and buyers. Once those links interlock, accountability becomes a by-product of your platform rather than a project in itself.

Use this checklist as a baseline measurement and as a recurring check. Legislation, publishers, channels and buyers change; your platform grows with them. By going through each phase periodically, you keep the chain closed and stay demonstrably in control, no matter how much volume runs through it or how many parties you now serve.

This is not legal advice

This guide offers a practical overview and is not legal advice. The application of the GDPR depends on your specific processing activities, roles and context as an operator. For your own situation, consult a qualified lawyer or data protection officer. OXIAE supports your compliance with technology, record-keeping and a clear division of roles within your platform, but does not replace a legal assessment.

Get the entire chain demonstrably in order

Book a demo and see how OXIAE delivers provenance, consent, verification, routing and an audit trail by default, from intake to retention period, across all your publishers and buyers.