GDPR Compliance Checklist for Your Website (2026)
1 April 2026
The GDPR has been in effect since 2018, but most small business websites still have compliance gaps. Not because owners are careless, but because web designers and hosting providers rarely handle these details.
Here is a practical checklist. Go through it point by point. Most issues take less than an hour to fix.
Cookie consent
Your website probably sets cookies. If it does, you need proper consent before most of them activate.
- Do you have a cookie consent banner? Not just a notice that says "we use cookies" but an actual choice between Accept and Reject.
- Do cookies load before the visitor clicks Accept? This is the most common violation. Google Analytics, Facebook Pixel, and marketing tools often fire immediately on page load.
- Can visitors reject cookies and still use your site? The Reject button should be as easy to find as the Accept button.
- Do you have a cookie policy page? It should list every cookie, its purpose, and how long it stays.
Privacy policy
Every website needs a privacy policy. It doesn't have to be 20 pages of legal text.
- Is your privacy policy accessible from every page? Put a link in your footer.
- Does it explain what data you collect? Contact forms, newsletter signups, analytics, payment data.
- Does it name your legal basis? Consent, contract, or legitimate interest for each type of processing.
- Does it list your data processors? Your hosting provider, email service, analytics tool, payment processor.
- Does it explain visitor rights? Access, correction, deletion, data portability, and the right to complain to the data protection authority.
Contact and newsletter forms
Forms that collect personal data need special attention.
- Do your forms have a privacy policy link? Add one near the submit button.
- Are newsletter signups separate from other consent? You can't bundle "I agree to the terms" and "Sign me up for the newsletter" in one checkbox.
- Are checkboxes unchecked by default? Pre-checked consent boxes are not valid under GDPR.
- Do you use double opt-in for newsletters? Required in many EU countries, and good practice everywhere.
Third-party services
Every external service your website loads transfers visitor data to that service.
- Google Fonts: If loaded from Google's servers, every visitor's IP address goes to Google. Host the fonts locally instead.
- YouTube embeds: Embedded videos load tracking cookies. Use the privacy-enhanced mode (youtube-nocookie.com) or load them only after consent.
- Google Maps embeds: Similar to YouTube. Load only after consent.
- Social media widgets: Facebook Like buttons, Twitter embeds, and Instagram feeds all track visitors.
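As an added example (not code from the original article), here is the consent gate described in the cookie consent and third-party services sections above, in plain JavaScript: non-necessary scripts and embeds are held back until the visitor has accepted their category, YouTube embeds are rewritten to youtube-nocookie.com, and a small check lists cookies that are already set before any consent was given. The resource list, the G-PLACEHOLDER measurement ID, VIDEO_ID and the sample cookie string are constructed assumptions.

```javascript
// Consent state. Everything except "necessary" starts rejected: no pre-ticked boxes.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Constructed sample of what the page wants to load, tagged by consent category.
// G-PLACEHOLDER and VIDEO_ID are placeholders, not real identifiers.
const RESOURCES = [
  { id: "cart", category: "necessary", type: "script", src: "/js/cart.js" },
  { id: "ga4", category: "analytics", type: "script", src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { id: "fbpixel", category: "marketing", type: "script", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "video", category: "marketing", type: "iframe", src: "https://www.youtube.com/embed/VIDEO_ID" },
];

// YouTube privacy-enhanced mode: same embed path on the youtube-nocookie.com host.
function privacyEnhancedEmbed(src) {
  return src.replace(/^https:\/\/(www\.)?youtube\.com\/embed\//, "https://www.youtube-nocookie.com/embed/");
}

// Decide what may load now. Necessary resources always load; everything else only
// when its category is consented. Embeds that do load use the nocookie host.
function planResources(resources, consent) {
  const load = [], blocked = [];
  for (const r of resources) {
    if (r.category === "necessary" || consent[r.category] === true) {
      load.push(r.type === "iframe" ? { ...r, src: privacyEnhancedEmbed(r.src) } : r);
    } else {
      blocked.push(r);
    }
  }
  return { load, blocked };
}

// Check for the most common violation: cookies already present before consent that are
// not on the allowlist of strictly necessary ones. Input has the shape of document.cookie.
function cookiesBeforeConsent(cookieString, necessaryNames) {
  const allowed = new Set(necessaryNames);
  return cookieString.split(";").map(c => c.trim().split("=")[0])
    .filter(name => name && !allowed.has(name));
}
// Constructed sample: document.cookie on a first visit where GA and the pixel fired on load.
const SAMPLE_COOKIES = "_ga=GA1.1.111; PHPSESSID=abc123; _fbp=fb.1.222; cart=3";

// Browser only: inject the planned resources into the page. No-op under Node.
function applyPlan(plan) {
  if (typeof document === "undefined") return 0;
  for (const r of plan.load) {
    const el = document.createElement(r.type);
    el.src = r.src;
    document.body.appendChild(el);
  }
  return plan.load.length;
}
```

Run cookiesBeforeConsent against document.cookie on a fresh private-browsing visit before clicking anything; any name it returns is a script firing before consent.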
Technical measures
GDPR requires "appropriate technical measures" to protect personal data.
- Is your site on HTTPS? No exceptions. Every page.
- Are contact form submissions encrypted? Check that your form's action URL doesn't submit over HTTP, even when the page itself is served over HTTPS.
- Do you have a data processing agreement with your hosting provider? Most reputable hosts provide one automatically.
- When was your CMS last updated? Outdated WordPress or Joomla installations are security risks that also affect GDPR compliance.
What happens if you're not compliant
The Dutch Autoriteit Persoonsgegevens (AP) has issued fines to small businesses. In 2024, a dental practice was fined 12,000 euros for an inadequate privacy policy and cookie violations.
Fines for small businesses typically range from 1,000 to 10,000 euros. But even without a fine, a complaint can lead to a time-consuming investigation.
The good news: fixing most issues is straightforward and doesn't require a lawyer.
Frequently asked questions
Do I need a cookie banner if I only use necessary cookies?
If your website only uses strictly necessary cookies (like session cookies for a shopping cart), you don't need a consent banner. But most websites also use analytics or marketing cookies, which do require consent.
Is Google Analytics allowed under GDPR?
Google Analytics 4 can be configured to be GDPR-compliant, but only with proper consent. You must get consent before the tracking script loads, not after.
How often should I review my GDPR compliance?
Check your website whenever you add a new feature, plugin, or third-party integration. A quarterly review is a reasonable minimum.
Can I write my own privacy policy or do I need a lawyer?
For a straightforward small business website, a well-written template is usually sufficient. If you process sensitive data (health, financial) or handle large volumes of personal data, get professional legal advice.