GDPR Compliance Checklist for Your Website (2026)
1 April 2026
The GDPR has been in effect since 2018, but most small business websites still have compliance gaps. Not because owners are careless, but because web designers and hosting providers rarely handle these details.
Here is a practical checklist. Go through it point by point. Most issues take less than an hour to fix.
Cookie consent
Your website probably sets cookies. If it does, you need proper consent before most of them activate.
- Do you have a cookie consent banner? Not just a notice that says "we use cookies" but an actual choice between Accept and Reject. A simple informational bar with an "OK" button does not count as valid consent. The visitor needs a genuine choice. If you're unsure whether you even need a banner, see our guide "Do I need a cookie banner?".
- Do cookies load before the visitor clicks Accept? This is the most common violation. Google Analytics, Facebook Pixel, and marketing tools often fire immediately on page load. Your consent tool must block these scripts until the visitor makes a choice. If tracking starts before consent is given, the consent is meaningless.
- Can visitors reject cookies and still use your site? The Reject button should be as easy to find as the Accept button. See the full cookie banner requirements for what regulators expect.
- Is the Reject button equally prominent? The Dutch Autoriteit Persoonsgegevens (AP) has been clear on this: if your Accept button is a large, colored button and the Reject option is a small text link or hidden behind a "Manage preferences" menu, that is not valid consent. One click to accept means one click to reject. The AP has been sending warnings to Dutch businesses specifically about this issue since late 2024.
- Do you have a cookie policy page? It should list every cookie, its purpose, and how long it stays. Include the cookie name, the domain it belongs to, what it does, and its expiration period.
- Can visitors withdraw consent later? GDPR Article 7(3) says withdrawing consent must be as easy as giving it. Your site should have a way for visitors to change their cookie preferences after the initial choice, usually through a link in the footer or a small icon on every page.
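The mechanism the list above describes, as an added example that is not code from the original article or from any consent vendor: non-essential scripts are written into the page as `<script type="text/plain" data-consent="analytics" src="...">` so the browser never executes them on load, and they are activated only for the categories the visitor accepted. Reject and withdraw are single calls of the same shape as Accept. The cookie name `site_consent`, the category names, the six-month validity period and the `data-consent` attribute are this example's own conventions.

```javascript
// Added example: a minimal consent gate. Gated scripts look like
//   <script type="text/plain" data-consent="analytics" src="https://example-tracker/a.js"></script>
// and stay inert until activateGatedScripts() clones them with a real type.
const CONSENT_COOKIE = "site_consent";          // assumed cookie name
const CONSENT_VERSION = 1;                      // bump when the cookie policy changes
const CATEGORIES = ["analytics", "marketing"];  // non-essential categories (assumed)

// Parse the stored consent record from a Cookie header / document.cookie string.
// Returns null when there is no usable decision (absent, malformed, or made
// under an older policy version): the banner must be shown and nothing
// non-essential may load.
function parseConsent(cookieHeader) {
  const re = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)");
  const m = re.exec(cookieHeader || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec.v !== CONSENT_VERSION || typeof rec.choices !== "object" || rec.choices === null) return null;
    const choices = {};
    for (const c of CATEGORIES) choices[c] = rec.choices[c] === true;  // anything unknown is a deny
    return { v: rec.v, ts: rec.ts, choices };
  } catch (e) {
    return null;
  }
}

// Serialize a decision as a Set-Cookie / document.cookie string. Accept-all
// and reject-all are symmetric: one call each, both stored, so the banner
// disappears either way and the visitor is not nagged for rejecting.
function serializeConsent(choices, now = Date.now()) {
  const rec = { v: CONSENT_VERSION, ts: now, choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  const maxAge = 180 * 24 * 3600;  // six months, then ask again
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide which gated scripts may run. `scripts` is a list of { category, src }.
// No record at all means: load nothing (consent must precede tracking).
function scriptsAllowed(record, scripts) {
  if (!record) return [];
  return scripts.filter((s) => record.choices[s.category] === true);
}

// Browser glue: replace each allowed inert <script type="text/plain"> with a
// live copy. Guarded so the pure functions above also run under Node.
function activateGatedScripts(record) {
  if (typeof document === "undefined") return 0;
  const nodes = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = nodes.map((n) => ({ category: n.dataset.consent, src: n.src, node: n }));
  let count = 0;
  for (const d of scriptsAllowed(record, descriptors)) {
    const live = document.createElement("script");
    if (d.node.src) live.src = d.node.src; else live.textContent = d.node.textContent;
    d.node.replaceWith(live);
    count++;
  }
  return count;
}

// Withdrawal (Article 7(3)): as easy as giving consent, one call. Trackers that
// already ran cannot be unloaded, so the page is reloaded with the new record.
function withdrawAll() {
  const header = serializeConsent({});
  if (typeof document !== "undefined") {
    document.cookie = header;
    location.reload();
  }
  return header;
}
```

Wire the footer "Cookie settings" link to a function that shows the banner again or calls `withdrawAll()`; on every page load, call `activateGatedScripts(parseConsent(document.cookie))` and show the banner whenever it returns a null record.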
Privacy policy
Every website needs a privacy policy. It doesn't have to be 20 pages of legal text. But it does need to cover specific points required by GDPR Articles 13 and 14.
Article 13 applies when you collect data directly from the person (through forms, cookies, account creation). Article 14 applies when you get personal data from a third party. Most small business websites only need to worry about Article 13, but if you buy mailing lists or get customer referrals with contact details, Article 14 applies too.
- Is your privacy policy accessible from every page? Put a link in your footer.
- Does it explain what data you collect? Contact forms, newsletter signups, analytics, payment data. Be specific. "We collect personal data" is not enough. List the actual categories: name, email, IP address, payment details, browsing behavior.
- Does it name your legal basis? Consent, contract, or legitimate interest for each type of processing. Article 13(1)(c) requires this. You can't just pick one legal basis for everything. Analytics might rely on consent, while processing an order relies on contract performance.
- Does it list your data processors? Your hosting provider, email service, analytics tool, payment processor. Article 13(1)(e) requires you to name the recipients or categories of recipients, and Article 13(1)(f) requires you to say when data leaves the EU. Best practice is to name them specifically: "We use Mailchimp (The Rocket Science Group LLC, USA) for email newsletters."
- Does it explain visitor rights? Access, correction, deletion, restriction, objection, data portability, and the right to complain to the data protection authority. Article 13(2)(b) requires you to inform people of these rights, 13(2)(c) of the right to withdraw consent, and 13(2)(d) of the right to lodge a complaint. Don't just list them. Explain briefly how to exercise them, like providing an email address for requests.
- Does it include your contact details? Article 13(1)(a) requires the identity and contact details of the controller. That means your business name, address, and a way to reach you. If you have a Data Protection Officer, Article 13(1)(b) requires their contact details to be listed too.
- Does it state retention periods? Article 13(2)(a) requires you to state how long you keep personal data, or the criteria you use to determine that period. "We keep your data as long as necessary" is too vague. Be specific: "We keep contact form submissions for 2 years."
Our guide on privacy policy requirements lists every element your policy must include.
Contact and newsletter forms
Forms that collect personal data need special attention.
- Do your forms have a privacy policy link? Add one near the submit button. Something like "By submitting this form, you agree to our [privacy policy]." This satisfies the GDPR requirement to inform people at the point of data collection.
- Are newsletter signups separate from other consent? You can't bundle "I agree to the terms" and "Sign me up for the newsletter" in one checkbox. Each purpose needs its own consent. Our newsletter signup GDPR guide covers exactly what your form needs.
- Are checkboxes unchecked by default? Pre-checked consent boxes are not valid under GDPR. The EU Court of Justice confirmed this in the Planet49 ruling. A pre-checked checkbox is illegal and any consent collected through one is invalid.
- Do you use double opt-in for newsletters? The GDPR does not name it, but Article 7(1) puts the burden of proving consent on you, and regulators and courts (Germany in particular) treat double opt-in as the standard way to carry that burden. The subscriber enters their email, receives a confirmation email, and clicks a link to confirm. Without double opt-in, anyone can enter someone else's address and you can't prove the person actually wanted to subscribe.
Third-party services
Every external service your website loads transfers visitor data to that service. Most of these transfers require consent before they happen. Read our full guide on third-party tracking and consent to understand the rules.
- Google Fonts: If loaded from Google's servers, every visitor's IP address goes to Google. Host the fonts locally instead to avoid this. In 2022 a German court (Landgericht München I) awarded a visitor 100 euros in damages for this exact issue.
- YouTube embeds: Embedded videos load tracking cookies. Use the privacy-enhanced mode (youtube-nocookie.com) or load them only after consent.
- Google Maps embeds: Similar to YouTube. Load only after consent.
- Social media widgets: Facebook Like buttons, Twitter embeds, and Instagram feeds all track visitors. They set cookies and send data to their servers as soon as they load. Use a two-click solution: show a placeholder first, load the actual widget only after the visitor clicks.
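The two-click pattern for the YouTube item above, as an added example that is not code from the original article or from Google: the page first renders a static placeholder that loads nothing from Google, and the iframe is created only when the visitor clicks. The same placeholder approach carries over to Google Maps and social widgets. Because the video id ends up inside an iframe `src`, it is validated against YouTube's 11-character id alphabet first, so a link pasted by an editor or submitted by a user cannot redirect the iframe elsewhere. The `yt-placeholder` class and `data-url` attribute are this example's own conventions.

```javascript
// Added example: privacy-enhanced YouTube embeds, loaded only on click.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Extract the video id from the link shapes YouTube hands out
// (watch?v=, youtu.be/, /embed/, /shorts/). Returns null for anything else,
// including non-YouTube hosts and ids that fail the alphabet check.
function youtubeVideoId(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  const host = url.hostname.replace(/^www\.|^m\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1).split("/")[0];
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    const m = /^\/(?:embed|shorts|v)\/([^/?#]+)/.exec(url.pathname);
    if (m) id = m[1];
    else if (url.pathname === "/watch") id = url.searchParams.get("v");
  }
  return id && VIDEO_ID.test(id) ? id : null;
}

// Privacy-enhanced embed URL: YouTube sets no cookies until playback starts.
function privacyEmbedUrl(urlString) {
  const id = youtubeVideoId(urlString);
  return id ? `https://www.youtube-nocookie.com/embed/${id}` : null;
}

// Describe what the placeholder will render. Kept free of DOM calls so the
// decision logic can be tested outside a browser.
function placeholderFor(urlString) {
  const embed = privacyEmbedUrl(urlString);
  if (!embed) return null;
  return {
    text: "Click to load the video. Data will then be sent to YouTube (Google).",
    embed,
    iframeAttrs: {
      src: embed,
      allow: "encrypted-media; picture-in-picture; fullscreen",
      referrerpolicy: "strict-origin-when-cross-origin",
      loading: "lazy",
    },
  };
}

// Browser glue for <div class="yt-placeholder" data-url="https://youtu.be/..."></div>.
// Invalid links render nothing rather than an iframe with a guessed source.
function mountPlaceholders() {
  if (typeof document === "undefined") return 0;
  let mounted = 0;
  for (const el of document.querySelectorAll(".yt-placeholder[data-url]")) {
    const spec = placeholderFor(el.dataset.url);
    if (!spec) { el.remove(); continue; }
    const btn = document.createElement("button");
    btn.type = "button";
    btn.textContent = spec.text;
    btn.addEventListener("click", () => {
      const frame = document.createElement("iframe");
      for (const [k, v] of Object.entries(spec.iframeAttrs)) frame.setAttribute(k, v);
      el.replaceWith(frame);
    });
    el.replaceChildren(btn);
    mounted++;
  }
  return mounted;
}
```

Call `mountPlaceholders()` once the DOM is ready; until the click, the only thing on the page is a button and the text telling the visitor where their data will go.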
Technical measures
GDPR requires "appropriate technical measures" to protect personal data. Article 32 specifically calls for security measures that match the risk level. For a website, the basics matter most. Our guide on why GDPR requires a secure website explains the connection between security and data protection law.
- Is your site on HTTPS? No exceptions. Every page. This encrypts data in transit between your visitor's browser and your server. Redirect every HTTP request to HTTPS and send a Strict-Transport-Security header so returning browsers never try plain HTTP again.
- Are contact form submissions encrypted? Check that your form doesn't submit over HTTP: a form on an HTTPS page can still post to an http:// action. Also check that the data is stored securely on the server side, and that submissions are not simply e-mailed to you in plain text and left in an inbox forever.
- Do you have a data processing agreement with your hosting provider? Most reputable hosts provide one automatically. Article 28 requires a written contract with every processor that handles personal data on your behalf.
- When was your CMS last updated? Outdated WordPress or Joomla installations are security risks that also affect GDPR compliance. If a data breach happens because you didn't install a security update from six months ago, that's hard to defend.
- Are admin accounts secured? Use strong passwords and enable two-factor authentication for anyone who can access personal data through your CMS.
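A small static audit covering the technical checks above that can be read straight off one page's response, as an added example that is not code from the original article or from the scanner the page advertises: it flags HTTP form actions, active mixed content, a missing or too-short HSTS header, and fonts pulled from Google's servers (the Google Fonts item from the previous section). The sample page and headers at the bottom are constructed for this example, and the scan is regex-based and intended as a quick check, not a full HTML parser.

```javascript
// Added example: audit one HTTP response (headers + HTML) for the basics.
function auditResponse(pageUrl, headers, html) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  if (!pageUrl.startsWith("https://")) findings.push("page itself is served over HTTP");

  // HSTS: present, and with a max-age long enough to matter (six months is a
  // common floor; preload lists require a year).
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("no Strict-Transport-Security header");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) findings.push("HSTS max-age below 6 months: " + hsts);
  }

  // Forms posting to http:// send the visitor's data in the clear, even when
  // the page that contains them was served over HTTPS.
  for (const m of html.matchAll(/<form\b[^>]*\baction\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi)) {
    findings.push("form submits over HTTP: " + m[1]);
  }

  // Active mixed content: scripts, stylesheets and frames fetched over http://
  // can be replaced on the wire by anyone on the network path.
  for (const m of html.matchAll(/<(script|link|iframe)\b[^>]*\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi)) {
    findings.push(`${m[1]} loaded over HTTP: ${m[2]}`);
  }

  // Google Fonts served by Google: every visitor's IP address goes to Google.
  for (const m of html.matchAll(/https?:\/\/fonts\.(?:googleapis|gstatic)\.com[^"'\s>]*/gi)) {
    findings.push("Google Fonts loaded from Google: " + m[0]);
  }
  return findings;
}

// Constructed sample: a typical small-business page with several of the problems.
const SAMPLE_HEADERS = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=300",
};
const SAMPLE_HTML = `
<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="http://cdn.example.com/analytics.js"></script>
</head><body>
<form action="http://forms.example.com/contact" method="post"><input name="email"></form>
<form action="/newsletter" method="post"><input name="email"></form>
</body></html>`;

// Run the audit over the constructed sample; returns the list of findings.
function runSampleAudit() {
  return auditResponse("https://shop.example", SAMPLE_HEADERS, SAMPLE_HTML);
}
```

In practice you feed `auditResponse` the headers and body from a real fetch of your own site; an empty findings list for the sample above would require the fonts to be self-hosted, the script and form moved to https://, and the HSTS max-age raised.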
Data breach notification
If personal data is breached, GDPR Articles 33 and 34 set strict rules for what happens next.
A data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This includes obvious scenarios like a hack, but also things like sending a newsletter with all recipients in the "To" field instead of "BCC," or losing an unencrypted laptop with customer data.
The 72-hour rule. Article 33 requires you to notify your data protection authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to people's rights. The clock starts when you know about it, not when it happened. If your hosting provider tells you on Tuesday that your database was exposed on Sunday, the 72 hours start on Tuesday.
What to include in the notification. Article 33(3) lists it: the nature of the breach, the categories and approximate number of people and records affected, the contact details of your DPO or another contact point, the likely consequences, and the measures you've taken or plan to take to address it. Keep records of every breach, even ones you decide don't need to be reported; Article 33(5) requires this and the authority can ask to see them.
When to notify individuals. Article 34 says you must notify the affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms. This means if customer passwords, payment data, or health information was exposed, you need to tell the people involved. Not just the authorities.
Prepare in advance. Have a simple breach response plan. Know who to contact at the AP (or your national authority), what information you'll need to gather, and who in your organization is responsible for making the notification. Scrambling to figure this out during an active breach wastes hours you don't have.
Records of processing activities
Article 30 of the GDPR requires certain organizations to maintain a Record of Processing Activities (ROPA). This is a document that lists every type of personal data processing your organization does.
When is it required? Technically, organizations with fewer than 250 employees are exempt. But there's a catch in Article 30(5): the exemption does not apply if the processing is not occasional, if it is likely to result in a risk to people's rights, or if it involves special categories of data. Since most business websites continuously process personal data through analytics, contact forms, and newsletters, the exemption rarely applies in practice.
What should it contain? For each processing activity, record: the purpose, the categories of data, who receives the data, any transfers outside the EU, retention periods, and a general description of your security measures. For a small business website, this might be a simple spreadsheet with entries like "Contact form submissions," "Newsletter subscribers," "Website analytics," and "Customer orders."
Keep it updated. Update your records when you add a new tool, change a processor, or start collecting new types of data. Data protection authorities ask for this document during investigations. Having one ready shows you take compliance seriously.
Children's data
If your website might attract visitors under 16, GDPR Article 8 sets additional rules. In the Netherlands, the age threshold is 16. Other EU countries have set it as low as 13 (Denmark) or 14 (Austria, Italy).
When does this apply? If you offer services directed at children or if you know that children use your service. A toy shop, a tutoring service, a children's clothing store, or any website with content aimed at young people needs to consider this.
Parental consent. For children below the age threshold, consent must be given or authorized by the person holding parental responsibility. You need to make reasonable efforts to verify this. Simply asking "Are you over 16?" with a checkbox is not enough if your service clearly targets younger users.
Keep language simple. If children might read your privacy policy or consent requests, the language must be clear and plain enough for them to understand. GDPR Recital 58 specifically says this.
Minimize data collection. Collect the minimum data necessary. If a child doesn't need to provide their date of birth or address to use your service, don't ask for it.
Most standard small business websites don't target children specifically. But if yours does, or if you run a webshop that sells children's products, review this area carefully.
What happens if you're not compliant
The Dutch Autoriteit Persoonsgegevens (AP) has issued fines to small businesses. In 2024, a dental practice was fined 12,000 euros for an inadequate privacy policy and cookie violations.
Spanish real estate agency: 3,000 EUR (2023). The Spanish data protection authority (AEPD) fined a small real estate agency for installing security cameras that also recorded public areas and neighboring properties. The agency had no privacy notices about the cameras and no record of processing activities. The total fine was 3,000 euros, split across multiple violations.
Greek company: 20,000 EUR for no legal basis (2022). The Hellenic Data Protection Authority fined a company 20,000 euros for sending marketing emails without a valid legal basis. The company had collected email addresses through their website but couldn't demonstrate that the people had actually consented to receive marketing.
German website: 100 EUR in damages for Google Fonts (2022). The Landgericht München I ruled that loading Google Fonts from Google's servers without consent violated GDPR. The website owner was ordered to pay 100 euros in damages to a single visitor. This case triggered thousands of copycat claims across Germany and Austria.
Fines for small businesses typically range from 1,000 to 10,000 euros. But even without a fine, a complaint can lead to a time-consuming investigation. You might need to hire a lawyer to respond, adjust your entire website, and document everything you changed. The cost of fixing things after a complaint is always higher than doing it right from the start. Our guide on GDPR fines for small businesses covers more real cases and amounts.
The good news: fixing most issues is straightforward and doesn't require a lawyer.
Frequently asked questions
Do I need a cookie banner if I only use necessary cookies?
If your website only uses strictly necessary cookies (like session cookies for a shopping cart), you don't need a consent banner. But most websites also use analytics or marketing cookies, which do require consent. Be honest with yourself about what your site actually loads. Check with a free website scan to see what cookies and scripts are running.
Is Google Analytics allowed under GDPR?
Google Analytics 4 can be configured to be GDPR-compliant, but only with proper consent. You must get consent before the tracking script loads, not after. You also need to mention Google Analytics specifically in your privacy policy as a data processor, explain what data it collects, and note that data may be transferred to the United States.
How often should I review my GDPR compliance?
Check your website whenever you add a new feature, plugin, or third-party integration. A quarterly review is a reasonable minimum. Pay special attention after CMS updates, theme changes, or adding new forms.
Can I write my own privacy policy or do I need a lawyer?
For a straightforward small business website, a well-written template is usually sufficient. If you process sensitive data (health, financial) or handle large volumes of personal data, get professional legal advice.
What's the difference between a data controller and a data processor?
You are the data controller: you decide why and how personal data is processed on your website. Your hosting provider, email service, and analytics tool are data processors: they process data on your behalf. As the controller, you are responsible for making sure your processors handle data correctly. That's why you need data processing agreements with each of them.
Do I need a Data Protection Officer?
Most small businesses don't. A DPO is required if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data (health, religion, political opinions) on a large scale. A regular business website with a contact form and newsletter doesn't meet that threshold.
What counts as "personal data" under GDPR?
Any information that can identify a person, directly or indirectly. Obviously: names, email addresses, phone numbers. Less obviously: IP addresses, cookie identifiers, location data, device fingerprints. If your website collects it and it can be linked to a specific person, it's personal data.
Check your website now
Going through this checklist manually takes time. You can get an automated check of your cookie consent, privacy policy, third-party services, and security settings in about 60 seconds.
Scan your website for free and see exactly where you stand.