GDPR Compliance Checklist: 10 Steps for Website Owners

What Is GDPR and Does It Apply to You?

The General Data Protection Regulation (GDPR) is the European Union's landmark privacy regulation that took effect in May 2018. It sets strict rules for how organizations collect, store, process, and share personal data of EU residents.

GDPR applies to you if your website receives visitors from the EU — regardless of where your business is located. Since most websites receive at least some EU traffic, GDPR compliance is relevant to virtually every website operator. The regulation covers any personal data, which includes names, email addresses, IP addresses, cookie identifiers, location data, and more.

Non-compliance carries serious consequences. Fines can reach up to 20 million euros or 4% of annual global turnover, whichever is greater. Regulators have demonstrated willingness to fine businesses of all sizes, not just large corporations.

Step 1: Conduct a Data Audit

Before you can comply with GDPR, you need to know exactly what personal data you collect, where it comes from, where it is stored, who has access to it, and how long you keep it. Perform a thorough audit of your entire website and associated systems.

Start by listing every data collection point: contact forms, signup forms, payment pages, analytics tools, comment systems, and third-party scripts. For each, document the specific data fields collected, the purpose of collection, the legal basis for processing, where the data is stored, and any third parties it is shared with.

GDPR Article 30 requires you to maintain a record of processing activities. This audit is the foundation of that record and informs every subsequent step in this checklist.

Step 2: Create or Update Your Privacy Policy

GDPR requires a clear, comprehensive privacy policy written in plain language. Your policy must cover what data you collect, how and why you process it, the legal basis for each processing activity, how long you retain data, who you share it with, what rights users have, and how to contact your Data Protection Officer (if applicable).

Avoid legal jargon and vague language. GDPR specifically requires that privacy information be provided in a concise, transparent, intelligible, and easily accessible form. The policy should be published on a dedicated page linked prominently from every page on your site.

If writing a privacy policy from scratch sounds daunting, PolicyForge can generate a GDPR-compliant privacy policy tailored to your website in minutes.

Step 3: Implement Cookie Consent

Under GDPR and the ePrivacy Directive, you must obtain informed consent before setting non-essential cookies. This means no analytics cookies, advertising cookies, or social media cookies can be loaded until the user actively opts in.

Implement a cookie consent banner that clearly explains what cookies you use and allows users to accept or reject different categories. Pre-checked boxes are not valid consent under GDPR — the default state must be opt-out. Users must be able to withdraw consent as easily as they gave it. Popular cookie consent solutions include Cookiebot, CookieYes, and Osano.

Remember that cookie walls — blocking access to content unless the user accepts all cookies — are generally not considered valid consent under GDPR guidance from most EU data protection authorities.

Step 4: Establish a Legal Basis for Each Processing Activity

GDPR requires a legal basis for every instance of personal data processing. The six legal bases are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. For most websites, the relevant bases are consent (for marketing emails, analytics cookies), contractual necessity (for providing a purchased service), and legitimate interests (for security and fraud prevention).

Document which legal basis applies to each processing activity identified in your data audit. This is a critical step because the legal basis determines what obligations you have and what rights users can exercise. For example, if you rely on consent, users can withdraw it at any time and you must stop processing immediately.

Step 5: Set Up Data Processing Agreements

If any third party processes personal data on your behalf — and for most websites, several do — GDPR Article 28 requires you to have a Data Processing Agreement (DPA) in place with each of them. This includes your hosting provider, analytics service, email marketing platform, payment processor, customer support tools, and any other service that handles your users' data.

Most major service providers offer standard DPAs. Check for a DPA in the settings or legal section of each service you use. Review the DPA to confirm it covers the required elements: subject matter of processing, duration, nature and purpose, type of personal data, and categories of data subjects. Keep signed copies accessible for your records.

Step 6: Honor Data Subject Rights

GDPR grants individuals specific rights over their personal data. You must have processes in place to handle requests to exercise these rights within the required timeframe (generally one month).

The key rights include: the right of access (users can request a copy of their data), the right to rectification (users can correct inaccurate data), the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability (provide data in a machine-readable format), and the right to object to processing based on legitimate interests.

Set up a clear process for receiving, verifying, and responding to these requests. Document how you will fulfill each type of request and train anyone who handles user data on the procedures.

Step 7: Implement Data Minimization and Retention Policies

GDPR's data minimization principle requires that you only collect personal data that is necessary for the specific purposes you have identified. Do not collect data "just in case" — every field on every form should have a clear justification.

Similarly, establish retention schedules for all personal data. Define how long you keep each type of data and set up processes to delete or anonymize it once the retention period expires. For example, you might retain customer account data for the duration of the relationship and a defined period after account closure, while retaining transaction records for the period required by tax law.

Step 8: Secure Personal Data

Article 32 of GDPR requires you to implement appropriate technical and organizational measures to protect personal data. What counts as "appropriate" depends on the nature of the data and the risks involved, but baseline measures for any website include:

• HTTPS/TLS encryption for all pages, not just login or checkout pages
• Encryption of personal data at rest in your databases
• Strong access controls limiting who can access personal data within your organization
• Regular software updates and security patches
• Secure password storage using modern hashing algorithms
• Regular backups stored securely and tested for restoration
• Security awareness training for anyone who handles personal data

Conduct regular security assessments and address vulnerabilities promptly. Document your security measures as part of your GDPR compliance records.

Step 9: Prepare a Data Breach Response Plan

GDPR requires you to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach poses a high risk, you must also notify affected individuals without undue delay.

Prepare a breach response plan before an incident occurs. The plan should define what constitutes a breach, who is responsible for assessing and responding, how to document the breach, the process for notifying the supervisory authority, and the criteria and process for notifying affected individuals.

Test the plan periodically to identify gaps. Even small websites can experience breaches through compromised third-party services, exposed databases, or stolen credentials.

Step 10: Review International Data Transfers

If you transfer personal data outside the European Economic Area (EEA), you need a lawful mechanism for doing so. This is relevant to most websites because common services like Google Analytics, AWS, Mailchimp, and Stripe are based in the United States.

The primary mechanisms for international transfers include: adequacy decisions (the European Commission has recognized certain countries as providing adequate protection), Standard Contractual Clauses (SCCs) included in your DPAs, and the EU-US Data Privacy Framework for transfers to certified US organizations.

Check that each of your third-party processors has an appropriate transfer mechanism in place. Most major US-based services now support SCCs or are certified under the Data Privacy Framework. Document the transfer mechanisms for your records.

Putting It All Together

GDPR compliance is not a one-time project — it is an ongoing commitment. Schedule regular reviews of your data practices, privacy policy, and security measures. When you add new features, tools, or integrations to your website, assess the GDPR implications before going live.

The good news is that each step in this checklist builds on the last. Once you have completed your initial data audit and established the foundational elements, maintaining compliance becomes a manageable part of your regular operations.

Start with the step that has the highest impact and the most visibility: your privacy policy. It is the public face of your compliance efforts and the first thing regulators, users, and partners will look for.