Many businesses have faced major reputational and financial damage from General Data Protection Regulation (GDPR) violations. Don’t let yours become the next cautionary tale. GDPR has significant implications for many companies, even those without a physical EU presence. If your website collects personal data from EU visitors, it’s important to take proactive steps to comply. Our 10-step GDPR Compliance Checklist is here to help you get ahead of potential issues.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation enacted by the European Union (EU). It came into effect on May 25, 2018, replacing the Data Protection Directive 95/46/EC. GDPR is designed to harmonize data privacy laws across Europe, strengthen the rights of EU citizens regarding their personal data, and reshape the way organizations approach data privacy.

Who does GDPR apply to?

GDPR applies to a broad range of entities that process personal data, regardless of whether they are based within the EU or not. The regulation has extraterritorial scope, meaning it can apply to organizations outside the EU if they process the personal data of EU residents. The primary entities to which GDPR applies include:

  1. Data controllers: These are organizations or individuals that determine the purposes and means of processing personal data. They are responsible for ensuring that any data processing activities comply with GDPR.
  2. Data processors: These entities process personal data on behalf of data controllers. They are bound by GDPR and must implement appropriate security measures to protect the data.
  3. Data subjects: GDPR is ultimately focused on protecting the rights and privacy of individuals, referred to as data subjects. Any individual whose personal data is collected and processed by an organization falls under the purview of GDPR.

What are the key requirements of GDPR?

  • Lawful processing: Organizations must have a lawful basis for processing personal data. This includes obtaining explicit consent from the data subject or demonstrating that processing is necessary for the performance of a contract, compliance with a legal obligation, protection of vital interests, the performance of a task carried out in the public interest, or the exercise of official authority, or legitimate interests pursued by the data controller or a third party.
  • Consent: Explicit GDPR consent from the data subject is a crucial element of lawful processing. Organizations must ensure that individuals provide a clear and informed agreement for the processing of their personal data.
  • Data subject rights: GDPR grants several rights to individuals, including the right to access, rectify, and erase their personal data. Data subjects also have the right to object to certain types of processing, restrict processing, and data portability.
  • Data protection impact assessments (DPIAs): Organizations are required to conduct DPIAs for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. This involves assessing the necessity, proportionality, and risks of the processing.
  • Data breach notification: Organizations must notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • Privacy by design and default: GDPR encourages the integration of data protection measures into the development of systems, products, and services. Organizations are required to implement privacy by design and default principles to ensure that data protection is considered from the outset.
  • Data protection officer (DPO): In certain cases, organizations are required to appoint a Data Protection Officer who oversees GDPR compliance, advises on data protection impact assessments, and serves as a contact point for data subjects and the supervisory authority.
  • International data transfers: If personal data is transferred outside the EU, organizations must ensure that an adequate level of protection is maintained. This may involve implementing standard contractual clauses, binding corporate rules, or relying on frameworks like the EU-US Data Privacy Framework.

Why is GDPR compliance important for your business?

GDPR protects users’ privacy and ensures that their information is protected. The regulation applies to all companies, from large corporations to small businesses. Organizations should prepare for the change or risk severe consequences for failure to comply. If you are not compliant, your business can suffer a major GDPR fine, up to 4% of its annual global turnover or €20 million (whichever is higher).

Despite all the changes and challenges, there are some advantages to the new regulations. The GDPR is an opportunity for companies to re-evaluate the way they store, share, and protect customer data. By building trust and fostering customer loyalty, companies can position themselves as a trusted source. With proper preparation, businesses will be able to capitalize on new opportunities arising from the GDPR.

This 10-step GDPR checklist will hopefully help you get your website GDPR-compliant. There is no one-size-fits-all approach or solution when it comes to GDPR compliance. Each website (or company) has different business operations and needs to comply with GDPR in its own way. This means making sure you’re compliant involves some careful planning and analysis on your part—and then devising customized procedures specific to your company’s needs.

So, are you ready to tackle the GDPR requirements?

10-Step GDPR Compliance Checklist

Here is what you can do to ensure your website stays compliant with the GDPR.

#1 Know the data you hold

Getting ready for GDPR means you will need to know what personal data you hold, where it is stored, and who has access to it. The following checklist provides the questions you need to ask yourself and your staff to determine if you are ready for GDPR compliance.

  • What personal data do you hold? 
  • Does the data include sensitive personal data? If yes, how do you keep it safe?
  • Does your website collect personal data from minors (below 16 years of age)?
  • Why does your website require this data?
  • How have you retained consent for processing this personal data?
  • Where is this personal data stored?
  • Who has access to this data?
  • Do any third parties hold this personal data? If yes, how do you control their processing of your data?
  • Are these third parties based outside the EEA? If yes, what mechanism do they have in place to protect your personal data from being accessed by foreign bodies or from being used for purposes other than those permitted under the contract with that third party?
  • How long does this personal data need to be kept? Can any of this information be deleted or anonymized?

#2 Secure your website

Website security is something that you cannot afford to ignore. As a website owner, you must ensure your website is secure. This means that the data stored on the website needs to be protected and that the website itself needs to be protected from outside attacks. Websites are regularly attacked by hackers and other people with malicious intent. 

Here are a few things you can do to secure your website and keep user data protected:

  • Install an SSL certificate (HTTPS website URL) that will encrypt any information sharing between the site and server.
  • Use strong passwords for admin accounts.
  • Add extra layers of protection to your server in case you allow users to share payment information.
  • Use a CDN provider that can improve security, e.g., by protecting websites against DDoS.
  • Use anti-virus software or services to protect against unauthorized access to the site.
  • Do not collect, use or store personal data more than what is necessary for your website.
  • Try not to send or share personal data, especially sensitive types to third-party services.
  • Pseudonymize or anonymize personal data before storing them to de-identify the users.
  • Remove personal data once your website does not need them.
  • Back up the data in multiple locations.

#3 Update privacy policy

A privacy policy should be an integral part of your overall website content. You will also need to ensure that it is easily accessible via a link on every page of your website (including those where no personal data collection takes place). 

The primary purpose of a privacy policy is to inform your site’s visitors about how you collect, use, store, and disclose their personal data. It should also explain the user’s rights and your obligations to them. Some of these rights include the right to access their personal data and the right to request the erasure of their data.

The policy must be written in clear language that is understandable by people. If a user has to go searching for it or click several times before they can find it, then this is not acceptable.

Checkout best Privacy Policy examples for GDPR compliance

Create Privacy Policy for FREE

Generate a privacy policy for your website in just a few clicks.


*no credit card required

#4 Get consent for emails

If you have a mailing list of EU citizens, you need to review it for GDPR compliance.

If you use email marketing services to send out newsletters or for any communication, you need permission from your users to send the emails. The recommended method is to use double opt-in, where users have to verify their email address after submitting it to the website. 

Users should be able to opt out of emails at any time. To do this, the user has to be able to click on an unsubscribe link found in your emails and it should take them to a page where they may easily unsubscribe without any difficulty. 

#5 Add a cookie banner

If your website uses non-necessary cookies (don’t know what they are? Read this to find out), then you should use a cookie banner to get GDPR cookie consent from users to store them on their devices. 

The banner informs visitors about how the website uses cookies and what information they store. It also informs them about their right to refuse the storage of cookies.

Here are the key points you can consider while adding a cookie banner:

  • The language used in the banner should be clear and concise by avoiding legal jargon and long sentences.
  • Describe what kind of cookies you are setting and why.
  • Explain why you need to set cookies. 
  • Explain how users can manage their cookie preferences.
  • Include an opt-in option for cookies where users can accept them.
  • Display an opt-out option for users who wish to block all cookies from your website. 
  • Add a third option for selective enabling of consent based on cookie category.
  • Include information about your privacy policy and a link to this page.
  • Closing or non-interaction with the banner should not mean the user has consented.
  • Do not load cookies without users’ explicit consent (opt-in).
  • Opt-out means the cookies should remain blocked, on subsequent visits as well.
  • There should be an option to recall the banner in case the user wants to withdraw or change consent status.

Let us take care of cookie compliance, so you can focus on your business

Sign up on CookieYes and make your website GDPR compliant for cookies.

Try free cookie banner

*14-day free trial *Cancel anytime

Here are 8 companies that paid the price for violating cookie laws: Cookie Consent Fines

#6 Check forms on your website

If your website has any kind of forms, e.g. inquiry, contact, or subscriptions, that collect personal data, you must ensure:

  • Include a privacy statement that explains why you’re asking for their details; what you’re going to do with them; and that they can withdraw consent at any time.
  • Add an opt-in option, such as an unticked checkbox or a disabled toggle switch to get user consent to collect data.
  • Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.
  • Preferably, add a link to the Privacy Policy for further information.

#7 Review data processors or third-party services

The first thing you need to do is find out which of the services or companies your company uses directly are GDPR-compliant. You must be aware of the privacy policies of any third-party service or company you use directly (or indirectly).

If they are doing work on behalf of your company then you should ensure they align with your privacy policy. This means that they should be GDPR compliant as well. 

#8 Review international data transfer 

If your business website relies on transferring personal data from EU to non-EU countries, then you should ensure the following:

  • Have you done the necessary risk assessments before transferring the data?
  • Does the recipient country or service provide an adequate level of data protection system in place?
  • Do you have all the necessary agreements with the recipient company/services?

#9 Provide data rights provision

Web users have a right to obtain information about the personal data you hold about them and to request that it be corrected or deleted at any time. They should be easily able to access the right options to exercise these rights.

Read more about Data Subject Access Request (DSAR).

The GDPR does not specify any method for disclosing this information. One way is to add a link or button in the footer of all your web pages, or by providing a page with more detailed information on how to manage their data. Some websites also prefer to provide email contact information to submit their requests.

Your privacy policy should describe how you meet this requirement.

#10 Analyze and mitigate data breach

Here is what you should do to prepare in the event of a data breach

  • Keep a record of your processing activities.
  • Block all access to your website until you fix the vulnerability.
  • Conduct a thorough investigation — where, when and how it happened, what data was involved, and who got affected and how.
  • Notify the appropriate supervisory authority about the breach within 72 hours with all the information you have. Usually, the breach notification must include the categories and the approximate number of users concerned; the categories and the approximate number of personal data records affected; any action taken, or measures planned, by the company in response to the breach, including measures to mitigate its possible adverse effects.
  • Notify the affected users if there is an increased risk to users’ rights and freedoms as a result of the breach, including what they can do to protect their data.
  • Update your policies and procedures to prevent future security breaches on your website.
  • Prepare a plan of action if another data breach happens or is likely to happen in the future.

Do you have a US-based business? Check this compliance checklist for GDPR in the US.

Here is a summarized GDPR compliance checklist for quick reference:

gdpr compliance checklist for website infographic

What’s next?

Read how CookieYes’ powerful features help your website tick off the GDPR cookie compliance checklist.

Frequently asked questions

What are the basic requirements of GDPR?

The basic requirement is to collect and process the personal data of users fairly, securely and lawfully for a lawful purpose and disclose details about how you handle the data to users. Data must be collected for specific, explicit and lawful purposes and not further processed in a way incompatible with those purposes. The data must be adequate, relevant and limited to what is necessary for the purpose for which it is processed. Organizations are responsible for allowing users to exercise their rights over their data and notify them about data breaches within 72 hours with relevant information.

What are the 7 principles of GDPR?

  1. Lawfulness, fairness, and transparency: Process personal data in a legal and fair manner, and inform individuals about how their data will be used.
  2. Purpose limitation: Collect data for specific and legitimate reasons only and do not use it for anything else.
  3. Data minimization: Organizations should only collect and use the minimum amount of personal data necessary for their intended purposes.
  4. Accuracy: Keep personal data accurate and up to date, and correct them if necessary.
  5. Storage limitation: Do not store data for longer than necessary and delete or anonymize them once their purpose is fulfilled.
  6. Integrity and confidentiality: Protect personal data from unauthorized access, loss, or disclosure through appropriate security measures.
  7. Accountability: Organizations are responsible for following the GDPR principles and should be able to demonstrate their compliance.

What is a GDPR compliance checklist?

A GDPR compliance checklist, such as the one provided in this article, is a list of things you need to do to be compliant with the GDPR. It is a useful tool for your business to ensure that all areas of your organization are complying with the law. It will help you identify the areas of improvement and highlight any areas where you might have gaps in information or data protection processes and procedures. 

What is the maximum penalty for non-compliance with the GDPR?

The maximum fine one can get for non-compliance with the GDPR is up to €20 million or 4% of the annual global turnover, whichever is greater. In some cases, it will not stop with a financial penalty. The authorities may ask you to delete the personal data you hold or stop processing it.

How to be GDPR compliant?

If you want to make sure that you are fully GDPR compliant, you need to take a privacy-first approach and keep the following checklist in mind:

  • Be transparent about your data processing practices
  • Collect and use personal data fairly and lawfully
    Get consent to collect data wherever relevant
  • Allow users to access, correct, and delete their data
  • Let users manage their data
    Ensure technology meets regulatory compliance requirements
  • Keep personal data safe and secure
  • Have a privacy policy that is easy to find and read
  • Review third-party services and vendors and ensure they are GDPR-compliant.

Disclaimer: This GDPR compliance checklist is intended as a general guide only. It should not be construed as legal advice, and readers should consult a lawyer in their jurisdiction with any specific legal questions they may have.