GDPR Compliance Checklist for Websites

A practical checklist for making your website GDPR-compliant — covering data inventory, consent, privacy policies, and data subject rights.

At a glance

Difficulty: beginner
Time estimate: 1-3 hours
Last updated: 22/02/2025

Disclosure

This playbook may include affiliate links to supporting tools.

Summary

GDPR compliance for websites involves more than just adding a cookie banner. This checklist covers the six key areas you need to address: data inventory, legal basis, consent collection, privacy policy, data subject rights, and third-party processors. Work through each section to identify gaps and build a remediation plan.

Prerequisites Checklist

  • Your website is live and collects some form of personal data
  • You have access to your website’s admin panel or code
  • You know which third-party services your site uses (analytics, email, ads)
  • You have authority to update your privacy policy

Section 1: Data Inventory

Before you can comply with GDPR, you need to know what data you collect.

Checklist

  • List all personal data your site collects (names, emails, IP addresses, device IDs, cookie data)
  • Identify where each data type is stored (database, email provider, analytics platform, CRM)
  • Document how long you keep each data type (retention periods)
  • Map data flows — where does data go after collection? (internal systems, third parties, other countries)
  • Identify special-category data, if any (Article 9: health, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation)

How to do it

  1. Run a Cookie Audit to identify all cookies and trackers
  2. Review your contact forms, signup forms, and checkout flows
  3. Check your analytics, CRM, and email tools for what data they collect
  4. Document everything in a spreadsheet with columns: data type, source, purpose, storage location, recipients (internal teams and third parties), retention period, legal basis. This doubles as the Article 30 record of processing that many controllers must keep.

Time estimate: 30-60 minutes
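
The cookie-audit step above can be scripted once you have captured the Set-Cookie headers your site and its embedded third parties send. The example below is added here and is not the playbook's own tool: it parses captured headers, tells first-party from third-party cookies, works out lifetimes, and flags anything non-essential set before the visitor has made a consent choice. The site host, the strictly-necessary allowlist and the capture itself are constructed assumptions.

```javascript
// Added example for the cookie-audit step; not the playbook's own tool.
// Input: Set-Cookie headers captured (e.g. from a proxy or browser devtools)
// on two loads of your site, one before touching the consent banner and one
// after accepting. The capture below is constructed sample data.

const SITE_HOST = "www.example.com"; // assumed: the site under audit

// Assumed allowlist of strictly necessary cookies that may be set before consent.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent"]);

// 13 months is the CNIL benchmark for cookie lifetime; longer needs justification.
const MAX_LIFETIME_SECONDS = 13 * 30 * 86400;

// Registrable-domain approximation: the last two labels. Good enough for
// .com/.net; multi-part public suffixes such as co.uk need a public-suffix list.
function baseDomain(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value. responseHost is the host that sent it;
// now (ms since epoch) turns an Expires= date into a remaining lifetime.
function parseSetCookie(header, responseHost, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: responseHost.toLowerCase(), // host-only unless Domain= is present
    maxAgeSeconds: null,                // null = session cookie
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  let expiresSeconds = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAgeSeconds = Number(val);
    else if (key === "expires") expiresSeconds = Math.round((Date.parse(val) - now) / 1000);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  if (cookie.maxAgeSeconds === null) cookie.maxAgeSeconds = expiresSeconds;
  return cookie;
}

// Classify each captured cookie and list what needs attention.
function auditCookies(records, { siteHost = SITE_HOST, now = Date.now() } = {}) {
  return records.map((r) => {
    const c = parseSetCookie(r.setCookie, new URL(r.url).hostname, now);
    const thirdParty = baseDomain(c.domain) !== baseDomain(siteHost);
    const persistent = c.maxAgeSeconds !== null && c.maxAgeSeconds > 0;
    const issues = [];
    if (r.phase === "pre-consent" && !STRICTLY_NECESSARY.has(c.name)) {
      issues.push(thirdParty ? "third-party cookie set before consent"
                             : "non-essential cookie set before consent");
    }
    if (persistent && c.maxAgeSeconds > MAX_LIFETIME_SECONDS) issues.push("lifetime over 13 months");
    if (!c.secure) issues.push("missing Secure attribute");
    return {
      name: c.name, domain: c.domain, phase: r.phase, thirdParty, persistent,
      lifetimeDays: persistent ? Math.round(c.maxAgeSeconds / 86400) : 0, issues,
    };
  });
}

// Constructed capture: the site sets a session cookie and an analytics cookie on
// first load, and a pixel on another domain sets a cookie before and after consent.
const SAMPLE_CAPTURE = [
  { phase: "pre-consent", url: "https://www.example.com/",
    setCookie: "session_id=9f1c0a7e; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { phase: "pre-consent", url: "https://www.example.com/",
    setCookie: "_ga=GA1.2.1234567890; Max-Age=63072000; Path=/; Domain=.example.com" },
  { phase: "pre-consent", url: "https://ads.tracker-example.net/pixel.gif",
    setCookie: "uid=a1b2c3; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None" },
  { phase: "post-consent", url: "https://ads.tracker-example.net/pixel.gif",
    setCookie: "uid=a1b2c3; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None" },
];

// Fixed clock so the Expires= arithmetic is reproducible.
const FIXED_NOW = Date.parse("2025-02-22T00:00:00Z");

function runAudit() {
  return auditCookies(SAMPLE_CAPTURE, { now: FIXED_NOW });
}

for (const f of runAudit()) {
  console.log(`${f.name} (${f.domain}, ${f.phase}) ${f.issues.length ? "-> " + f.issues.join("; ") : "ok"}`);
}
```

The findings feed straight into the inventory spreadsheet: the cookie name, domain and lifetime become the data type, source and retention period, and every "set before consent" finding is a gap for Section 3. Run the capture from a fresh browser profile, because cookies already present from an earlier visit hide exactly the pre-consent behaviour you are looking for.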

Section 2: Legal Basis

Every piece of personal data you process needs a legal basis under GDPR Article 6.

Checklist

  • Consent — used for marketing emails, analytics cookies, ad tracking
  • Contractual necessity — used for order processing, account creation
  • Legitimate interest — used for fraud prevention, basic security logging (only with a documented balancing test)
  • Legal obligation — used for tax records, regulatory reporting
  • Each data processing activity has a documented legal basis

How to do it

For each item in your data inventory, assign one of the six GDPR legal bases. Most websites will use:

  • Consent for: marketing cookies, newsletter signups, ad tracking
  • Contract for: account data, order processing, service delivery
  • Legitimate interest for: security logs, fraud prevention, and cookie-less or aggregated first-party analytics (with a documented balancing test). Note that storing or reading anything on the visitor's device that is not strictly necessary, including analytics cookies, still needs consent under the ePrivacy rules, whichever Article 6 basis covers the processing that follows.

Time estimate: 15-30 minutes

Section 3: Consent Collection

If consent is your legal basis, it must meet the GDPR Article 7 standard.

Checklist

  • Cookie consent banner is implemented with accept and reject options
  • No non-essential cookies, local storage entries or tracking scripts are set or loaded before consent (strictly necessary ones excepted)
  • Consent is freely given — no pre-ticked boxes, no bundled consent
  • Consent is specific — separate consent for different purposes
  • Consent is informed — users know what they’re agreeing to
  • Consent can be withdrawn as easily as it was given
  • Consent records are stored with a timestamp, the purposes chosen and the policy version shown at the time, so you can demonstrate consent (Article 7(1))
  • Newsletter signup uses double opt-in (not spelled out in the GDPR text, but expected by regulators and courts in some EU countries, notably Germany, as proof that the address owner consented)
  • Marketing consent is separate from terms acceptance

How to do it

  1. Use our Cookie Consent Banner Setup playbook
  2. Implement a CMP — use the CMP Selector Tool to find the right one
  3. Set up double opt-in for email signups
  4. Ensure all forms have clear, unbundled consent checkboxes

Time estimate: 30-60 minutes (if using a CMP)
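
Whatever CMP you pick, the behaviour the checklist asks for comes down to a small amount of logic: nothing optional runs until there is a decision, every purpose is answered explicitly, withdrawal is one action, and each decision is recorded with a timestamp and the policy version it was given against. The example below is added here to show that logic; it is not the playbook's code and not any particular CMP. The browser pieces (storage, script loading, the clock) are injected so it can be exercised outside a browser, and the purposes, script URLs and policy version are assumed placeholders.

```javascript
// Added example of the consent-gating logic, not the playbook's code and not
// any particular CMP. Browser dependencies (storage, script loading, clock)
// are injected so the logic can be tested outside a browser. Purposes, script
// URLs and the policy version are assumed placeholders.

const PURPOSES = ["analytics", "marketing"]; // strictly necessary cookies need no consent
const POLICY_VERSION = "2025-02";            // bump whenever the cookie policy changes
const STORAGE_KEY = "cookie_consent";

// Scripts that may only load once their purpose has consent (assumed URLs).
const GATED_SCRIPTS = {
  analytics: ["https://analytics.example.net/tag.js"],
  marketing: ["https://ads.example.net/pixel.js"],
};

function createConsentManager({ storage, loadScript, now }) {
  const loaded = new Set();

  // A stored record only counts if it was given against the current policy version.
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  // No decision yet means "no" for every optional purpose.
  function choices() {
    const rec = read();
    return Object.fromEntries(PURPOSES.map((p) => [p, rec ? rec.choices[p] === true : false]));
  }

  // Persist a decision. Every purpose must be answered explicitly (no pre-ticked
  // defaults); timestamp, policy version and the UI path are kept as evidence.
  function record(answers, via) {
    const chosen = {};
    for (const p of PURPOSES) {
      if (typeof answers[p] !== "boolean") throw new Error(`no explicit choice for purpose "${p}"`);
      chosen[p] = answers[p];
    }
    const rec = { version: POLICY_VERSION, timestamp: new Date(now()).toISOString(), via, choices: chosen };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    applyChoices();
    return rec;
  }

  const all = (value) => Object.fromEntries(PURPOSES.map((p) => [p, value]));
  function acceptAll() { return record(all(true), "accept-all"); }
  function rejectAll() { return record(all(false), "reject-all"); }
  // Withdrawal is one action, the same effort as accepting. Scripts already in
  // the page cannot be unloaded; the new record stops them on the next load and
  // server-side processing must honour it immediately.
  function withdraw() { return record(all(false), "withdraw"); }

  // Load each gated script at most once, and only for purposes with consent.
  function applyChoices() {
    const c = choices();
    for (const p of PURPOSES) {
      if (!c[p]) continue;
      for (const url of GATED_SCRIPTS[p]) {
        if (!loaded.has(url)) { loaded.add(url); loadScript(url); }
      }
    }
  }

  return { choices, record, acceptAll, rejectAll, withdraw, applyChoices,
           needsBanner: () => read() === null, loadedScripts: () => [...loaded] };
}

// In-memory stand-in for window.localStorage.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Walk through a visit: page load with no decision, a partial accept, then withdrawal.
function demoVisit() {
  const storage = memoryStorage();
  const loads = [];
  let clock = Date.parse("2025-02-22T10:00:00Z");
  const cm = createConsentManager({ storage, loadScript: (url) => loads.push(url), now: () => clock });
  cm.applyChoices();                    // first paint: nothing optional runs
  const loadedBeforeDecision = loads.length;
  const rec = cm.record({ analytics: true, marketing: false }, "banner");
  clock += 60 * 1000;
  cm.withdraw();
  return { loadedBeforeDecision, loads: [...loads], rec, final: cm.choices(), needsBanner: cm.needsBanner() };
}

console.log(JSON.stringify(demoVisit(), null, 2));
```

In a real page you would pass `storage: window.localStorage`, a `loadScript` that appends a `<script>` element to `document.head`, and `now: Date.now`, call `applyChoices()` before any tag manager runs, and show the banner whenever `needsBanner()` is true. The record a user's browser holds is only half of the evidence the checklist asks for: send the same record to a server-side consent log if you need to demonstrate consent after the browser profile is gone. Bumping `POLICY_VERSION` when the cookie policy changes is what forces re-consent, which is the simplest way to satisfy the "informed" requirement after a material change.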

Section 4: Privacy Policy

Your privacy policy must be comprehensive, accurate, and understandable.

Checklist

  • Privacy policy exists and is accessible from every page (footer link)
  • Identity of the data controller — your company name, address, contact details
  • DPO contact information (if applicable; Article 37 requires a DPO for public authorities and for controllers whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category data)
  • What data you collect — listed by category
  • Why you collect it — purpose for each category
  • Legal basis for each processing activity
  • Who you share data with — third parties named or categorized
  • International transfers — disclosed with safeguards explained (adequacy decisions, including the EU-US Data Privacy Framework, or SCCs)
  • Retention periods — how long you keep each data type
  • User rights — how to exercise them (access, rectification, erasure, restriction, portability, objection) and the right to lodge a complaint with a supervisory authority
  • Cookie information — either in the policy or a separate cookie policy
  • Last updated date is shown and is current
  • Written in plain language — not legalese

How to do it

  1. Use a privacy policy generator (iubenda includes one) as a starting point
  2. Customize it with your specific data processing activities from Section 1
  3. Have it reviewed by someone with GDPR knowledge
  4. Link it in your site footer, consent banner, and all forms that collect data

Time estimate: 30-60 minutes

Section 5: Data Subject Rights

GDPR gives individuals specific rights over their data. You need processes to handle these.

Checklist

  • Right of access — users can request a copy of their data
  • Right to rectification — users can correct inaccurate data
  • Right to erasure — users can request deletion (“right to be forgotten”)
  • Right to data portability — users can get their data in machine-readable format
  • Right to restrict processing — users can limit how you use their data
  • Right to object — users can object to processing based on legitimate interest
  • You have a process to respond without undue delay and within one month of receipt (Article 12(3); extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
  • You have a contact method for requests (email, form, or portal) and verify the requester's identity before releasing or deleting anything; an access request is also a convenient way for an attacker to pull someone else's records
  • Your team knows how to handle requests

How to do it

  1. Add a “Data Rights” or “Privacy Requests” contact method to your privacy policy
  2. Create an internal process document for handling requests
  3. Set up email templates for common responses (access, deletion confirmation)
  4. Ensure you can actually export and delete user data from all systems where it’s stored
  5. Test the process end-to-end with a sample request

Time estimate: 30-45 minutes (process setup)
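
Step 4 is where most sites fail the end-to-end test in step 5: the data lives in several systems and the request handler only knows about one of them. The example below is added here (it is not the playbook's tooling) to show the shape of a request handler that is driven by the Section 1 inventory rather than by memory: it computes the Article 12(3) deadlines, builds one machine-readable export across every system, and erases everywhere except where a legal obligation blocks it, then re-checks. The systems and rows are constructed in-memory stand-ins, and it assumes the requester's identity has already been verified.

```javascript
// Added example of a DSAR fulfilment helper driven by the data inventory from
// Section 1; not the playbook's own tooling. Systems and rows are constructed
// in-memory stand-ins: in production each entry would wrap the real system's
// API, and the inventory would be loaded from your records of processing.

// Article 12(3): respond within one month of receipt, extendable by two further
// months for complex or numerous requests (the subject must be told about the
// extension within the first month). Calendar months, clamped to month end.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const dayOfMonth = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(dayOfMonth, lastDay));
  return d;
}

function responseDeadlines(receivedIso) {
  const received = new Date(receivedIso);
  return {
    standard: addMonths(received, 1).toISOString().slice(0, 10),
    extended: addMonths(received, 3).toISOString().slice(0, 10),
  };
}

// Constructed inventory: one entry per system that holds personal data, keyed
// by email. legalHold names the legal obligation that blocks erasure, if any.
const SAMPLE_SYSTEMS = [
  { name: "web-db", retention: "until account deletion", legalHold: null,
    rows: [{ email: "ana@example.org", name: "Ana", signupIp: "203.0.113.7" }] },
  { name: "newsletter", retention: "until unsubscribe", legalHold: null,
    rows: [{ email: "ana@example.org", consentedAt: "2024-11-02T09:14:00Z", doubleOptIn: true }] },
  { name: "orders", retention: "statutory accounting period",
    legalHold: "tax and accounting records (Article 17(3)(b))",
    rows: [{ email: "ana@example.org", orderId: "A-1001", total: "49.00 EUR" }] },
  { name: "crm", retention: "24 months after last contact", legalHold: null,
    rows: [{ email: "bob@example.org", company: "Example Ltd" }] },
];

function rowsFor(system, email) {
  return system.rows.filter((r) => r.email === email);
}

// Right of access / portability: one machine-readable bundle covering every
// system in the inventory, containing nothing about other subjects.
function exportSubjectData(systems, email, generatedAt) {
  const bundle = { subject: email, generatedAt, systems: {} };
  for (const s of systems) {
    const records = rowsFor(s, email);
    if (records.length) bundle.systems[s.name] = { retention: s.retention, records };
  }
  return bundle;
}

// Right to erasure: delete everywhere except where a legal obligation requires
// retention, report what was kept and why, then re-check every system.
function eraseSubjectData(systems, email) {
  const erased = [];
  const retained = [];
  for (const s of systems) {
    if (!rowsFor(s, email).length) continue;
    if (s.legalHold) { retained.push({ system: s.name, reason: s.legalHold }); continue; }
    s.rows = s.rows.filter((r) => r.email !== email);
    erased.push(s.name);
  }
  const stillPresent = systems.filter((s) => rowsFor(s, email).length).map((s) => s.name);
  return { erased, retained, stillPresent };
}

// One end-to-end request against a fresh copy of the sample inventory.
function demoRequest() {
  const systems = JSON.parse(JSON.stringify(SAMPLE_SYSTEMS));
  const received = "2025-01-31T15:00:00Z";
  const deadlines = responseDeadlines(received);
  const exported = exportSubjectData(systems, "ana@example.org", received);
  const erasure = eraseSubjectData(systems, "ana@example.org");
  return { deadlines, exported, erasure };
}

console.log(JSON.stringify(demoRequest(), null, 2));
```

The `stillPresent` list after erasure should equal the `retained` systems and nothing else; if a system shows up there that is not on legal hold, the inventory or the deletion hook for that system is wrong, which is precisely what the end-to-end test in step 5 is meant to catch. Backups and logs that still contain the subject need their own retention entry in the inventory and a sentence in the response explaining when they expire.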

Section 6: Third-Party Processors

Any service that processes personal data on your behalf must be managed under GDPR.

Checklist

  • List all third-party services that handle personal data (analytics, email, hosting, payment, ads, CRM)
  • Data Processing Agreements (DPAs) are in place with each processor
  • Each processor offers GDPR terms, publishes its sub-processor list and names its transfer mechanism (check its trust or privacy page rather than relying on a “GDPR compliant” badge)
  • International transfers are covered — EU-hosted services, or an adequacy decision (including EU-US Data Privacy Framework certification) or SCCs backed by a transfer impact assessment
  • Sub-processors are documented — know who your processors share data with
  • You review processors periodically — at least annually

Common third-party services to check

Service           | Typical data                 | Check for
Google Analytics  | IP, device, behaviour        | transfer mechanism (DPF/SCCs), data retention setting, Consent Mode v2
Email provider    | names, emails                | DPA, EU hosting option
Payment processor | card details, addresses      | PCI DSS, DPA
Hosting provider  | all site data                | DPA, EU data centres, certifications
CRM               | contact data                 | DPA, data export capability
Ad platforms      | tracking data, conversions   | Consent Mode, DPA

How to do it

  1. List every third-party service from your data inventory
  2. Check each provider’s GDPR/privacy page for DPA availability
  3. Sign DPAs where you haven’t already (most offer them as self-service downloads)
  4. For US-based services, verify they offer EU hosting or a valid transfer mechanism (EU-US Data Privacy Framework certification, or SCCs backed by a transfer impact assessment)
  5. Use the EU Data Residency Tool to assess whether EU-only hosting would simplify your setup

Time estimate: 30-60 minutes

Failure Modes

Treating the cookie banner as the whole job

Reality: A cookie banner is one small piece. GDPR covers all personal data processing, not just cookies. You still need a proper privacy policy, data subject rights processes, DPAs, and more.

Relying on “legitimate interest” for everything

Reality: Legitimate interest requires a documented balancing test and a way for users to object. It cannot be used for marketing cookies, ad tracking, or data sharing with third parties without proper justification, and non-essential cookies need consent under the ePrivacy rules whatever Article 6 basis you claim for the processing behind them.

Privacy policy copied from another site

Reality: Your privacy policy must accurately reflect your specific data processing. A copied policy will likely contain inaccurate information, which itself is a GDPR violation.

Disclosure: We may earn a commission if you sign up for recommended tools through our links. This never affects our recommendations or methodology.