March 20, 2026 · ComplyScan Team
The Complete GDPR Compliance Checklist for Website Owners
GDPR compliance isn't a one-time project you can tick off and forget. It's an ongoing responsibility that requires regular check-ins as your website evolves, new tools are added, and regulations are clarified. Whether you're building a new site or auditing an existing one, this checklist covers every major GDPR requirement that applies to website operators.
1. Cookie Consent Banner
- A cookie consent banner or pop-up is displayed on first visit before any non-essential cookies are set
- The banner clearly explains the purpose of each cookie category
- Users can accept all, reject all, or customize their preferences
- The "reject all" option is as prominent and easy as "accept all"
- No cookies are set before consent is obtained (except strictly necessary ones)
- Analytics, advertising, and tracking scripts are blocked until consent is given
- A mechanism exists for users to withdraw consent as easily as they gave it (usually a link in the footer)
- Consent records are stored with timestamp, cookie version, and user preferences
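As an added example (not ComplyScan's code) of how the "blocked until consent" and "consent records" items above can be implemented in the browser, assuming a cookie named cookie_consent, three categories ("necessary", "analytics", "marketing"), and tracking tags shipped as inert type="text/plain" placeholders with data-consent and data-src attributes:

```javascript
// Added example, not ComplyScan's code. Assumed: cookie name "cookie_consent"; categories
// "necessary" / "analytics" / "marketing"; tracking tags written as
// <script type="text/plain" data-consent="analytics" data-src="..."> so the browser never runs them un-gated.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 3; // bump whenever cookie purposes change so stale consents are re-asked

// The record the checklist calls for: timestamp, cookie version, and the user's preferences.
// Anything not explicitly opted in is stored as rejected (checkboxes are unchecked by default).
function makeConsentRecord(prefs, now = Date.now()) {
  return {
    version: CONSENT_VERSION,
    timestamp: new Date(now).toISOString(),
    necessary: true, // strictly necessary cookies are never subject to consent
    analytics: prefs.analytics === true,
    marketing: prefs.marketing === true,
  };
}

// Missing, malformed, or older-version records all mean "no consent yet".
function parseConsentRecord(raw) {
  let rec = null;
  try { rec = raw ? JSON.parse(raw) : null; } catch (_) { return null; }
  return rec && typeof rec === "object" && rec.version === CONSENT_VERSION ? rec : null;
}

// Extract the record from a document.cookie string (pure, so it is testable without a DOM).
function readConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return parseConsentRecord(decodeURIComponent(rest.join("=")));
  }
  return null;
}

// Default deny: with no valid record only the "necessary" category may run.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  return record !== null && record[category] === true;
}

// Replace each consented placeholder with a real <script> so the browser executes it;
// non-consented placeholders stay inert. Returns the categories that were activated.
function activateConsentedScripts(doc, record) {
  const activated = [];
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    const category = el.getAttribute("data-consent");
    if (!isAllowed(record, category)) continue;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated.push(category);
  }
  return activated;
}
```

On page load, call activateConsentedScripts(document, readConsentCookie(document.cookie)); when the user saves preferences, write makeConsentRecord(prefs) into the cookie and call it again.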
2. Privacy Policy
- A privacy policy is accessible from every page (typically in the footer)
- The policy identifies the data controller and contact information
- All categories of personal data collected are listed (name, email, IP address, behavioral data, etc.)
- The legal basis for processing each category is stated (consent, contract, legitimate interest, or legal obligation)
- Data retention periods are specified for each data category
- All third-party data recipients are named (analytics providers, payment processors, email tools, etc.)
- Users are informed of their right to lodge a complaint with a supervisory authority
- The policy is written in clear, plain language—not dense legalese
- The policy is updated whenever data processing practices change
3. Data Processing Agreements (DPAs)
- A signed DPA is in place with every vendor that processes personal data on your behalf
- DPAs cover: Google (Analytics, Ads, Tag Manager, Firebase), Meta (Facebook Pixel, Instagram), Stripe, Mailchimp/Resend, Intercom or similar support tools, any CRM or marketing automation platform
- DPAs are reviewed and renewed annually or when vendor terms change
- The list of active processors is documented and available on request
4. Forms and User Inputs
- Every form field collecting personal data has a clear, descriptive label
- All consent checkboxes are unchecked by default
- Consent checkboxes use explicit opt-in language ("I agree to receive marketing emails"), not pre-selected or implied consent
- No hidden form fields that collect data without disclosure
- Form submissions are only used for the stated purpose
5. Data Subject Rights Process
- A process exists to handle data subject access requests (DSARs) within 30 days
- Users can request: access to their data, correction of inaccurate data, deletion ("right to be forgotten"), restriction of processing, data portability, objection to processing
- Contact information for rights requests is clearly published (typically privacy policy or a dedicated email)
- A process exists to handle voluntary data disclosure to users upon request
- A process exists to erase user data upon request from all connected systems (backups included)
6. Technical Security
- HTTPS is enforced site-wide (no mixed content issues)
- Form submissions are transmitted over encrypted connections
- Access to any admin or backend systems is restricted and logged
- Databases and file storage containing personal data are secured
7. Data Breach Preparedness
- A data breach response plan exists with defined steps and responsibilities
- Breaches affecting user rights must be reported to the relevant supervisory authority within 72 hours
- High-risk breaches must also be communicated to affected users without undue delay
8. Record of Processing Activities (Article 30)
- A written record of all data processing activities is maintained
- The record includes: purpose of processing, data categories, recipient categories, retention periods, and security measures
Automate Your GDPR Audit
Working through this checklist manually is time-consuming and error-prone. An automated GDPR compliance scanner can check your site against dozens of specific requirements in minutes, flagging issues before they become violations. ComplyScan audits your cookie consent implementation, privacy policy completeness, tracking script behavior, and more, delivering a structured report with fix recommendations.
Don't risk a GDPR violation.
Run a free automated scan to find compliance gaps on your website.