TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Compliance Checklist for Websites (2026)
GDPR

GDPR Compliance Checklist for Websites (2026)

Use this GDPR compliance checklist to audit your website. Covers lawful basis, consent, data rights, DPIAs, and breach procedures.

TermsBox Team|April 4, 2026Updated July 17, 202611 min read

A GDPR compliance checklist gives you a structured way to verify that your website meets every requirement of the General Data Protection Regulation. Whether you are launching a new site or auditing an existing one, working through each item systematically reduces the risk of enforcement action.

This article is educational content, not legal advice. Consult a qualified attorney or data protection professional for guidance specific to your situation.

What GDPR Compliance Means for Websites

The General Data Protection Regulation (Regulation (EU) 2016/679) applies to any website that collects or processes personal data from individuals in the European Union or European Economic Area. Personal data includes names, email addresses, IP addresses, cookie identifiers, and any information that can identify a natural person directly or indirectly.

Non-compliance carries significant consequences. Under Article 83 of the GDPR, supervisory authorities can impose fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. Beyond fines, enforcement actions can include processing bans, mandatory audits, and reputational damage that erodes customer trust.

GDPR Compliance Checklist: Lawful Basis

Before processing any personal data, you must identify and document a lawful basis under Article 6 of the GDPR. The six lawful bases are:

  1. Consent: The individual has given clear, affirmative consent for a specific purpose
  2. Contract: Processing is necessary to perform a contract with the individual
  3. Legal obligation: Processing is required to comply with a law
  4. Vital interests: Processing is necessary to protect someone's life
  5. Public task: Processing is necessary for a task in the public interest
  6. Legitimate interests: Processing is necessary for your legitimate interests, balanced against the individual's rights

For most websites, the relevant bases are consent (for marketing emails, analytics cookies, and advertising), contract (for account creation and order fulfillment), and legitimate interests (for fraud prevention and basic security).

Action items

  • List every processing activity on your website
  • Assign a lawful basis to each activity
  • Document why each basis applies
  • If relying on legitimate interests, complete a Legitimate Interests Assessment (LIA)

Privacy Policy and Notices

Articles 13 and 14 of the GDPR require you to inform individuals about your data processing at the point of collection, a duty that flows directly from how data protection law shapes your privacy policy. Your privacy policy must include:

  • Your identity and contact details (and your DPO's contact details if you have one)
  • The categories of personal data you collect
  • The purposes and lawful basis for each processing activity
  • Any recipients or categories of recipients who receive the data
  • Details of international data transfers and safeguards
  • Data retention periods or criteria for determining them
  • Individual rights (access, rectification, erasure, restriction, portability, objection)
  • The right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority

Use the privacy policy generator to create a baseline document that covers these requirements, then customize it to match your specific processing activities.

Action items

  • Publish a privacy policy that covers all Article 13 requirements
  • Link the privacy policy from your website footer, signup forms, and checkout
  • Review the policy whenever you add a new data collection point
  • Provide layered notices (short notice at point of collection, full policy accessible via link)

Cookie Consent and Tracking

The ePrivacy Directive (2002/58/EC), enforced alongside GDPR, requires prior consent before placing non-essential cookies or similar tracking technologies on a user's device. Strictly necessary cookies, such as session cookies for login functionality, are exempt.

Your cookie consent mechanism must meet these criteria:

  • Prior consent: Non-essential cookies must not fire until the user gives consent
  • Granular choices: Users must be able to accept or reject cookies by category (analytics, marketing, functional)
  • No dark patterns: The reject option must be as easy to select as the accept option
  • Record keeping: Store proof of consent (timestamp, version of the prompt, choices made)
  • Easy withdrawal: Users must be able to change their cookie preferences at any time

Action items

  • Implement a consent management platform (CMP) that blocks non-essential cookies by default
  • Categorize all cookies on your site (strictly necessary, analytics, marketing, functional)
  • Create a cookie policy that lists each cookie, its purpose, and duration
  • Test that scripts respect user choices (verify no analytics or ad cookies fire when rejected)
  • Provide a persistent link to reopen cookie preferences

GDPR Compliance Checklist: Data Subject Rights

Chapter III of the GDPR grants individuals eight rights over their personal data. Your website must have procedures to handle requests for each:

  1. Right of access (Article 15): Provide a copy of their personal data within one month
  2. Right to rectification (Article 16): Correct inaccurate data without undue delay
  3. Right to erasure (Article 17): Delete data when there is no compelling reason to keep it
  4. Right to restrict processing (Article 18): Limit how you use data while a dispute is resolved
  5. Right to data portability (Article 20): Provide data in a structured, machine-readable format
  6. Right to object (Article 21): Stop processing based on legitimate interests upon objection
  7. Right related to automated decision-making (Article 22): Allow human review of automated decisions
  8. Right to withdraw consent: Allow consent withdrawal as easily as it was given

Action items

  • Create an internal procedure for verifying and responding to data subject requests
  • Set up a dedicated contact channel (email address or web form) for rights requests
  • Train staff to recognize and route requests within the one-month response deadline
  • Test your erasure process end-to-end, including backups and third-party vendors

Records of Processing Activities

Article 30 of the GDPR requires organizations to maintain a Record of Processing Activities (ROPA). While there is a partial exemption for organizations with fewer than 250 employees, it only applies if processing is occasional, low-risk, and does not involve special category data. In practice, most websites that use analytics, marketing, or customer accounts should maintain a ROPA.

Your ROPA should document:

  • The name and contact details of the controller (and DPO if applicable)
  • The purposes of each processing activity
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • A general description of technical and organizational security measures

Action items

  • Create a ROPA spreadsheet or use a dedicated tool
  • Include every processing activity from your data mapping exercise
  • Assign an owner responsible for keeping the ROPA current
  • Review and update the ROPA at least annually

Data Protection Impact Assessments

Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals. Common triggers for websites include:

  • Large-scale profiling or tracking of user behavior
  • Systematic monitoring of publicly accessible areas
  • Processing special category data (health, biometric, political opinions)
  • Combining datasets from multiple sources in ways individuals would not expect
  • Using new technologies for data collection

A DPIA must describe the processing, assess its necessity and proportionality, evaluate risks to individuals, and identify measures to mitigate those risks. If residual risk remains high after mitigation, you must consult your supervisory authority before proceeding.

Action items

  • Identify processing activities that require a DPIA
  • Complete DPIAs before launching high-risk features
  • Document the outcome and any mitigations applied
  • Revisit DPIAs when processing changes significantly

Breach Notification Procedures

Articles 33 and 34 of the GDPR establish strict timelines for data breach notification:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Supervisory authority: Notify within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
  • Affected individuals: Notify without undue delay if the breach is likely to result in a high risk to their rights and freedoms

Your breach response plan should include:

  • A clear definition of what constitutes a personal data breach
  • An internal escalation procedure with named responsible contacts
  • A template notification for the supervisory authority that includes the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken
  • A template notification for affected individuals in plain language
  • A breach register to document all incidents, even those that do not require notification

Action items

  • Draft a breach response plan with roles, timelines, and escalation paths
  • Create notification templates for supervisory authorities and individuals
  • Maintain a breach register for all incidents
  • Run a tabletop exercise at least once per year

Vendor and Processor Agreements

Article 28 of the GDPR requires a written contract with every data processor that handles personal data on your behalf. This includes analytics providers, email marketing platforms, hosting companies, payment processors, and any SaaS tool that touches user data.

Each Data Processing Agreement (DPA) must specify:

  • The subject matter, duration, nature, and purpose of processing
  • The type of personal data and categories of data subjects
  • The controller's obligations and rights
  • Requirements for the processor regarding confidentiality, security, sub-processors, audits, and data return or deletion

Action items

  • List all third-party vendors that process personal data for your website
  • Verify that a signed DPA is in place with each vendor
  • Review DPAs for compliance with Article 28 requirements
  • Establish a process for approving new sub-processors

International Data Transfers

Chapter V of the GDPR restricts transfers of personal data to countries outside the EEA unless adequate safeguards are in place. Common transfer mechanisms include:

  • Adequacy decisions: The European Commission has recognized certain countries as providing adequate protection (including the EU-US Data Privacy Framework since July 2023)
  • Standard Contractual Clauses (SCCs): Pre-approved contract terms for transfers to non-adequate countries
  • Binding Corporate Rules (BCRs): For intra-group transfers within multinational organizations

If you use US-based services like Google Analytics, AWS, or Cloudflare, verify that transfers are covered by the Data Privacy Framework or SCCs. Document the transfer mechanism for each vendor in your ROPA.

Action items

  • Identify all international data transfers from your website
  • Verify the transfer mechanism for each (adequacy decision, SCCs, or BCRs)
  • Conduct a Transfer Impact Assessment where required
  • Monitor adequacy decisions for changes that could affect your transfers

Ongoing GDPR Compliance Monitoring

Compliance is not a one-time project. Schedule regular reviews to keep your website aligned with GDPR requirements:

  • Quarterly: Review consent rates, data subject request logs, and breach register
  • Biannually: Audit cookie scanning results and update your cookie policy
  • Annually: Full GDPR compliance checklist review, ROPA update, vendor DPA review, and staff training refresh

Automated tools can reduce the manual effort. A compliance scanner can detect new cookies and trackers added to your site, flag changes that require consent updates, and alert you to policy gaps. TermsBox provides automated website scanning and a cookie consent banner that keeps your privacy policy aligned with what your site actually does.

Frequently Asked Questions

How many GDPR compliance steps are there?

There is no fixed number. The regulation contains 99 articles, but a practical website compliance checklist typically covers eight to 12 areas: lawful basis, privacy notices, consent management, data subject rights, records of processing, data protection impact assessments, breach procedures, and vendor contracts.

Do small businesses need to comply with GDPR?

Yes. GDPR applies to any organization that processes personal data of individuals in the EU or EEA, regardless of company size or location. Fines can reach 20 million EUR or 4% of global annual turnover, whichever is higher, under Article 83.

How often should I review my GDPR compliance checklist?

Review at least once per year and after any significant change to your data processing activities, website features, or vendor relationships. Regulatory guidance also evolves, so monitoring supervisory authority updates is a best practice.

Is a cookie consent banner enough for GDPR compliance?

No. A cookie banner addresses only one part of GDPR, specifically consent for non-essential cookies under the ePrivacy Directive. Full compliance also requires a lawful basis for every processing activity, a complete privacy policy, data subject rights procedures, vendor agreements, and breach response plans.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

GDPR

AWS and GDPR: Compliance, DPAs & Data Transfers (2026)

How AWS and GDPR fit together: the shared responsibility model, the AWS Data Processing Addendum, transfer rules, and the config steps to stay compliant.

April 4, 202612 min read
GDPR

Cookie Compliance: A Complete Guide for Website Owners

Learn what cookie compliance requires, which laws apply, and how to implement consent banners and cookie policies to keep your website legally compliant.

April 4, 202612 min read
GDPR

Data Protection Compliance: A Complete Guide for Businesses

Master data protection compliance with this practical guide covering GDPR, CCPA, key requirements, enforcement, and steps to build a compliance programme.

April 4, 202615 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What GDPR Compliance Means for Websites
  • GDPR Compliance Checklist: Lawful Basis
  • Action items
  • Privacy Policy and Notices
  • Action items
  • Cookie Consent and Tracking
  • Action items
  • GDPR Compliance Checklist: Data Subject Rights
  • Action items
  • Records of Processing Activities
  • Action items
  • Data Protection Impact Assessments
  • Action items
  • Breach Notification Procedures
  • Action items
  • Vendor and Processor Agreements
  • Action items
  • International Data Transfers
  • Action items
  • Ongoing GDPR Compliance Monitoring
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.