Website GDPR compliance comes down to six things: know your data, get consent right, and publish accurate policies. It also means honoring data rights, securing the data, and controlling your vendors. The checklist below breaks each into checkable actions.
Below: the full seven-part checklist, what each section means, who it fits, and how to work through it.
Copy the checklist: the full checklist is rendered below, free and copyable with no email required. Grab it as a trackable Google Sheet or a print-ready PDF from the "Download the Checklist" section once you reach it.
The GDPR Website Compliance Checklist
Work through these seven areas in order. Each item is one action you can verify or complete on your own site.
1. Map the personal data your website collects
Start here because every later section references this map. You cannot secure, disclose, or delete data you have not inventoried.
- [ ] List every place your site collects personal data: contact forms, newsletter signups, account registration, checkout, live chat, comments, analytics, and ad pixels.
- [ ] For each source, record what you collect (name, email, IP address, location, behavior), why you collect it, where it is stored, and how long you keep it.
- [ ] Note which third parties receive each data type: analytics tools, email platforms, CRMs, ad networks, hosting providers, and payment processors.
- [ ] Set a retention period for each data type and a process to delete it once that period expires.
A data map is the reference you will use for your privacy policy, your consent categories, and any right to be forgotten request. Larger operations formalize this map as a Record of Processing Activities (ROPA) under Article 30. If you decide whether you are the data controller or a processor for a given data type, record that here too, since your obligations differ.
2. Establish a lawful basis for every data use
GDPR Article 6 requires a valid lawful basis for every processing activity. Consent is only one of six options.
- [ ] Assign one of six lawful bases to each use of data: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- [ ] Use consent for non-essential cookies, marketing emails, and anything optional. Do not default to consent when contract or legitimate interests fits better.
- [ ] For marketing consent, use an unticked opt-in checkbox. Never use pre-ticked boxes, silence, or "by using this site you agree" language.
- [ ] Record when and how each person gave consent, and make withdrawing consent as easy as giving it.
Consent that is not freely given, specific, informed, and unambiguous is not valid consent under GDPR. The opt-in mechanism you choose here feeds directly into the cookie consent implementation in the next section.
3. Fix your cookie consent: banner, blocking, records
This is where most website owners actually fail GDPR, and the section a consent management platform automates.
- [ ] Show a cookie consent banner before any non-essential cookie or tracker loads. Do not pre-load analytics or ad pixels.
- [ ] Give equal, clear Accept and Reject options. Accept must not be easier or more visually prominent than Reject.
- [ ] Block non-essential cookies, scripts, and third-party embeds until the visitor consents. Prior blocking, not just a notice, is the requirement.
- [ ] Offer granular control by category (essential, analytics, advertising) through a preference center.
- [ ] Let visitors change or withdraw consent at any time through a revisit link or a floating button.
- [ ] Keep a dated record of each consent choice as evidence you can produce if challenged.
Cookie consent is the most visible and most audited part of website GDPR compliance. Meet the full GDPR cookie consent requirements before you consider this section done.
4. Publish a compliant privacy policy and cookie policy
Transparency under Articles 13 and 14 is a hard requirement. Your site must disclose what it does with personal data.
- [ ] Publish a privacy policy naming what you collect, why, your lawful basis, retention periods, third parties, and how to exercise rights.
- [ ] Publish a cookie policy listing the cookies you use, their purpose, and their duration.
- [ ] Link both policies from your site footer and from the consent banner.
- [ ] Add an effective or last-updated date, and review the policy whenever your data practices change.
A stale or missing policy is the fastest way to fail a basic compliance check. Start from a cookie policy template or a privacy policy template instead of drafting from scratch.
5. Make it easy to exercise data subject rights
GDPR gives individuals enforceable rights: access, rectification, erasure, portability, objection, and restriction. Your site needs a working route to each one.
- [ ] Give people a clear way to request access, correction, deletion, or a portable copy of their data, through an email address or a form.
- [ ] Respond within one month of a verified request (Article 12), extendable by two further months for complex requests.
- [ ] Verify the requester's identity before releasing or deleting any data.
- [ ] Build a way to actually find and delete a person's data across your tools, using the data map from Part 1.
You have a legal clock: one month from a valid request, with a documented extension only for complexity or volume. Cover the full mechanics of a data subject access request and the data subject rights each request can invoke before you build this workflow.
6. Secure the data and plan for a breach
Security of processing (Article 32) and breach notification (Article 33) apply to sites of every size, not just enterprises.
- [ ] Run HTTPS across the whole site and keep your platform, plugins, and dependencies updated.
- [ ] Encrypt or pseudonymize personal data where you can, and limit who can access it.
- [ ] Confirm your hosting provider and key vendors are themselves GDPR-ready.
- [ ] Build a breach plan: how you detect, contain, and report a breach to the supervisory authority without undue delay and, where feasible, within 72 hours (Article 33). Notify affected people directly if the risk to them is high.
A breach you cannot detect or report on time turns a security incident into a compliance failure on top of it. Follow the breach notification rules in full before you need them.
7. Lock down third parties, processors, and transfers
You are responsible for the processors you use (Article 28) and for any lawful transfer of data outside the EU or EEA (Chapter V).
- [ ] List every third party that processes personal data on your behalf: analytics, email, CRM, hosting, ads, and payment tools.
- [ ] Sign a data processing agreement with each processor.
- [ ] For data sent outside the EU or EEA, for example to US-based tools, confirm a valid transfer mechanism such as Standard Contractual Clauses or an adequacy framework.
- [ ] Re-check this list every time you add a new tool to your site.
Every tool you plug in inherits your GDPR obligations. A signed data processing agreement is how you formally pass part of that responsibility to the vendor. Confirm the legal mechanism behind any transfer outside the EU or EEA, using Standard Contractual Clauses or a valid adequacy decision. Check EU-US data transfers specifically if any vendor is US-based.
When this checklist is not enough: treat it as a starting point for special-category data, large-scale monitoring, or high-risk profiling. Health, biometric, political, and sexual-orientation data all count as special categories. Get professional legal advice on your DPIA and DPO obligations before you launch.
Download the Checklist (Google Sheet, PDF)
Download the checklist to track your progress against each section.
- Google Sheet (make a copy): the same seven sections with a Status column (Done, In progress, N/A, Needs legal review) and a Notes column for tracking.
- PDF: a print-ready one-to-two-page version for reviewing or signing off offline.
This on-page checklist covers the cookie, consent, and policy items without naming any specific tool. Guidance only, not legal advice.
What This GDPR Checklist Covers (and What It Does Not)
This checklist covers every action a website owner can complete directly on their own site: data collection, consent, policies, data subject rights, security, and vendors. It flags, rather than fully builds, the items that apply at the organization level.
- Covers: cookie consent, privacy and cookie policies, data subject request handling, security basics, and vendor DPAs.
- Beyond this checklist: a formal Record of Processing Activities (ROPA, Article 30), a full Data Protection Impact Assessment (DPIA, Article 35), appointing a Data Protection Officer (DPO, Articles 37 to 39), staff training programs, and a written incident-response runbook.
Treat the items marked "beyond this checklist" as a signal to loop in legal or compliance expertise, not as optional line items you can skip.
Who This Checklist Is For
This checklist fits five specific roles, each with a different reason GDPR applies to their site.
- Small business or website owner with no legal team: you need a plain-language path through GDPR without hiring outside counsel for every question.
- Solo founder or blogger: your site collects at least an email address or a contact form submission, which is enough to trigger GDPR obligations.
- Web agency or freelancer setting up client sites: you need a repeatable checklist to hand off compliant sites to non-technical clients.
- E-commerce store owner on Shopify or WooCommerce: checkout and marketing cookies both need lawful basis and clear consent.
- SaaS founder with EU users or visitors: GDPR can apply even if your company is based outside the EU, once you have EU-based users.
When to Use This GDPR Checklist
Run this checklist at the moments your site's data practices actually change, not on a fixed calendar.
Use it when you launch or redesign a site, add a new form or analytics tool, or land your first EU customer, client, or complaint. Run it again during an annual privacy review or before connecting any new third-party tool.
- Launching or redesigning a website.
- Adding forms, analytics, or ad pixels for the first time.
- Getting an EU customer, a client request, or a compliance scare.
- Conducting an annual privacy review.
- Connecting a new third-party tool to your site.
This checklist is not enough on its own in three cases: special-category data, large-scale monitoring, or uncertainty over a formal DPO or DPIA. Those situations call for professional legal advice.
How to Use This GDPR Checklist
Work through the checklist in the same order it is written, since later sections depend on earlier ones.
- Copy the Google Sheet or open the on-page checklist: pick whichever format you will actually keep updated.
- Start with Part 1, mapping your data: every other section references this map, so skipping it creates rework later.
- Work down each section, marking Done, In progress, N/A, or Needs legal review: do not skip a section just because it feels less urgent.
- Fix the cookie and consent items in Part 3 first if you run ads or analytics: these are the most visible and most audited items on the entire checklist.
- Keep the completed checklist and your consent records as evidence of good-faith compliance: there is no official certificate, so your documentation is your proof.
- Re-run the checklist whenever you add a tool or change what data you collect: a one-time pass goes stale the moment your stack changes.
Two mistakes account for most compliance gaps. Pre-ticked consent boxes invalidate consent entirely. Forgotten vendors quietly receive visitor data through embeds and pixels.
FAQs
Is this GDPR checklist free?
Yes. The full checklist, the Google Sheet, and the PDF are all free with no email required. An optional Consently trial appears at the end for readers who want the cookie and consent items automated.
What should a GDPR compliance checklist include?
A complete checklist covers data mapping, lawful basis and consent, cookie compliance, and policies. It also covers data subject rights, breach response, and processor agreements. This page's seven sections mirror that structure.
Does my website really need to be GDPR compliant if I am based in the US?
Yes, if you target or monitor visitors in the EU or EEA. GDPR applies based on whose data you process, not where your company is registered. See who GDPR applies to for the full test.
Is a contact form enough to trigger GDPR?
Yes. A contact form collects personal data like a name and an email address, which is enough to bring GDPR's obligations into play.
Do I need a cookie banner to be GDPR compliant?
You need valid consent before any non-essential cookie loads. A compliant banner with clear Accept and Reject options is how most sites meet that requirement in practice.
How do I prove my website is GDPR compliant?
Keep your completed checklist, your published policies, and dated consent records as evidence. There is no government-issued GDPR certificate, so documentation is what you produce if challenged.
Is a GDPR checklist the same as being certified?
No. GDPR has no official certification scheme. A checklist is a self-assessment tool that helps you find and close gaps, not a credential.
Can I use this GDPR checklist for WordPress, Shopify, or Webflow?
Yes. The checklist is platform-agnostic. The cookie and consent items apply to any site that sets cookies or collects personal data, regardless of the platform behind it.
How Consently Handles the Cookie and Consent Items on This Checklist
Several checklist items are exactly what a consent management platform automates: the cookie banner, prior blocking, and granular preferences. Consent withdrawal, dated consent records, and your privacy and cookie policies fit the same pattern. Consently bundles them into one GDPR cookie consent solution instead of leaving you to wire each item by hand.
A hand-coded banner rarely blocks third-party scripts before consent is given. Consently's automatic cookie scanning and auto-blocking stop cookies, scripts, and iframes from loading until a visitor consents, closing the gap in Part 3.
A DIY banner almost never keeps a dated, exportable consent record. Consently's consent logs capture the timestamp, country, and status of every choice, giving you the audit evidence Part 3 and Part 5 both call for.
Writing a cookie policy and a privacy policy from scratch is slow, and both go stale fast. Consently's three policy generators, for cookie policy, privacy policy, and terms and conditions, produce and embed all three in 10+ languages.
Consently closes the cookie, consent, and policy items on this checklist. It does not build your data map, run your DPIA, or harden your server security. It does not manage breach response, fulfill DSAR workflows, appoint a DPO, or sign vendor DPAs for you. The policy generators are compliance assistance, not a substitute for legal advice.
Start your free Consently trial to automate the cookie banner, scanning, blocking, and consent logs from Part 3 of this checklist.

