To make your website GDPR compliant, work through seven steps in order. Map your data, pick a lawful basis, publish plain-language policies, fix cookie consent, honor visitor rights, secure the data, and vet your processors.
None of this requires a lawyer for a simple site. It is a finite, ordered project, not an open-ended liability. Below are the seven steps in the order that actually gets a small or mid-sized website compliant.
Does Your Website Even Need to Be GDPR Compliant?
GDPR applies to any website, EU-based or not, that processes the personal data of people in the EU or offers them goods or services. A US blog with no EU visitors is out of scope. A US e-commerce store shipping to Germany is in scope, even without an EU office. A site running Google Analytics on European visitors is in scope too.
Four signals put your site in scope.
- Tracks visitors located in the EU or UK, including through analytics tools
- Collects names, emails, or other personal data from EU or UK residents
- Offers goods or services to people in the EU or UK
- Monitors the behavior of people inside the EU or UK, such as through ad retargeting
Most sites that serve a global audience, even unintentionally, match at least one of these. You are generally out of scope only if you deliberately block EU and UK traffic and never process data from those regions.
For the full in-scope test with edge cases, see who has to comply with GDPR. If you want the plain-English rundown of what the GDPR actually is and its core principles, start there first. US sites should also check the wider map of global privacy laws. GDPR is rarely the only regime a US-facing site has to satisfy.
What You Need Before You Start
The prerequisite most owners skip is an honest inventory of what data their site actually collects and through which tools. Without that list, every later step is guesswork.
Roles: Usually just the site owner. A small site rarely needs a dedicated privacy team. One person with access to the CMS, analytics dashboard, and email tool can complete every step below.
Time: A focused afternoon for a simple brochure site with a contact form and analytics. A site with e-commerce, multiple third-party embeds, or international traffic runs longer, closer to a few days spread across a week.
Inputs: A list of every form on the site (contact, newsletter, checkout). Every analytics or marketing tool installed (Google Analytics, Meta Pixel, email platform). Every embed that can set cookies (video, chat widget, maps), plus access to server or hosting logs.
Tools: A consent tool to manage cookie banners and blocking, and a policy generator to draft the privacy and cookie policy. Neither has to be from the same vendor. Many small sites still prefer one tool that does both.
Step 1: Map the Personal Data Your Website Collects
You cannot protect or disclose data you have not found. Start by inventorying every form field, cookie, script, and log file that captures personal data, then cut what you do not need.
To map your data:
- List every input field on every form (name, email, phone, address, payment details)
- List every analytics and marketing tool installed and what it captures
- Check server and hosting logs for IP addresses and timestamps
- List every embed (chat widgets, video players, maps) that can set cookies or load scripts
- Document the flow end to end: where each piece of data goes from signup, to storage, to backups, to deletion
Small sites often skip that last step. They then discover during an access request that they cannot say where a visitor's data actually lives.
Once you have the list, delete what you do not need. Minimal data collection accounts for most of the practical compliance work at small-site scale. A contact form asking only for a name and email carries less liability. One that also asks for a phone number, birthdate, and unused company size fields carries more.
A formal Article 30 Record of Processing Activities (ROPA) is only mandatory for organizations with 250 or more employees, or those doing higher-risk processing. Higher-risk processing means large-scale monitoring or special-category data. Most small sites are exempt from the formal record. Keeping a simple internal list is still good practice, and it speeds up every later step.
Knowing what counts as personal data, names, emails, IP addresses, and cookies among it, tells you exactly what to look for during this inventory.
Step 2: Pick a Lawful Basis for Every Type of Data You Use
Consent is not always required. GDPR gives you six lawful bases, and contract or legitimate interest often fit a website's data processing better than consent does.
The six lawful bases under Article 6 are:
- Consent: the person has actively agreed to the specific processing
- Contract: the processing is necessary to deliver something the person requested
- Legal obligation: a law requires you to process the data
- Vital interests: processing protects someone's life
- Public task: the processing serves an official or public function
- Legitimate interests: the processing serves a genuine business need that does not override the person's rights
For a checkout, "contract" covers the shipping address you need to deliver an order. For fraud prevention logging, "legitimate interest" often applies. Consent is the correct basis mainly for non-essential cookies, marketing emails, and anything the visitor could reasonably say no to.
Consent is also the lawful basis you can lose fastest. A visitor can withdraw it at any time. An invalid consent mechanism, a pre-checked box or a banner with no real reject option, invalidates the whole basis. Contract and legitimate interest do not carry that same fragility. Picking the right basis per data type is worth the extra five minutes per form.
Step 3: Write a Privacy Policy and a Cookie Policy in Plain Language
A cookie banner and cookie policy alone are never enough for GDPR compliance. You also need a privacy policy that discloses what data you collect, why, and for how long.
Your privacy policy must disclose several things in plain language, not legal boilerplate.
- What personal data you collect
- Why you collect it (the lawful basis from Step 2)
- How long you retain it
- Who else has access to it (processors, analytics vendors, email tools)
- What rights visitors have and how to exercise them
- A contact method for privacy questions
Your cookie policy covers the same disclosure specifically for cookies and similar tracking technologies. It states which cookies you set, their purpose, their category, and their duration.
A policy generator turns a guided questionnaire into a cookie policy, privacy policy, and terms and conditions you can embed directly on your site. Consently's privacy policy generator covers all three documents from one questionnaire, in multiple languages if you serve an international audience. Treat the output as a compliance starting point, not a legal guarantee. A generated policy still needs your own review for anything unusual about how your site processes data.
Step 4: Fix Your Cookie Consent (Banner, Blocking, and Records)
Cookie consent is one piece of GDPR, not the whole job, but it is the piece most sites get wrong. Non-essential cookies must be blocked until the visitor consents, and that consent has to be real: an active choice, not a default.
The rules for valid cookie consent:
- Block non-essential cookies (analytics, advertising, personalization) before consent is given, not after
- Make "Reject All" exactly as easy to click as "Accept All"
- Never use pre-checked consent boxes; the visitor must take an affirmative action
- Let visitors choose consent by category, not just an all-or-nothing toggle
- Keep a record of each visitor's choice, including timestamp and what they chose
Pre-ticked boxes invalidate consent outright, because GDPR requires an affirmative action, not a default the visitor has to undo. I see this one inherited from a template theme most often, set silently before the site owner ever looks.
A cookie consent banner that runs an automatic scan of your site handles rules 1 through 4 without custom code. It should block non-essential cookies before consent by default, and give visitors a preference center to choose by category. Consently logs every consent choice with a timestamp, which covers rule 5. That log gives you an audit trail if a regulator or a visitor ever asks what was agreed to and when. Consently is explicit-consent-only by design, so there is no implied or scroll-triggered consent path to accidentally rely on.
If you run Google Analytics or Google Ads, Google Consent Mode v2 passes each visitor's consent choice to Google automatically. You keep measurement for consenting visitors without hand-writing gtag('consent') calls yourself.
This step covers only the cookie-consent slice of GDPR. For the full banner rulebook, including region-specific opt-in and opt-out models, see exactly what a GDPR cookie banner must do. If your visitors span several legal regimes, not just the EU, see how to comply with cookie laws across regions.
Step 5: Make It Easy for Visitors to Exercise Their Rights
GDPR gives visitors specific rights over their data, and you must respond to a request within one month. Build a simple, findable way for them to ask.
The core rights to support:
- Access: see what data you hold about them
- Rectification: correct inaccurate data
- Erasure: delete their data (the "right to be forgotten")
- Portability: receive their data in a common, reusable format
- Restriction: limit how you process their data
- Objection: object to processing based on legitimate interest
You have one month from the request to respond, extendable by two further months for complex requests, under Article 12. A dedicated privacy email address or a simple contact form is enough for most small sites. You do not need a self-service portal unless request volume justifies building one.
For the full breakdown of each right and how to honor it, see the data subject rights in full.
Step 6: Secure the Data and Have a Breach Plan
GDPR requires data protection "by design and by default." You build in security rather than bolt it on. You also need a plan for what happens if a breach occurs.
A small site needs four baseline security measures.
- Enforce HTTPS across every page, not just checkout or login
- Encrypt or pseudonymize stored personal data where practical
- Restrict who has admin or database access, and use strong, unique passwords
- Keep regular backups, and confirm backups are as secure as the live data
You must report a qualifying breach to your supervisory authority within 72 hours of becoming aware of it, under Article 33. Have a plan before you need one. Decide who gets notified internally, how you assess whether the breach is reportable, and who drafts the regulator notification.
Step 7: Lock Down the Third Parties and Processors You Use
Every vendor that touches your visitors' data is a data processor under GDPR. That includes analytics, email, hosting, and payment vendors, and you need a data processing agreement with each one.
For every processor you use:
- List the vendor (hosting provider, email platform, analytics tool, payment processor)
- Confirm a data processing agreement (DPA) exists under Article 28
- Document that the DPA exists, even if you never need to produce it
- Check whether the vendor transfers data outside the EU, and confirm a safeguard covers that transfer
Standard Contractual Clauses (SCCs) are the most common safeguard for a transfer outside the EU. Solo site owners are the most likely to skip this whole step. It is easy to assume the vendor "handles that." AWS, hosting providers, and email tools all offer a DPA on request. You still have to ask for it and keep the record.
Consently is itself one of your processors if you use it. It offers a DPA covering EU (Frankfurt) hosting, with Standard Contractual Clauses available on request. That covers Consently's own role in your stack. It does not cover the DPAs you still need from your other vendors.
How Do You Know if Your Website Is GDPR Compliant?
No scanner or tool can certify you as compliant, and no official government GDPR certification exists to buy. You demonstrate compliance by being able to produce your records: your data map, your policies, your consent logs, and your processor DPAs.
A compliance scanner can flag cookies or trackers you missed, which is a useful directional check. It cannot verify your lawful basis choices, your DSAR process, or your processor contracts. Treat a clean scan result as one input, not a verdict.
The strongest evidence of compliance is being able to walk through each step above and point to the proof. That means the data inventory from Step 1, the consent logs from Step 4, and the DPAs from Step 7.
Common GDPR Compliance Mistakes to Avoid
The single most damaging mistake is treating a cookie banner as the whole of GDPR compliance. A banner handles consent; it does not write your privacy policy, pick your lawful basis, or answer a data access request.
- Treating the cookie banner as complete compliance: a banner covers consent, not policies, lawful basis, or visitor rights. Remedy: work through all seven steps, not just Step 4.
- Using pre-ticked consent boxes or a hidden reject option: this invalidates the consent itself. Remedy: make every consent action affirmative, and make reject as easy as accept.
- Defaulting to consent as the lawful basis for everything: contract and legitimate interest often apply, and consent is the basis most easily lost. Remedy: assign a specific basis per data type, per Step 2.
- Collecting data with no clear use: extra form fields and unused tracking scripts are pure liability with no compliance benefit. Remedy: apply data minimization, and delete what you do not use.
- Having no record of processors or data flows: not knowing which vendors touch visitor data leaves you unable to answer a regulator or a visitor. Remedy: document data flows and processor DPAs, per Steps 1 and 7.
FAQs
Does my US website really need to be GDPR compliant?
Yes, if it processes the personal data of people in the EU or UK, or targets them with goods or services. This holds regardless of where your business is registered. A US-only site with no EU visitors and no EU-facing offers is out of scope.
How much does it cost to make a website GDPR compliant?
A small site can largely do this yourself. A policy generator and a consent tool cover most of the work, so the real cost is mostly your time, not money. Enterprise-scale compliance programs run much higher. A Data Protection Officer, formal audits, and a full Article 30 record are usually not required at small-site scale.
Can I make my website GDPR compliant myself, without a lawyer?
Yes, for a simple site. The seven steps above form a finite checklist you can work through in an afternoon to a few days. Get legal review if your site processes special-category data, such as health or biometric information, or operates at a scale where the stakes are higher.
Is a cookie banner enough to be GDPR compliant?
No. A cookie banner covers valid consent for non-essential cookies. GDPR also requires a lawful basis for every type of data you process. It requires a privacy policy, a way to honor visitor rights, security measures, and processor agreements too. Step 4 above covers the banner-specific rules in more depth.
Do I need a Data Protection Officer for a small website?
Usually not. A DPO is mandatory only in three cases. You are a public authority, your core activity involves large-scale systematic monitoring of people, or your core activity involves large-scale processing of special-category data. Most small sites fall into none of these categories.
Is there an official GDPR certification I can get?
No official government GDPR certification exists to buy. Voluntary certification schemes under Article 42 exist but remain limited. No scanner, badge, or seal makes a site legally compliant on its own.
How long do I have to respond to a data access or deletion request?
Within one month of receiving the request, under Article 12. You can extend that by two further months for complex or numerous requests. You must tell the person about the extension within the first month.
What happens if my website is not GDPR compliant?
Regulators can fine the most serious infringements up to EUR 20 million or 4 percent of global annual turnover, whichever is higher. Less severe infringements carry fines up to EUR 10 million or 2 percent. See how large GDPR fines can get for the full penalty structure and real cases.
Working through these seven steps covers the cookie consent, policy, and consent-record slice of GDPR that a consent management platform can genuinely help with. The data-mapping, security, and governance work stays yours as the site owner. Consently scans your site for cookies, blocks non-essential ones before consent by default, and shows a compliant opt-in banner. It keeps the consent record and generates your cookie, privacy, and terms policies from a guided questionnaire. See Consently's GDPR cookie and consent tooling for the done-for-you side of Steps 3 and 4. Or start a free 14-day trial with no credit card required.

