GDPR Compliance Checklist: 15 Steps for Website Owners
A comprehensive 15-step GDPR compliance checklist for website owners — from data mapping and lawful basis through consent, privacy policies, DPIAs, and breach notification.
GDPR compliance is not a single task you complete once and forget. It is an ongoing programme that touches how you collect data, how you store and process it, what rights you give your users, and how you respond when things go wrong. This checklist covers the 15 most critical areas for website owners — from solo operators with a contact form to mid-sized businesses running marketing automation and CRM systems.
Work through each step. Some will take minutes; others will require legal review or technical changes. The goal is not perfection on day one — it is a clear picture of where you stand and a prioritised list of what to fix.
Step 1: Understand your legal basis for processing
GDPR Article 6 recognises six lawful bases for processing personal data:
- Consent — the user has given explicit, informed agreement
- Contract — processing is necessary to fulfil a contract with the user (e.g., order fulfilment)
- Legal obligation — you are required to process data by law (e.g., tax records)
- Vital interests — processing is necessary to protect someone's life
- Public task — processing is necessary for a task in the public interest
- Legitimate interests — your interests (or a third party's) outweigh the individual's privacy interests
For most website owners, the relevant bases are consent (for marketing and analytics), contract (for purchases and account management), and legitimate interests (for fraud prevention, security monitoring). Document your legal basis for each processing activity. This documentation is required if you are ever audited.
Step 2: Complete a data mapping exercise
Your data map should record:
- What personal data you collect (name, email, IP address, browsing behaviour, etc.)
- Where you collect it (contact forms, checkout, newsletter signup, analytics, etc.)
- Where it is stored (your database, a CRM, an email marketing platform, a cloud storage bucket)
- Who has access to it (your team, third-party vendors, processors)
- How long you keep it
- Where it flows outside the EU (if relevant)
Common third-party processors that website owners should include in this map:
- Email marketing platforms (Mailchimp, Klaviyo, etc.)
- CRM systems (Salesforce, HubSpot, etc.)
- Customer support tools (Intercom, Zendesk)
- Analytics platforms (Google Analytics, Mixpanel)
- Error monitoring tools (Sentry, Datadog)
- Payment processors (Stripe, Adyen)
Step 3: Audit and categorise your cookies
For each cookie your site sets:
- Identify the name, domain, and purpose
- Determine whether it is essential (no consent required), functional, analytics, or marketing
- Note its lifetime (session vs. persistent, and if persistent, the expiry duration)
- Identify the vendor who sets it
This audit feeds directly into your cookie banner configuration (Step 4) and your cookie policy (Step 6).
Step 4: Implement a compliant cookie consent mechanism
Your consent mechanism must:
- Blocks non-essential cookies until the user actively consents
- Offers granular category controls (not just "accept all")
- Provides equally prominent accept and reject options
- Stores consent records with timestamps
- Allows users to withdraw consent at any time
This is a technical requirement, not just a visual one. A banner that looks compliant but does not actually block scripts from loading is still non-compliant. Regulators check for actual cookie firing, not just banner presentation.
ShieldPage's consent widget handles all of this on the free tier for a single website — it blocks scripts by category and stores consent records. Install the embed snippet as the first script in your <head> element, before any other scripts.
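As an added illustration (not ShieldPage's widget or any code from this page), the following JavaScript shows the blocking logic the paragraph above describes: non-essential scripts ship as inert `text/plain` tags carrying a category, a timestamped consent record is built only from what the user actively granted (anything else is denied), withdrawal produces a fresh record, and only permitted categories are swapped into live scripts. The `data-category` and `data-src` attribute names and the four-category list are assumptions.

```javascript
// Added example: category-based consent gate. Assumed markup for a gated script:
// <script type="text/plain" data-category="analytics" data-src="https://example.invalid/a.js"></script>
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

// Build a consent record with a timestamp. Essential is always on; every other
// category is off unless the user explicitly set it to true (default deny).
function recordConsent(choices, now = new Date()) {
  const record = { timestamp: now.toISOString(), choices: { essential: true } };
  for (const c of CATEGORIES) {
    if (c !== "essential") record.choices[c] = choices[c] === true;
  }
  return record;
}

// Withdrawal yields a new record; keep the old one so the consent history is auditable.
function withdrawConsent(previous, category, now = new Date()) {
  if (category === "essential") throw new Error("essential cookies cannot be withdrawn");
  return recordConsent({ ...previous.choices, [category]: false }, now);
}

// A script may run only if its category is essential or was granted in the record.
// With no record at all (banner not yet answered) everything non-essential stays blocked.
function mayLoad(record, category) {
  if (category === "essential") return true;
  if (!record) return false;
  return record.choices[category] === true;
}

// Pure selection step: which of the inert script descriptors may be activated now.
function scriptsToActivate(record, scripts) {
  return scripts.filter((s) => mayLoad(record, s.category));
}

// Browser wiring: replace each permitted inert tag with a live <script>.
// Returns the activated sources; returns [] outside a DOM (e.g. under Node).
function activateInertScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const allowed = scriptsToActivate(record, inert.map((el) => ({ category: el.dataset.category, el })));
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live); // the tag only becomes executable at this point
  }
  return allowed.map((a) => a.el.dataset.src || "(inline)");
}
```

The check a regulator would actually run is whether the analytics or marketing request fires before the user answers the banner; with this pattern it cannot, because the tag is never executable until `activateInertScripts` runs with a record that grants the category.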
Step 5: Update your privacy policy
Your privacy policy must be:
- Written in plain language that a non-lawyer can understand
- Comprehensive — covering every processing activity you identified in Step 2
- Easily accessible — linked from your footer, your cookie banner, and any data collection form
It must include:
- Identity and contact details of the data controller (you)
- Contact details of your Data Protection Officer, if you have one
- The purposes and legal basis for each processing activity
- Legitimate interests relied upon (if applicable)
- Any third parties you share data with
- Transfers to countries outside the EU and the safeguards in place
- How long you retain data
- The rights of data subjects (see Step 8)
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
Review your privacy policy at least annually and update it whenever you add new data processing activities.
Step 6: Publish a cookie policy
Your cookie policy can be part of your privacy policy or a separate page. It must cover every cookie your site sets — name, purpose, category, duration, and the third party responsible for any third-party cookies. Update it whenever your cookie inventory changes.
Step 7: Implement data subject rights
GDPR gives individuals the following rights, and you need a working process for each:
- Right of access (Article 15): Users can request a copy of all data you hold about them.
- Right to rectification (Article 16): Users can request corrections to inaccurate data.
- Right to erasure (Article 17): The "right to be forgotten" — users can request deletion of their data (subject to certain exceptions).
- Right to restriction (Article 18): Users can request that you stop processing their data while a dispute is resolved.
- Right to data portability (Article 20): Users can request their data in a machine-readable format.
- Right to object (Article 21): Users can object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Article 22): Users can contest purely automated decisions that significantly affect them.
- Right to withdraw consent: Must be as easy as giving it.
You have one month to respond to a data subject request (extendable to three months for complex requests, with notification). Add a clearly labelled contact method — typically a dedicated email address — for subject access requests. Document your process and train anyone who might receive such a request.
Step 8: Review your third-party processors
Every third-party tool you use that processes personal data on your behalf is a data processor under GDPR. You are required to have a Data Processing Agreement (DPA) in place with each one. Most major vendors (Google, Mailchimp, Stripe, HubSpot) make their DPAs available and allow you to accept them through their dashboards or via a signed document.
For each vendor, check:
- Is a DPA in place with every vendor that processes EU personal data?
- Do their DPAs cover the specific data you share with them?
- For vendors outside the EU, are appropriate transfer safeguards in place (see Step 9)?
Step 9: Address international data transfers
Transferring personal data outside the EU requires one of the following mechanisms:
- Adequacy decision: The EU Commission has deemed the destination country adequate (e.g., UK, Canada, Japan, US under the EU-US Data Privacy Framework).
- Standard Contractual Clauses (SCCs): Updated 2021 SCCs are the most common mechanism for transfers to countries without adequacy decisions.
- Binding Corporate Rules: For intra-group transfers within multinationals.
- Derogations: Limited exceptions for explicit consent, contract performance, etc. — not a sustainable primary mechanism.
US-based services are common: Google Workspace, AWS, Salesforce, Slack, and hundreds of SaaS tools all process EU data on US infrastructure. For most, the EU-US Data Privacy Framework adequacy decision covers this — but verify that the vendor is certified under the framework.
Step 10: Appoint a Data Protection Officer if required
You must appoint a DPO if:
- You are a public authority or body
- You carry out large-scale systematic monitoring of individuals
- You carry out large-scale processing of special categories of data (health, criminal records, etc.)
Most small and medium-sized website owners are not required to appoint a DPO, but it is good practice to designate a privacy contact internally. If you are required to appoint a DPO, they must be registered with your national supervisory authority.
Step 11: Conduct a Data Protection Impact Assessment for high-risk processing
A DPIA is required where processing is likely to result in high risk to individuals, for example:
- Systematic and extensive profiling
- Large-scale processing of special category data
- Systematic monitoring of publicly accessible areas (e.g., CCTV, tracking pixels across the web)
- New technologies or novel uses of existing technologies
If you are launching a new feature involving user profiling, behavioural analytics, or processing of sensitive data, assess whether a DPIA is required before going live. A DPIA documents the purpose of the processing, the necessity and proportionality, the risks to individuals, and the measures taken to mitigate those risks.
Step 12: Establish a breach notification procedure
GDPR Article 33 requires you to notify your supervisory authority within 72 hours of becoming aware of a personal data breach — a breach being any event that leads to unauthorised access, disclosure, loss, or destruction of personal data. If the breach is likely to result in high risk to individuals, you must also notify affected individuals directly (Article 34).
Your procedure should document:
- How breaches are detected and reported internally
- Who is responsible for assessing severity
- The 72-hour clock and who files the supervisory authority notification
- Template notification documents
- Your breach register (you must document all breaches, even those you do not notify to the authority)
Step 13: Secure your website technically
At a minimum, this means:
- HTTPS with a valid certificate (HTTP sites processing any personal data are indefensible)
- Software and plugin updates applied promptly
- Strong password and MFA policies for anyone with access to personal data
- Input validation and protection against common web vulnerabilities (SQL injection, XSS, CSRF)
- Regular backups stored securely
- Access logs for sensitive data systems
The standard is proportionate to the risk — a small blog with a contact form has different obligations than a platform storing health data. But "we did not know" is not a defence.
Step 14: Handle employee and contractor data
If you have employees, contractors, or even just a virtual assistant, you are processing their personal data. This requires its own privacy notice explaining what data you collect, how it is used, and their rights. Recruitment data, payroll information, and performance records all fall within GDPR's scope.
Employment data is typically processed on the basis of contract (for payroll and HR administration) or legal obligation (for tax and employment law compliance). Marketing to former candidates without consent is a common compliance failure.
Step 15: Train your team and establish an ongoing programme
Your ongoing programme should include:
- Annual training: Everyone who handles personal data should receive basic GDPR training annually.
- Privacy by design: New features and systems should be assessed for privacy impact before development, not after launch.
- Vendor reviews: Reassess your data processors when you add new tools or renew major contracts.
- Policy reviews: Privacy policy, cookie policy, and internal procedures should be reviewed at least annually.
- Incident drills: Run a tabletop exercise covering a data breach scenario at least once a year.
Putting it together
Use this checklist as both a diagnostic and a roadmap. For each step, assess your current state (compliant, partial, not started), identify the specific gap, assign an owner, and set a deadline. A realistic timeline for completing all 15 steps for a small to medium website is 4-8 weeks, with ongoing quarterly reviews thereafter.
The most common critical failures are Steps 4 (cookie consent without real script blocking), 7 (no mechanism to handle subject access requests), and 12 (no breach notification procedure). Start with those if you need to triage.
ShieldPage addresses several of these steps directly: the consent widget covers Step 4, the trust center and privacy page tools help with Steps 5 and 6, and the security page covers the public-facing aspects of Step 13. The free tier covers a single website; multi-site and enterprise features are available on the Starter ($49/month), Professional ($149/month), and Business ($349/month) plans.