May 31, 2021

GDPR Website Checklist

GDPR Website Checklist

With new regulations coming into play, it can be difficult to define the basic steps your business should take in order to be compliant. Our GDPR Checklist can guide you through the process and show what you must look for and have on your website.


The General Data Protection Regulation (GDPR) was enforced on May 25th, 2018 with the goal to regulate the way personal data is collected. According to the regulation, any website offering services to EU-citizens must inform its users about personal data that is being collected.

Prior consent must be given by the user before any tracking technologies (e.g. cookies) are used. The user should have the ability to choose which personal information is gathered, with a simple opt-in function, and have an option to adjust their preferences at any point.

8 steps to make sure your website is compliant

1. Provide the identity and contact details of your data controller.
  • Inform users about who your data controller is. (If your data controller is a company, provide contact information of the relevant company representative.)
  • Provide the contact details of your Data Protection Officer (if applicable).
2. State the purposes for collecting personal data and the types of cookies being used.
  • Make sure you have a legitimate purpose to collect data.
  • Collect only the data that you need for such purposes.
  • Inform users about the purposes and the categories of personal data you intend to collect.

For example, when you collect any data to communicate with existing or potential customers, you need to inform the person that “communication” is the purpose, even if it seems obvious. This practice is to prevent companies from collecting any type of personal data without legitimate reasons.

3. Provide the legal bases for collecting personal data.
  • Consent - When a person gives consent to collect their data, e.g. for the use of cookies other than the strictly necessary or for the subscription to your newsletter.
  • Contractual obligation - data collected to fulfil a contract, e.g. if you operate a web shop, you need certain information to fulfill the delivery and payment of your goods / services.
  • Legitimate interests - the data must contribute to a legal interest while respecting the individual’s interests, rights, and freedoms, e.g. marketing communication to your existing customers.

Consent must be freely given, specific, informed and unambiguous. Scrolling or continued browsing, pre-ticked checkboxes and cookies walls (making consent conditional) do not constitute by any means valid consent.

4. State the retention time of personal data.
  • State the retention time of personal data.
  • Do not keep the data for longer than it is necessary for your processing purposes.
  • Storage times can often be indefinite, or it could be for a fixed amount of time due to legal reasons (e.g. employee data, business transactions for tax purposes), or until the person uses their right to have their data deleted.

5. Inform your users of their legal rights and provide them with the necessary contact details to exercise their rights.

Make sure you can fulfil the following upon request:

  • The right to access their data.
  • The right to have their data corrected.
  • The right to have their data deleted.
  • The right to restrict processing.
  • The right to have their personal data transmitted directly from one controller to another, where technically feasible.
  • The right to object to their data being used.
  • The right to withdraw consent at any time, freely and as easy as given (when consent is the legal basis for the data collection).
  • The right to make a complaint to a data protection authority.
  • The right to know if their data is being used for profiling.

6. Data protection by design and by default for websites.
  • Only collect the data that you need to run your business.
  • Make sure your website uses a valid SSL certificate (which you can obtain directly from a Certificate Authority) to ensure that all data is transferred in a secure manner.
  • Find the latest and best tools that can help you implement privacy by design and by default (meaning, organizations should be mindful of data protection whenever personal data is being processed, and that the strictest privacy settings should apply by default), that are within your budget.
7. Transfers to third parties.

Social media embeds or log in options from services such as Google, Facebook, Twitter might lead to information being sent to third party services in order to see the content.

  • Inform users in case partial or full personal information is being transferred to third parties.
  • Inform users about the purpose of collecting the specific information and for how long it would be stored.
  • Make sure to obtain users’ prior consent before placing third-party cookies on your website.

8. Provide easy-to-read information.
  • Provide all the information and the relevant explanations in a clear, simple and understandable way.