GDPR Website Compliance Checklist for Small Businesses
Is your website GDPR compliant? A practical checklist covering consent, cookies, privacy policies, data access, and cross-border data transfers for small business websites.
The General Data Protection Regulation (GDPR) applies to any website that collects data from EU residents—regardless of where your business is based. Non-compliance can result in fines up to 20 million EUR or 4% of annual turnover.
1. Have a Clear Privacy Policy
Your privacy policy must explain: what data you collect, why you collect it, how long you keep it, who you share it with, and what rights users have. It must be written in clear, plain language—not legal jargon. Link to it from every page.
2. Obtain Proper Cookie Consent
You need explicit consent before setting non-essential cookies (analytics, advertising, tracking). A pre-ticked checkbox is not valid consent. Users must be able to reject cookies as easily as they accept them. Essential cookies (login sessions, shopping carts, language preferences) do not require consent.
3. Secure Data Transfers
If data leaves the EU, you need a legal basis for the transfer (adequacy decision, standard contractual clauses, or binding corporate rules). Check where your hosting provider, CDN, analytics, and email services store data.
4. Provide Data Access and Deletion
Users have the right to: access their data, correct inaccurate data, delete their data (right to be forgotten), and export their data in a portable format. You must respond to requests within 30 days.
5. Report Data Breaches
If personal data is breached, you must notify your supervisory authority within 72 hours. If the breach poses a high risk to individuals, you must also notify the affected users directly.
6. Minimize Data Collection
Only collect data you actually need. Do not collect data "just in case." The GDPR principle of data minimization applies to every form, analytics tool, and third-party integration on your website.
7. Document Everything
Keep records of: what data you process, why, where it is stored, who has access, your legal basis for processing, and data retention periods. If a supervisory authority asks, you need to demonstrate compliance.
Use our free AI Privacy Check to see how your website handles data collection and cross-border data flows.