
GDPR Compliance Checklist for Websites: 20 Things You Must Do

A practical, article-referenced checklist covering every major GDPR requirement for websites — plus CCPA and India's DPDP Act 2023. Each item cites the specific regulation so you can understand why it matters.


Privacy Policy (5 checks)

1. Privacy policy exists and is publicly accessible

Must be reachable from every page, typically linked in the footer, and not behind a login.

Required by: GDPR Art. 13 & 14, CCPA, DPDP Act § 5

2. Privacy policy lists all data collected

Name, email, IP address, device type, analytics data, payment data: list everything. Vague language such as "we may collect information" is not sufficient.

Required by: GDPR Art. 13 & 14 (Art. 14(1)(d) names the categories of data explicitly); Art. 5(1)(a) (transparency)

3. Privacy policy states purpose of processing

For each data type, explain why you collect it (e.g. "email to send account notifications, not for marketing"). Each purpose also needs its legal basis stated (see item 10).

Required by: GDPR Art. 13(1)(c)

4. Privacy policy names data processors

List all third parties that receive user data (in GDPR terms, the "recipients"): Stripe, Google Analytics, Intercom, Mailchimp, etc. Include links to their privacy policies.

Required by: GDPR Art. 13(1)(e)

5. Privacy policy explains data retention period

How long do you keep user data, and when is it deleted? If no fixed period exists, state the criteria used to decide (e.g. "until the account is closed, then 30 days"). A policy that does not address this is non-compliant.

Required by: GDPR Art. 13(2)(a)

Cookie Consent (4 checks)

6. Cookie banner appears before non-essential cookies are set

No analytics, advertising or tracking cookies (or equivalent storage such as localStorage identifiers) may be set until the user accepts. The most common failure is loading the tag on page render and showing the banner afterwards; consent obtained after the cookie already exists is not consent. Verify it yourself: open the site in a fresh browser profile and inspect the cookie store in the developer tools before touching the banner.

Required by: ePrivacy Directive Art. 5(3); GDPR Art. 4(11) and 7 (what counts as consent)

7. Cookie banner offers a genuine 'Reject All' option

The reject button must be as prominent as the accept button and on the same layer of the banner. Hiding 'Reject' behind a settings link, or using a smaller or greyed-out button, is a dark pattern that makes the consent not freely given.

Required by: GDPR Art. 4(11) and 7(4); CNIL cookie guidelines; EDPB Guidelines 05/2020 on consent

8. Cookie consent can be withdrawn as easily as it was given

If users can accept in one click, they must be able to revoke consent in one click, not buried in a 5-step settings menu. After withdrawal, stop loading the scripts and expire the cookies they set; do not rely on the third party to do it.

Required by: GDPR Art. 7(3)

9. Cookie policy lists all cookies by name and purpose

A separate cookie policy (or a section of the privacy policy) should list each cookie: name, provider, duration and purpose (strictly necessary, functional, analytics, marketing). Regenerate the list whenever a tag is added; tag managers make the inventory drift.

Required by: ePrivacy Directive Art. 5(3); GDPR Art. 13 (transparency)

Data Processing (4 checks)

10. Legal basis documented for each data processing activity

GDPR requires one of six legal bases: consent, contract, legal obligation, vital interests, public task or legitimate interests. Consent is NOT always required, and is often the wrong choice: processing needed to deliver what the user signed up for rests on the contract basis, and consent the user cannot practically refuse is not valid consent. Record the basis per purpose and state it in the privacy policy (item 3).

Required by: GDPR Art. 6 (Art. 13(1)(c) for stating it in the notice)

11. Data Processing Agreements (DPAs) signed with all processors

Every third-party tool that processes personal data on your behalf (hosting provider, analytics, CRM, email delivery) requires a DPA containing the Art. 28(3) terms. Most SaaS providers publish one that applies automatically or on request; keep a copy of each, because a supervisory authority will ask for them.

Required by: GDPR Art. 28

12. No personal data transferred outside the EEA without safeguards

Using a US-based provider (AWS, Google, Salesforce) usually means data is transferred, or can be accessed from, outside the EEA even when it is stored in an EU region, because support and administration happen elsewhere. You need a legal transfer mechanism: an adequacy decision (which since 2023 covers US companies certified under the EU-US Data Privacy Framework), Standard Contractual Clauses (SCCs) together with a transfer impact assessment, or Binding Corporate Rules.

Required by: GDPR Chapter V (Art. 44-49)

13. Record of Processing Activities (RoPA) maintained

Organisations with 250 or more employees must maintain a formal RoPA. Smaller ones are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or includes special-category or criminal-offence data; a site with user accounts and analytics processes data continuously, not occasionally. Keeping a RoPA is best practice for everyone and makes items 10 to 12 easy to evidence.

Required by: GDPR Art. 30 (exemption in Art. 30(5))

Security (4 checks)

14. HTTPS enforced on all pages, including checkout and forms

Transmitting personal data over plain HTTP fails the 'appropriate technical measures' requirement. Redirect every HTTP request to HTTPS, make sure form actions and API endpoints point at https:// URLs (a redirect after a POST does not undo the clear-text submission that already happened), and send a Strict-Transport-Security header so browsers stop trying HTTP at all. The TLS certificate must be valid, trusted and not expired.

Required by: GDPR Art. 32
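The enforcement logic for item 14, written as an added example rather than AuditAI's own code: a pure decision function over the incoming request that any Node http handler can call. It refuses to build a redirect from an unknown Host header, only trusts X-Forwarded-Proto when told a reverse proxy is in front, sends HSTS on secure responses only, and refuses rather than replays a POST that arrived over plain HTTP. The hostname allowlist and the trustProxy flag are assumptions for the example.

```javascript
// Per-request HTTPS enforcement as a pure decision function (added example, not
// AuditAI's code). The allowedHosts list and trustProxy flag are assumptions.

const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Was this request made over TLS? Either this process terminated TLS
// (socket.encrypted) or a trusted reverse proxy says so via X-Forwarded-Proto.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  // A client can send X-Forwarded-Proto itself, so honour it only when the
  // deployment really has a proxy that overwrites it. First value only: a
  // chain of proxies appends, and the leftmost describes the client hop.
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Returns what the handler should do; it never touches `res` itself.
function httpsPolicy(req, { trustProxy = false, allowedHosts = [] } = {}) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!allowedHosts.includes(host)) {
    // Redirecting to whatever Host the client sent is an open redirect and a
    // cache-poisoning vector, so unknown hosts get no redirect at all.
    return { action: 'reject', status: 400 };
  }
  if (isSecureRequest(req, trustProxy)) {
    // HSTS belongs on secure responses only; browsers ignore it over HTTP.
    return { action: 'serve', headers: { 'Strict-Transport-Security': HSTS_VALUE } };
  }
  if (req.method === 'GET' || req.method === 'HEAD') {
    return { action: 'redirect', status: 301, location: `https://${host}${req.url}` };
  }
  // A form POST that arrived over plain HTTP has already leaked its fields.
  // Replaying it to HTTPS with a 307/308 would hide the broken form action,
  // so refuse and let the developer fix the action URL.
  return { action: 'reject', status: 403 };
}

// Adapter for a plain `http.createServer((req, res) => ...)` handler:
// `next(req, res)` is the real application handler.
function applyHttpsPolicy(req, res, next, options) {
  const decision = httpsPolicy(req, options);
  if (decision.action === 'serve') {
    for (const [name, value] of Object.entries(decision.headers)) res.setHeader(name, value);
    return next(req, res);
  }
  res.statusCode = decision.status;
  if (decision.location) res.setHeader('Location', decision.location);
  res.end();
}
```

If the proxy forwards a Host with a port (example.com:8443), the allowlist must contain that exact form; the comparison is deliberately exact rather than a suffix match so that evil-example.com cannot slip past an "ends with example.com" check.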
15. Passwords hashed with bcrypt, Argon2 or equivalent

Storing plaintext, unsalted or MD5/SHA-1-hashed passwords is negligent security and a reportable breach waiting to happen: a fast hash can be brute-forced offline at billions of guesses per second. Use a slow, salted and preferably memory-hard password hash (bcrypt, Argon2id, scrypt; PBKDF2 with a high iteration count where nothing else is available), compare the result in constant time, and rehash at login when you raise the cost. GDPR requires security that takes account of the 'state of the art'.

Required by: GDPR Art. 32(1)
16. Data breach notification process documented

If a breach occurs, GDPR requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected users must be told as well. You need a documented internal process (who decides, who notifies, what gets logged) before a breach happens, not after. Keep an internal register of every breach, including those you decide not to report.

Required by: GDPR Art. 33 and 34
17. Access to personal data is role-restricted

Only staff who need personal data for their job should be able to reach it, and access to the production user store should be logged. Giving every employee read access to the full user database breaches the integrity-and-confidentiality principle, and Art. 32(4) requires that anyone acting under your authority processes personal data only on your instructions. (Data minimisation, Art. 5(1)(c), is about collecting less; this item is about who can see what you did collect.)

Required by: GDPR Art. 5(1)(f), Art. 32

User Rights (3 checks)

18. Users can request a copy of their data (Right of Access)

You must provide a way for users to request all data you hold about them and respond without undue delay, at the latest within one month (extendable by two further months for complex or numerous requests, if you tell the user why within the first month). A support email is sufficient; a dedicated request form is better. Verify the requester's identity before sending anything: a data export handed to the wrong person is itself a breach.

Required by: GDPR Art. 15; Art. 12(3) (deadline)

19. Users can request data deletion (Right to Erasure)

Also called the 'Right to be Forgotten'. Users can request deletion of their personal data and you must comply unless an exception applies, such as a legal obligation to retain it (e.g. financial records) or the data being needed for a legal claim. The request has to reach your processors too: pass it on to every third party you named under item 4.

Required by: GDPR Art. 17 (exceptions in Art. 17(3)); Art. 19 (informing recipients)

20. Users can opt out of marketing emails

Every marketing email must include a working unsubscribe link. Under GDPR the right to object to direct marketing is unconditional and must be honoured without undue delay; CAN-SPAM allows up to 10 business days. Keep the opt-out as a suppression list rather than simply deleting the address, or a later import will re-subscribe the person.

Required by: GDPR Art. 21(2)-(3); ePrivacy Directive Art. 13; CAN-SPAM
DPDP Act 2023 (India): Additional Requirements

India's Digital Personal Data Protection Act 2023 was enacted in August 2023, with its provisions brought into force as the central government notifies them, and it has requirements that differ from GDPR. If your site processes personal data of users in India in connection with offering them goods or services, it applies to you regardless of where your company is registered.

The Act designates "Data Fiduciaries" (organisations that determine the purpose and means of processing) and "Significant Data Fiduciaries" (those notified by the government on the basis of the volume and sensitivity of data they process and similar factors, with stricter obligations). Most startups fall in the first category.

  • Notice and consent request written in clear and plain language (not legalese): DPDP § 5, § 6(3)
  • Notice available, at the user's option, in English or any language listed in the Eighth Schedule to the Constitution: DPDP § 6(3)
  • Mechanism for users to withdraw consent as easily as it was given, and to request erasure: DPDP § 6, § 12
  • Contact details of a Data Protection Officer (or of a person able to answer questions about the processing) published: DPDP § 8
  • Personal data erased once its purpose is served or consent is withdrawn, unless retention is required by law: DPDP § 8

Frequently Asked Questions

Do I need a cookie consent banner even if I only use Google Analytics?
Yes. Google Analytics sets cookies and processes personal data (client identifiers, IP addresses, behavioural data). Under GDPR and the ePrivacy rules, loading GA before obtaining consent is a violation; EU data protection authorities, including France's CNIL and Italy's Garante, have taken enforcement action over cookies set without consent and over Google Analytics specifically. Use a consent management platform (CMP) such as Cookiebot or Osano, or a self-hosted solution, to gate GA loading behind consent, and confirm in the browser's developer tools that no _ga cookie exists before the visitor has clicked accept.
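The gating this answer describes, and the one-click withdrawal of checklist items 6 and 8, in code: an added example, not AuditAI's code or any CMP's. Tags such as the GA snippet are registered under a category together with the cookies they set; nothing in a non-essential category runs until that category is granted, a decision (accept or reject) is recorded as the proof of consent, and withdraw() both records the refusal and expires the declared cookies. The category names, the storage key and the cookie inventory in demo() are assumptions for the example.

```javascript
// Consent-gated loading of third-party tags (added example, not AuditAI's code).
// Category names, storage key and the cookie names in demo() are assumptions.

const NON_ESSENTIAL = ['analytics', 'marketing'];

// In-memory stand-in for window.localStorage so the logic runs outside a browser.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
  };
}

// Expire a cookie in the browser; no-op under Node where there is no document.
function browserDeleteCookie(name) {
  if (typeof document === 'undefined') return;
  for (const domain of ['', `; domain=${location.hostname}`, `; domain=.${location.hostname}`]) {
    document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/${domain}`;
  }
}

class ConsentManager {
  constructor({ storage, deleteCookie = browserDeleteCookie, key = 'consent_v1' } = {}) {
    this.storage = storage || (typeof localStorage !== 'undefined' ? localStorage : memoryStorage());
    this.deleteCookie = deleteCookie;
    this.key = key;
    this.registry = { analytics: [], marketing: [] }; // entries: {loader, cookieNames, ran}
    this.state = this.loadState(); // null means no decision yet: show the banner
  }

  loadState() {
    const raw = this.storage.getItem(this.key);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      return Array.isArray(parsed.granted) ? parsed : null;
    } catch (e) {
      return null; // corrupt record: treat as undecided, never as consent
    }
  }

  needsBanner() { return this.state === null; }

  hasConsent(category) {
    if (!NON_ESSENTIAL.includes(category)) return true; // strictly necessary needs no consent
    return this.state !== null && this.state.granted.includes(category);
  }

  // Register a tag (e.g. the GA snippet) under a category with the cookies it
  // sets. It runs now only if consent for that category is already on record.
  register(category, loader, cookieNames = []) {
    if (!(category in this.registry)) throw new Error(`unknown category: ${category}`);
    const entry = { loader, cookieNames, ran: false };
    this.registry[category].push(entry);
    if (this.hasConsent(category)) this.run(entry);
  }

  run(entry) {
    if (entry.ran) return; // a loaded script cannot be unloaded, so load at most once
    entry.ran = true;
    entry.loader();
  }

  decide(granted) {
    const allowed = granted.filter((c) => NON_ESSENTIAL.includes(c));
    this.state = { granted: allowed, at: new Date().toISOString() };
    this.storage.setItem(this.key, JSON.stringify(this.state)); // proof of consent, Art. 7(1)
    for (const category of allowed) this.registry[category].forEach((e) => this.run(e));
  }

  acceptAll() { this.decide(NON_ESSENTIAL); }
  rejectAll() { this.decide([]); }

  // Same effort as acceptAll: one call records the refusal and expires every
  // cookie the registered non-essential tags declared. Returns the names expired.
  withdraw() {
    const expired = [];
    for (const category of NON_ESSENTIAL) {
      for (const entry of this.registry[category]) {
        for (const name of entry.cookieNames) { this.deleteCookie(name); expired.push(name); }
      }
    }
    this.decide([]);
    return expired;
  }
}

// Lifecycle walk-through with a fake GA loader; returns the trace for inspection.
function demo() {
  const trace = [];
  const cm = new ConsentManager({ storage: memoryStorage(), deleteCookie: (n) => trace.push(`expired ${n}`) });
  cm.register('analytics', () => trace.push('GA loaded'), ['_ga', '_gid']);
  trace.push(`banner needed: ${cm.needsBanner()}`);
  cm.acceptAll();
  trace.push(`analytics consent: ${cm.hasConsent('analytics')}`);
  cm.withdraw();
  trace.push(`analytics consent: ${cm.hasConsent('analytics')}`);
  return trace;
}
```

In a page, the loader passed to register() is the function that injects the GA script tag, and the banner's buttons call acceptAll() and rejectAll(); a footer link calls withdraw(). The trace from demo() shows the order that matters: the tag is registered on page load but runs only after acceptAll(), and after withdraw() the cookies are expired and the category reads as not consented, even though the already-loaded script object cannot be removed from the page.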
What's the minimum GDPR requirement for a small website?
At minimum: (1) a privacy policy explaining what data you collect and why, (2) a cookie consent banner if you use any non-essential cookies, (3) HTTPS on all pages, and (4) a way for users to request a copy of their data and its deletion. If you only collect contact form submissions and use no analytics, your requirements are simpler, but a privacy policy is still mandatory.
How is India's DPDP Act different from GDPR?
Both require a lawful basis, normally consent, before processing personal data. Key differences: DPDP's territorial reach is narrower (processing in India, plus processing abroad connected with offering goods or services to people in India, whereas GDPR also covers monitoring the behaviour of people in the EU); DPDP requires the consent notice to be available in English or a scheduled Indian language at the user's choice; DPDP has no open-ended legitimate-interest basis, only the enumerated "legitimate uses" of § 7 (GDPR does have one); and DPDP's enforcement body, the Data Protection Board of India, is newly constituted under the Act. The maximum DPDP penalty is ₹250 crore (roughly $30M USD).

Check your site's compliance now

AuditAI automatically checks for cookie banners, privacy policy links, HTTPS, and data exposure risks. Free in 30 seconds.
