GDPR Compliance Checklist for Website Owners (2026 Edition): From Data Mapping to Cookie Consent
GDPR (the General Data Protection Regulation) is still the benchmark privacy law for modern websites. If you process personal data of EU residents—whether you’re in the EU or not—GDPR compliance is mandatory, and the downside of getting it wrong is real: fines can reach €20 million or 4% of global annual turnover, whichever is higher.
This post is a publication-ready, practical checklist you can apply to a typical website or WordPress stack. It covers the governance side (roles, contracts, breach processes), the product/UX side (consent, forms, email marketing), and the operational side (data mapping, retention, security). It also preserves the key Article references so you can tie tasks back to the regulation.
What GDPR is (and when it applies to your site)
GDPR is an EU privacy law in force since May 25, 2018. It defines rules for how organizations collect, use, store, and share personal data. The scope is intentionally broad: it applies to organizations inside and outside the EU if they process the personal data of EU residents.
Know your role: Controller vs Processor (you might be both)
GDPR obligations depend on what role you play in the processing chain—so the first step is classification.
- Data Controller: You determine why and how personal data is processed. This role carries primary responsibility for GDPR compliance.
- Data Processor: You process personal data on behalf of a controller (think: SaaS vendors, email providers, hosting providers, analytics platforms). Processors must implement appropriate technical and organizational measures too.
- Data Subject: The individual whose personal data is processed. GDPR’s purpose is to protect their rights.
A common website-owner reality: you’re typically a controller for your own site (forms, accounts, orders), and also a processor in other contexts (for example, if you operate a service that processes customer data on their behalf).
The 7 GDPR principles (use these as your decision filter)
Before you start checking boxes, align your implementation with the principles GDPR expects you to follow and demonstrate:
- Lawfulness, fairness, and transparency: Process personal data legally and keep people informed about usage.
- Purpose limitation: Collect data only for specific, legitimate purposes.
- Data minimization: Collect only what you actually need.
- Accuracy: Keep personal data accurate and up to date.
- Storage limitation: Don’t keep data longer than necessary.
- Integrity and confidentiality: Protect data with appropriate security measures.
- Accountability: Be able to demonstrate compliance (documentation matters).
Complete GDPR compliance checklist (with Article references)
Use the sections below as a working compliance tracker. Each item includes who it applies to and the relevant GDPR Article(s).
Data
1) Maintain an inventory of the personal data you hold (types, source, sharing, purpose, retention)
Applies to: Data Controller, Data Processor
You need a list of the actual types (columns) of personal data you store—e.g., name, social security number, address. For each type, document:
- The source of the data
- Who you share it with
- What you do with it (the purpose)
- How long you keep it (retention period)
Reference: GDPR Article 30 – Records of processing activities
2) Map where personal data lives and how it flows
Applies to: Data Controller, Data Processor
Create a list of places you store personal data and the data flows between them. This can include online systems (like a MySQL database) and offline stores (like paper records).
Reference: GDPR Article 30 – Records of processing activities
3) Publish a privacy policy that describes your personal-data processes
Applies to: Data Controller, Data Processor
Your privacy policy must be publicly accessible and outline the processes related to handling personal information. It should include (or link to) the types of personal data you hold and where you store it.
Reference: GDPR Article 30 – Records of processing activities
4) State your lawful basis for processing in the privacy policy
Applies to: Data Controller
Your privacy policy should clearly explain the lawful basis (for example, processing required for fulfillment of a contract).
Reference: GDPR Article 6 – Lawfulness of processing
Accountability & management
5) Appoint a Data Protection Officer (DPO) when required
Applies to: Data Controller, Data Processor
A DPO is required only in these scenarios:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- The core activities involve processing operations that, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale
- The core activities involve large-scale processing of special categories of data (sensitive data) pursuant to Article 9, or personal data relating to criminal convictions or offenses pursuant to Article 10
When a DPO is required, that person should understand GDPR guidelines and your internal processes involving personal data.
Reference: GDPR Article 37 – Designation of the data protection officer
6) Create GDPR awareness among decision makers
Applies to: Data Controller, Data Processor
Key people need up-to-date knowledge of data protection legislation so privacy-by-design is a default, not an afterthought.
Reference: GDPR Article 25 – Data protection by design and by default
7) Keep your technical security current
Applies to: Data Controller, Data Processor
Especially for SaaS-style systems, start from security checklists to ensure the right technical measures are in place.
Reference: GDPR Article 25 – Data protection by design and by default
8) Train staff on data protection risks
Applies to: Data Processor
Many incidents stem from human error or social engineering. Anyone with access to internal systems should be trained to recognize and avoid those risks.
Reference: GDPR Article 25 – Data protection by design and by default
9) Track sub-processors and disclose them in your privacy policy
Applies to: Data Processor
If you use sub-processors, inform customers and ensure they consent by accepting your privacy policy.
Reference: GDPR Article 28 – Processor
10) If you operate outside the EU, appoint an EU representative
Applies to: Data Controller, Data Processor
Organizations outside the EU that collect data about EU citizens should designate a representative in a member state. Local authorities must be able to contact this person regarding processing issues.
Reference: GDPR Article 27 – Representatives of controllers or processors not established in the Union
11) Report personal data breaches to authorities and affected people
Applies to: Data Controller, Data Processor
Report personal data breaches to the local supervisory authority within 72 hours. The report should cover what data was lost, consequences, and countermeasures taken. Unless the leaked data was encrypted, also inform the affected data subjects.
Reference: GDPR Article 33 – Notification of a personal data breach to the supervisory authority; GDPR Article 34 – Communication of a personal data breach to the data subject
12) Put contracts in place with any processors you share data with
Applies to: Data Controller
If you share data with a processor (for example, your hosting provider), you need a contract with explicit instructions. It must set out:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
The same requirements apply when a processor engages a sub-processor to help deliver processing on behalf of the controller.
Reference: GDPR Article 28 – Processor; GDPR Article 29 – Processing under the authority of the controller or processor
New rights (the UX + operations you need to support data subject rights)
13) Provide an easy way for users to request access to their data
Applies to: Data Controller, Data Processor
You need a clearly defined process to handle access requests from data subjects.
Reference: GDPR Article 15 – Right of access by the data subject
14) Let users update their personal data to keep it accurate
Applies to: Data Controller, Data Processor
Provide a mechanism for correcting inaccurate data.
Reference: GDPR Article 16 – Right to rectification
15) Automatically delete personal data you no longer need
Applies to: Data Controller, Data Processor
Automate deletion based on retention rules. A common example: automatically delete data for customers whose contracts weren’t renewed.
Reference: GDPR Article 5 – Principles relating to processing of personal data
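As an added example that is not part of the original post, the following Node.js snippet ties item 1 (the inventory with retention periods) to item 15 (automated deletion): a retention sweep that only ever deletes what the inventory says is due, and leaves an audit trail of each decision. Every field name, retention period and sample record is a constructed assumption.

```javascript
// Added example (not from the original post): retention sweep driven by a
// data inventory. Field names, periods and records are constructed assumptions.

// Inventory entry per personal-data type, as item 1 asks: source, sharing,
// purpose and retention. Retention is "N days after a trigger field" so an
// active customer (no contract end yet) is never swept by accident.
const INVENTORY = {
  customer_contact: {
    source: "account registration form",
    sharedWith: ["hosting provider", "email provider"],
    purpose: "contract fulfilment",
    retentionTrigger: "contractEnd",   // field on the record that starts the clock
    retentionDays: 30,                 // assumption: 30 days after the contract ended
  },
  invoice_address: {
    source: "checkout form",
    sharedWith: ["accounting software"],
    purpose: "legal obligation (tax records)",
    retentionTrigger: "invoiceDate",
    retentionDays: 365 * 10,           // assumption: ten-year bookkeeping retention
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Decide keep/delete for one record. A data type without an inventory entry is
// an error on purpose: undocumented data is an item 1 gap, not data to keep forever.
function retentionDecision(dataType, record, now = new Date()) {
  const policy = INVENTORY[dataType];
  if (!policy) throw new Error(`no inventory entry for data type "${dataType}"`);
  const trigger = record[policy.retentionTrigger];
  if (!trigger) return { action: "keep", reason: "retention trigger not reached" };
  const deleteAfter = new Date(new Date(trigger).getTime() + policy.retentionDays * DAY_MS);
  if (now >= deleteAfter) {
    return { action: "delete", reason: `${policy.retentionDays} days after ${policy.retentionTrigger}` };
  }
  return { action: "keep", reason: `within retention until ${deleteAfter.toISOString()}` };
}

// Sweep a whole collection. Returns the ids to delete plus an audit trail of
// every decision, which is the accountability evidence for item 15.
function retentionSweep(dataType, records, now = new Date()) {
  const audit = [];
  const toDelete = [];
  for (const r of records) {
    const d = retentionDecision(dataType, r, now);
    audit.push({ id: r.id, ...d, checkedAt: now.toISOString() });
    if (d.action === "delete") toDelete.push(r.id);
  }
  return { toDelete, audit };
}

// Constructed sample: three customers evaluated as of 2026-03-01.
const SAMPLE_CUSTOMERS = [
  { id: "c1", contractEnd: "2026-01-15" }, // ended 45 days ago: delete
  { id: "c2", contractEnd: "2026-02-20" }, // ended 9 days ago: keep
  { id: "c3", contractEnd: null },         // renewed, still active: keep
];
const NOW = new Date("2026-03-01T00:00:00Z");

const result = retentionSweep("customer_contact", SAMPLE_CUSTOMERS, NOW);
console.log(result.toDelete); // ["c1"]
```

In a real deployment the sweep runs on a schedule and the audit array is written to a log store, not printed.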
16) Provide a simple way to request deletion (right to be forgotten)
Applies to: Data Controller, Data Processor
Implement a process to handle erasure requests.
Reference: GDPR Article 17 – Right to erasure (‘right to be forgotten’)
17) Provide a way to request that processing stops (restriction)
Applies to: Data Controller, Data Processor
Users can restrict how their data is processed; you need an operational path to enforce that restriction.
Reference: GDPR Article 18 – Right to restriction of processing
18) Support data portability (deliver data to the user or a third party)
Applies to: Data Controller, Data Processor
Data portability means providing the user’s data in a structured, commonly used, machine-readable format.
Reference: GDPR Article 20 – Right to data portability
19) Allow objection to profiling / automated decision-making (if applicable)
Applies to: Data Controller
This applies only if you do profiling or other automated decision-making that may impact a user.
Reference: GDPR Article 22 – Automated individual decision-making, including profiling
Consent
20) If you rely on consent, ensure consent is freely given, specific, informed, and revocable
Applies to: Data Controller
Where your processing is based on consent, you should make your privacy policy easy to find and require users to confirm acceptance of terms. Consent must be an affirmative action—pre-ticked checkboxes are not permitted.
Reference: GDPR Article 7 – Conditions for consent
21) Write the privacy policy in clear, understandable language
Applies to: Data Controller
The policy should be clear and simple and not hide intent. If it’s unclear, the agreement may be void. If you provide services to children, language must be easy enough for them to understand.
Reference: GDPR Article 7.2 – Conditions for consent
22) Make withdrawing consent as easy as giving it
Applies to: Data Controller
Users shouldn’t have to fight the UI to revoke what they could grant in one click.
Reference: GDPR Article 7.3 – Conditions for consent
23) If you process children’s data, verify age and collect guardian consent
Applies to: Data Controller
For children under 16, you must ensure a legal guardian consented. If consent is collected via your website, you should try to confirm it was actually given by the guardian (not the child).
Reference: GDPR Article 8 – Conditions applicable to child’s consent in relation to information society services
24) When you update your privacy policy, inform existing customers
Applies to: Data Controller
Notify existing customers (for example, by email) and explain changes in a simple way.
Reference: GDPR Article 7 – Conditions for consent
Follow-up
25) Regularly review policies, effectiveness, data handling changes, and international data-flow changes
Applies to: Data Controller
GDPR compliance is not a one-time project. Review how effective your policies are, what changed in your data handling, and what changed in other countries where data flows.
Reference: GDPR Article 25 – Data protection by design and by default
Special cases
26) Know when you must run a DPIA for high-risk processing
Applies to: Data Controller
A Data Protection Impact Assessment (DPIA) is required for certain high-risk processing—typically large-scale processing, profiling, or other activities that create high risk to people’s rights and freedoms.
Reference: GDPR Article 35 – Data protection impact assessment
27) Transfer personal data outside the EU only with appropriate protections
Applies to: Data Controller, Data Processor
If you transfer data outside the EU, ensure the destination provides an appropriate level of protection and disclose cross-border flows in your privacy policy. Use Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) when transferring to non-adequate countries.
Reference: GDPR Article 45 – Transfers on the basis of an adequacy decision
User rights (data subject rights) you must support
GDPR grants a set of rights to all data subjects. From a website-owner perspective, these rights translate into product requirements, support workflows, and documentation.
Right to transparent information
Controllers must provide processing information in a concise, transparent, intelligible, and easily accessible form using clear and plain language—especially when addressed to a child. The information can be provided in writing or by other means (including electronic).
Reference: GDPR Article 12
Right to receive specific information when personal data are collected directly
When you collect data directly, you must provide:
- The identity and contact details of the controller
- The contact details of the data protection officer (where applicable)
- The purposes of the processing and the legal basis
- The legitimate interests pursued by the controller (where applicable)
- The recipients or categories of recipients of the personal data
- Information about transfers to third countries
Reference: GDPR Article 13
Right to receive specific information when personal data are not collected directly
If data comes from sources other than the data subject, you must provide similar information and also include the categories of personal data concerned and the source of the data.
Reference: GDPR Article 14
Right of access
Data subjects can request confirmation of processing and access to:
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom data has been or will be disclosed
- The envisaged retention period
- The existence of rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with a supervisory authority
- Information about the source of data (if not collected from the subject)
- The existence of automated decision-making, including profiling
Reference: GDPR Article 15
Right to rectification
Data subjects have the right to correct inaccurate personal data without undue delay and to have incomplete data completed.
Reference: GDPR Article 16
Right to erasure (“right to be forgotten”)
Data subjects can request erasure when:
- The data is no longer necessary for its original purpose
- They withdraw consent and there’s no other legal ground for processing
- They object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased for compliance with a legal obligation
- The data was collected in relation to information society services offered to a child
Reference: GDPR Article 17
Right to restriction of processing
Data subjects can request restriction when:
- They contest the accuracy of the data (for a period enabling verification)
- The processing is unlawful and they oppose erasure
- The controller no longer needs the data but they need it for legal claims
- They have objected to processing pending verification of legitimate grounds
Reference: GDPR Article 18
Right to be notified regarding rectification, erasure, or restriction
Controllers must communicate rectification, erasure, or restriction to each recipient the data was disclosed to, unless it’s impossible or involves disproportionate effort.
Reference: GDPR Article 19
Right to data portability
Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance.
Reference: GDPR Article 20
Right to object
Data subjects can object at any time, on grounds relating to their particular situation, to processing based on legitimate interests or public interest—including profiling.
Reference: GDPR Article 21
Right not to be subject to automated decision-making
Data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant impacts.
Reference: GDPR Article 22
Practical implementation steps (what to change on a real website)
1) Secure your website
Security under GDPR isn’t a single feature—it’s a baseline expectation. The following hardening steps map cleanly to integrity/confidentiality and privacy-by-design practices:
- Install an SSL/TLS certificate and serve the site over HTTPS, so data in transit between the visitor's browser and your server is encrypted
- Use strong passwords for all admin accounts
- Add extra protection for payment information handling
- Use a CDN provider that protects against DDoS attacks
- Deploy anti-virus software to prevent unauthorized access
- Minimize data collection—only collect what’s necessary
- Pseudonymize or anonymize personal data before storage
- Back up data in multiple secure locations
- Delete data when it’s no longer needed
2) Add a cookie consent banner (and make it actually compliant)
If you use non-essential cookies, you need explicit consent before activating them.
Your cookie banner must:
- Block cookies until consent: Only load necessary cookies until the user opts in
- Use simple, clear language: Explain what cookies are used and why
- Show equal accept/reject buttons: Don’t hide the reject option
- Offer granular options: Let users choose specific cookie categories
- Allow consent withdrawal: Provide an easy way to change preferences later
- Record consent: Store choices with timestamps to prove compliance
Consent anti-pattern to avoid
Scrolling or non-interaction does not equal consent.
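The banner requirements above, implemented as an added example that is not code from the original post: a small consent manager that holds non-essential scripts back until a recorded, affirmative choice exists, stores that choice with a timestamp as evidence, treats a stale policy version as "not consented", and refuses anything that is not a deliberate click. The decision logic has no DOM calls so it runs in Node for testing; the category names and the policy version string are assumptions.

```javascript
// Added example (not from the original post): a consent gate for non-essential
// scripts. No DOM calls here so it can be unit-tested; in a browser each loader
// callback would inject its <script> tag. Categories and policy version are assumptions.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // bump when the cookie policy text changes

// Only a deliberate click counts. "scroll", "close" or "timeout" never appear
// here: that is the anti-pattern the text warns about.
const VALID_METHODS = new Set(["accept_all", "reject_all", "save_preferences"]);

function createConsentManager(now = () => new Date()) {
  let record = null;   // no stored choice yet means "not consented"
  const pending = [];  // loaders waiting for their category to be allowed

  function allowed(category) {
    if (category === "necessary") return true;      // strictly necessary needs no consent
    if (!record || record.policyVersion !== POLICY_VERSION) return false; // stale: re-ask
    return record.choices[category] === true;
  }

  // Run every queued loader whose category has just become allowed.
  function flush() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (allowed(pending[i].category)) pending.splice(i, 1)[0].load();
    }
  }

  return {
    // Register a tag. It loads now if allowed, otherwise waits for consent.
    registerScript(category, load) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
      if (allowed(category)) load(); else pending.push({ category, load });
    },
    // Store a granular choice with a timestamp; returns the record kept as proof.
    // Any category not explicitly set to true is treated as rejected.
    grant(choices, method) {
      if (!VALID_METHODS.has(method)) throw new Error(`"${method}" is not an affirmative action`);
      const normalized = {};
      for (const c of CATEGORIES) normalized[c] = c === "necessary" || choices[c] === true;
      record = { choices: normalized, method, policyVersion: POLICY_VERSION, timestamp: now().toISOString() };
      flush();
      return record;
    },
    // Withdrawal is as easy as granting: one call. It stops further loads;
    // cookies already set by a loaded script must be expired separately.
    withdraw() { return this.grant({}, "save_preferences"); },
    canLoad: allowed,
    pendingCount: () => pending.length,
    record: () => record,
  };
}

// Constructed demo: tags registered before any choice, then a partial opt-in.
function demo() {
  const loaded = [];
  const cm = createConsentManager(() => new Date("2026-03-01T09:00:00Z"));
  cm.registerScript("necessary", () => loaded.push("session"));
  cm.registerScript("analytics", () => loaded.push("analytics"));
  cm.registerScript("marketing", () => loaded.push("ads"));
  const before = [...loaded];                        // ["session"]
  cm.grant({ analytics: true }, "save_preferences");
  return { before, after: [...loaded], record: cm.record(), cm }; // after: ["session", "analytics"]
}
```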
3) Review every website form that collects personal data
Any form (contact forms, checkout, account registration, demo requests) must meet GDPR expectations:
- Include a privacy statement explaining why you need the data
- Add an unticked checkbox for consent
- Provide a separate opt-in for marketing communications
- Link to your Privacy Policy
- Use clear, simple language
4) Get explicit consent for marketing emails
For email marketing, treat consent as something you can evidence later—not just a checkbox in a UI:
- Use clear opt-in only: Unticked checkbox specifically for email consent
- Implement double opt-in: Confirm signup via email
- Maintain consent records: Log date, time, method, and purpose
- Include visible unsubscribe link: One-click unsubscribe in every email
- Process unsubscribes promptly: Within 24 hours ideally
5) Prepare for data breaches before they happen
A breach response plan is part of operational compliance. Make sure you can execute these requirements without improvising:
- Notify supervisory authority within 72 hours
- Notify affected users if there’s high risk to their rights
- Document everything for accountability
- Update policies to prevent future breaches
WordPress-specific considerations
If you run WordPress, GDPR compliance becomes a mix of core platform hygiene and plugin/vendor due diligence. Focus on the areas where WordPress sites commonly leak personal data or set cookies implicitly:
- Keep WordPress core, themes, and plugins updated
- Use GDPR-compliant contact form plugins (with consent checkboxes)
- Install a proper cookie consent solution
- Use a GDPR-compliant analytics solution
- Review plugin data collection practices
- Implement user data export/deletion functionality
GDPR penalties (and what else regulators can do)
GDPR enforcement isn’t just theoretical. The regulation defines two fine tiers:
- Lower tier violations: Up to €10 million or 2% of global annual turnover
- Upper tier violations: Up to €20 million or 4% of global annual turnover
Beyond fines, supervisory authorities may also:
- Issue warnings
- Temporarily or permanently ban data processing
- Order data deletion
- Restrict data transfers
Frequently asked questions
What is a GDPR compliance checklist?
A GDPR compliance checklist is a list of actions you need to take to comply with the General Data Protection Regulation. It helps identify areas of improvement in your data protection practices.
Who is responsible for GDPR compliance?
The data controller (typically the website/business owner) is primarily responsible. Data processors also have compliance obligations.
Does GDPR apply to US businesses?
Yes, if you process personal data of EU residents—regardless of where your business is located.
What is the maximum penalty for non-compliance?
Up to €20 million or 4% of annual global turnover, whichever is higher.
Do I need a cookie banner?
Yes, if your website uses any non-essential cookies and you have EU visitors.
Do I need a Data Protection Officer?
Only if: (1) you’re a public authority, (2) your core activities require large-scale, systematic monitoring of individuals, or (3) you process sensitive data on a large scale.
Disclaimer
This checklist is intended as a general guide only. It should not be construed as legal advice. Consult with a qualified legal professional for advice specific to your situation.
Sarah Mitchell
Editor of the English team, DevOps and cloud architecture specialist. I feel at home in AWS and Kubernetes environments. I believe in continuous learning and knowledge sharing.