GDPR and Your Website
The General Data Protection Regulation (GDPR) applies to any website that collects data from EU residents, regardless of where your business is based. If you have European visitors (and you almost certainly do), GDPR applies to you.
Non-compliance can result in fines of up to 20 million euros or 4% of global annual revenue, whichever is higher. But GDPR compliance is not just about avoiding fines — it is about building trust with your users.
The 12-Step Compliance Checklist
Step 1: Implement a Cookie Consent Banner
You must get informed consent before setting non-essential cookies.
Requirements:
- Present clear choices: Accept All, Reject All, Customize
- Do not pre-check any optional cookie categories
- Do not use dark patterns (making "Accept" more prominent than "Reject")
- Do not set non-essential cookies until the user gives consent
- Remember the user's choice and do not ask again every visit
Cookie categories to separate:
- Strictly necessary (always on, no consent needed)
- Analytics (Google Analytics, Hotjar, etc.)
- Marketing (Facebook Pixel, Google Ads, etc.)
- Functional (chat widgets, preferences, etc.)
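The following consent gate is an added example, not code from the original article: every optional category defaults to off, the choice is remembered in a cookie, and a third-party script is only loaded once its category has been consented to. The cookie name, category names and script URLs are assumptions made for the example.

```javascript
// Added example, not code from the original article. Cookie name, category
// names and the script registry below are assumptions for illustration.
const CONSENT_COOKIE = 'cookie_consent';
const OPTIONAL = ['analytics', 'marketing', 'functional'];   // 'necessary' is always on

// Nothing optional is pre-checked until the user decides.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, functional: false, decided: false };
}
const acceptAll = () => ({ analytics: true, marketing: true, functional: true });
const rejectAll = () => ({ analytics: false, marketing: false, functional: false });

// Read the remembered choice from a document.cookie-style string. A missing or
// malformed value is treated as "not yet decided", i.e. everything optional stays off.
function parseConsent(cookieString) {
  const pair = cookieString.split(';').map(s => s.trim()).find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return defaultConsent();
  try {
    const saved = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    const consent = defaultConsent();
    for (const c of OPTIONAL) consent[c] = saved[c] === true;   // anything but explicit true is refusal
    consent.decided = true;
    return consent;
  } catch (e) {
    return defaultConsent();
  }
}

// Serialise the choice so it is remembered for a year instead of re-asked on every visit.
function consentCookie(choices) {
  const value = {};
  for (const c of OPTIONAL) value[c] = choices[c] === true;
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(value)) +
    '; Max-Age=31536000; Path=/; Secure; SameSite=Lax';
}

// Constructed tag registry: each third-party script is tied to exactly one category.
const SCRIPT_REGISTRY = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
  { src: 'https://chat.example/widget.js', category: 'functional' },
];

// Only scripts whose category is consented to get a <script> tag; call this on page load.
function scriptsToLoad(cookieString, registry = SCRIPT_REGISTRY) {
  const consent = parseConsent(cookieString);
  return registry.filter(s => consent[s.category] === true).map(s => s.src);
}
```

In the browser, `scriptsToLoad(document.cookie)` gives the list to inject, and the banner's buttons write `consentCookie(acceptAll())`, `consentCookie(rejectAll())` or the customised choice to `document.cookie` before reloading the gate.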
Step 2: Write a Privacy Policy
Your privacy policy must include:
- Who you are (company name, address, contact details)
- What data you collect (names, emails, IP addresses, cookies)
- Why you collect it (legal basis for each type of processing)
- How long you keep it (retention periods)
- Who you share it with (third-party processors, analytics providers)
- Users' rights (access, deletion, portability, objection)
- How to contact you for data requests
Tips:
- Write in plain language, not legalese
- Link to the privacy policy from every page (footer)
- Update it when you add new data processing
Step 3: Audit Your Data Collection
Make a list of everything your website collects:
- Contact form submissions
- Newsletter signups
- User accounts and profiles
- Payment information
- Analytics data (IP addresses, browsing behavior)
- Cookies set by third-party scripts
For each item, document: what data, why you need it, where it is stored, how long you keep it, and who has access.
Step 4: Establish a Legal Basis
GDPR requires a valid legal basis for processing personal data. The most common are:
| Legal Basis | Use Case |
|---|---|
| Consent | Newsletter signup, marketing emails, analytics cookies |
| Contract | Processing orders, providing services the user signed up for |
| Legitimate interest | Security measures, fraud prevention, basic analytics |
| Legal obligation | Tax records, regulatory requirements |
You cannot use "legitimate interest" as a catch-all. Each processing activity needs its own justification.
Step 5: Secure Data Transmission
All personal data must be transmitted securely:
- HTTPS everywhere (no exceptions)
- TLS 1.2 or higher (disable TLS 1.0 and 1.1)
- Strong cipher suites (avoid deprecated algorithms)
- HSTS header to prevent protocol downgrade attacks
Step 6: Implement Data Subject Rights
Users have the right to:
- Access their data (provide it within 30 days)
- Rectify incorrect data
- Erase their data ("right to be forgotten")
- Port their data to another service (in machine-readable format)
- Object to processing
- Restrict processing
Provide a clear way for users to exercise these rights (email, form, account settings).
Step 7: Third-Party Data Processing Agreements
If you use third-party services that process personal data (hosting, analytics, email), you need Data Processing Agreements (DPAs) with each one.
Most major services offer standard DPAs:
- Google Analytics — DPA available
- Stripe — Included in terms of service
- Mailchimp — DPA in account settings
- AWS/Vercel/Cloudflare — DPAs available on request
Step 8: Minimize Data Collection
Only collect data you actually need:
- Do you really need a phone number in your contact form?
- Do you need to track every page view, or just aggregate traffic?
- Can you use privacy-friendly analytics instead of Google Analytics?
- Do you need to store data indefinitely, or can you set a retention period?
Step 9: Protect Stored Data
- Encrypt data at rest (database encryption)
- Hash passwords (bcrypt, argon2 — never store plain text)
- Restrict access to personal data (principle of least privilege)
- Log access to sensitive data for audit purposes
- Regular backups with encrypted storage
Step 10: Set Up Data Breach Procedures
GDPR requires you to notify the supervisory authority within 72 hours of discovering a breach, and notify affected users without undue delay if the breach is high risk.
Prepare a breach response plan:
1. Detection and containment
2. Assessment of scope and impact
3. Notification to authorities (if required)
4. Notification to affected users (if high risk)
5. Remediation and lessons learned
Step 11: Children's Data Protection
If your website might be used by children under 16 (or 13 in some countries):
- Get parental consent before collecting data
- Use age verification mechanisms
- Write privacy information in child-friendly language
Step 12: Regular Compliance Reviews
GDPR compliance is not a one-time task:
- Quarterly: Review data processing activities and update records
- Annually: Full privacy policy review and update
- On change: When adding new features, forms, or third-party services
- Continuously: Monitor for data breaches and security incidents
Verify Your Security Compliance
Many GDPR requirements overlap with website security best practices. Run a ZeriFlow scan to check your HTTPS configuration, security headers, cookie settings, and privacy indicators. It covers the technical security aspects of GDPR compliance automatically.
Conclusion
GDPR compliance protects both your users and your business. Start with the cookie consent banner and privacy policy (the most visible elements), then work through the technical and organizational steps. Use automated tools to monitor the technical aspects, and review your data processing practices regularly.