GDPR Compliance Checklist for European Websites
The General Data Protection Regulation (GDPR) has been in effect since May 2018, yet many European websites still fall short of full compliance. The consequences are real: fines of up to 20 million euros or 4% of annual global turnover, whichever is greater. Beyond fines, non-compliance erodes customer trust and can result in legal action from individuals. This checklist will help you evaluate and improve your website's GDPR posture.
Cookie Consent
Cookie consent is often the most visible GDPR requirement, and it is also where most websites fail. A compliant cookie consent mechanism must:
- Block all non-essential cookies before consent — analytics, marketing, and social media cookies must not fire until the user explicitly opts in
- Offer granular choices — users must be able to accept or reject cookies by category (necessary, analytics, marketing, preferences)
- Make rejection as easy as acceptance — the "Reject All" button must be as prominent as "Accept All." Dark patterns are explicitly prohibited.
- Store consent records — keep proof of when and how each user gave or withdrew consent
- Allow easy withdrawal — users must be able to change their cookie preferences at any time
Tools like Cookiebot, Complianz, or custom-built consent managers can handle this, but they must be configured correctly. Many out-of-the-box setups still load Google Analytics or Facebook Pixel before consent is given.
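To make the gating rule concrete, here is an added example (not code from this page, Cookiebot, Complianz or any other vendor) of the core logic a custom consent manager needs: a per-category consent state that defaults to "necessary only", an append-only log recording when and how each choice was made, a check that a tag may run only on an explicit opt-in, and a browser hook that activates inert vendor tags. The `<script type="text/plain" data-cookie-category="...">` markup convention is an assumption of this example.

```javascript
// Added example (not the page's or any vendor's code): category-gated consent
// with an append-only consent log, so no non-essential tag runs before opt-in.
const CATEGORIES = ['necessary', 'analytics', 'marketing', 'preferences'];

// A first-time visitor has consented to nothing beyond strictly necessary cookies.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, preferences: false };
}

// Effective consent is the most recent log entry, or the default when none exists.
function currentConsent(log) {
  return log.length ? log[log.length - 1].choices : defaultConsent();
}

// Append a grant or withdrawal with when and how it happened; unchanged categories
// carry over, unknown ones are rejected, and 'necessary' can never be switched off.
function recordConsent(log, choices, method, now = new Date()) {
  for (const c of Object.keys(choices)) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  const merged = { ...currentConsent(log), ...choices, necessary: true };
  return [...log, { at: now.toISOString(), method, choices: merged }];
}

// A tag may run only when its category carries an explicit true (no default opt-in).
function mayLoad(consent, category) {
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Browser side (assumed markup): vendor tags ship inert as
// <script type="text/plain" data-cookie-category="analytics" src="..."> and are
// swapped for live scripts only for categories the visitor opted in to.
function activateScripts(consent, doc = typeof document === 'undefined' ? null : document) {
  if (!doc) return 0; // nothing to do outside a browser (e.g. in tests)
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!mayLoad(consent, el.dataset.cookieCategory)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Call `activateScripts(currentConsent(log))` after the banner or preferences panel writes a new log entry, and persist the log server-side so the consent record survives beyond the browser.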
Privacy Policy Requirements
Your privacy policy must be written in clear, plain language (not legal jargon) and must include:
- Your identity and contact details as the data controller
- The types of personal data you collect and the purposes for processing
- The legal basis for each processing activity (consent, legitimate interest, contractual necessity, etc.)
- Who you share data with (hosting providers, analytics services, payment processors)
- Data retention periods for each category of data
- Users' rights (access, rectification, erasure, portability, objection)
- How to contact your Data Protection Officer (if applicable)
- How to file a complaint with a supervisory authority
Data Processing Agreements
If you use third-party services that process personal data on your behalf (hosting providers, email marketing platforms, analytics tools, CRM systems), you must have a Data Processing Agreement (DPA) in place with each one. Most major providers (AWS, Google, Mailchimp, HubSpot) offer standard DPAs that you can sign electronically.
Right to Erasure
Users have the right to request deletion of their personal data. Your website must have a process for:
- Receiving erasure requests (via a form, email, or user account settings)
- Verifying the identity of the requester
- Deleting data from all systems within 30 days (including backups, where technically feasible)
- Notifying third parties who received the data to also delete it
- Documenting the request and your response
SSL/HTTPS and Data Security
While GDPR does not specifically mandate HTTPS, it requires "appropriate technical and organisational measures" to protect personal data. In practice, this means:
- All pages must be served over HTTPS with a valid SSL/TLS certificate
- Passwords must be hashed (using bcrypt or Argon2, never MD5 or SHA-1)
- Personal data in the database should be encrypted at rest
- Access to personal data should be restricted to authorized personnel only
- Regular security audits and penetration testing should be conducted
Common Mistakes to Avoid
- Pre-ticked consent checkboxes — consent must be freely given through an affirmative action
- Bundled consent — do not combine consent for marketing emails with terms of service acceptance
- No cookie policy — a privacy policy and a cookie policy are separate requirements
- Ignoring data from contact forms — form submissions are personal data and must be handled accordingly
- Not logging consent — "we told them" is not sufficient. You must prove when and how consent was obtained.
Conclusion
GDPR compliance is not optional — it is a legal obligation for any website that serves European users or processes data of EU residents. The good news is that achieving compliance also builds trust with your audience and demonstrates professionalism. LaNexa can help you audit your website for GDPR compliance and implement the necessary changes, from cookie consent integration to data processing workflows. Contact us for a free compliance review.