Launching a startup is already overwhelming. Privacy compliance often gets pushed to 'later' — but if you're targeting European users or collecting any personal data, GDPR obligations apply from day one.
The good news: getting the basics right is achievable in a weekend. Here's the checklist.
1. Write and publish a privacy policy
Your privacy policy must explain: what personal data you collect, why you collect it (the legal basis), how long you keep it, and who you share it with. It must be written in plain, accessible language — not legalese.
Minimum coverage: name and contact details of your business, types of data collected (email, IP, usage data, etc.), purposes of processing, legal basis for each purpose, retention periods, user rights, and how to contact you for a Data Subject Access Request (DSAR).
2. Add a cookie consent mechanism
If your site uses any non-essential cookies (analytics, advertising, A/B testing tools), you need explicit consent before setting them. A cookie banner that fires on first visit, allows users to accept or decline categories, and stores that preference is the minimum requirement.
Essential cookies (session cookies, login state) don't require consent. Everything else does.
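The consent gate behind such a banner, as an added example that is not code from the original post: it reads the stored category preference, denies every non-essential category until the banner has been answered, always permits essential scripts, and serialises the user's accept/decline choices back into a cookie. The cookie name, category labels and one-year expiry are this example's own assumptions.

```javascript
// Added example, not code from the original post: a category-based consent gate
// for non-essential cookies. The cookie name and category labels are this
// example's own choices; the logic is plain JS so it runs outside a browser too.
const CONSENT_COOKIE = 'cookie_consent';                    // assumed cookie name
const OPT_IN = ['analytics', 'advertising', 'experiments'];  // categories needing consent
const DEFAULT_CONSENT = { answered: false, analytics: false, advertising: false, experiments: false };

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// A missing or malformed consent cookie means "banner not answered yet": every
// opt-in category stays off, so only essential cookies can be set until then.
function readConsent(cookieString) {
  const consent = { ...DEFAULT_CONSENT };
  try {
    const raw = parseCookies(cookieString)[CONSENT_COOKIE];
    if (raw === undefined) return consent;
    const stored = JSON.parse(raw);
    for (const cat of OPT_IN) consent[cat] = stored[cat] === true;  // explicit true only
    consent.answered = true;
  } catch (_) { /* bad encoding or unparseable JSON: keep the deny-all defaults */ }
  return consent;
}

// Essential scripts always run; opt-in categories only with stored consent;
// untagged or unknown categories are refused rather than assumed harmless.
function mayLoad(category, consent) {
  if (category === 'essential') return true;
  return OPT_IN.includes(category) && consent[category] === true;
}

// Turn the banner's accept/decline choices into a Set-Cookie value
// (one-year expiry is this example's assumption, not a GDPR requirement).
function buildConsentCookie(choices) {
  const stored = Object.fromEntries(OPT_IN.map((cat) => [cat, choices[cat] === true]));
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax`;
}
```

In the page itself, third-party tags can be shipped as `<script type="text/plain" data-category="analytics" src="...">` so the browser never executes them on its own, and swapped for live script tags only where mayLoad returns true for their category.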
3. Document your data processing activities
Keep a simple register of: what personal data you collect, where it's stored (which tools/services), who can access it, and how long you keep it. This is called a Record of Processing Activities (ROPA).
4. Identify your legal basis for each activity
Every data processing activity needs a documented legal basis under GDPR. Common ones for startups: Consent (email marketing), Contract (fulfilling orders, providing the service), Legitimate interests (fraud prevention, analytics).
5. Set up a way to handle DSARs
Data Subject Access Requests must be fulfilled within 30 days. Create a dedicated email address (e.g. privacy@yourcompany.com) and document your internal process for handling requests.
6. Use a cookie scanner before launch
Before going live, scan your site to identify every third-party script and cookie it drops. You may have more than you realise — analytics, support widgets, font loaders, A/B testing tools all touch personal data.
PrivacyAudit can automate this scan and map findings directly to your compliance checklist.