GDPR has a reputation for complexity. But for small websites, the actual requirements are narrower than most people assume. You don't need a legal team or a dedicated DPO.
Here's what you actually need.
A privacy policy (required)
Non-negotiable. If your website collects any personal data — even just an email address for a newsletter — you need a privacy policy. It must explain what you collect, why, and how users can exercise their rights.
A cookie consent banner (if you use non-essential cookies)
If you're using Google Analytics, any advertising pixels, or third-party embeds (YouTube, Intercom, Hotjar) — you need a consent banner. Essential cookies like login sessions don't count.
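The mechanism a consent banner has to implement is that non-essential third-party scripts are never injected until the visitor's stored choice allows them. The following is an added example, not code from the original article and not PrivacyAudit's own implementation; the storage key, the consent categories and the script URLs are assumptions chosen for illustration.

```javascript
// Added example: load non-essential scripts only after stored consent permits them.
// CONSENT_KEY, the category names and the script URLs are hypothetical.

const CONSENT_KEY = 'cookie-consent'; // hypothetical localStorage key

// Non-essential scripts grouped by consent category (URLs are illustrative).
const NON_ESSENTIAL_SCRIPTS = {
  analytics: ['https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE'],
  marketing: ['https://example-ads.invalid/pixel.js'],
};

// Parse a stored consent record. Absent or malformed data means "no consent",
// so a corrupted value can never accidentally enable a tracker.
function parseConsent(raw) {
  const none = { analytics: false, marketing: false };
  if (!raw) return none;
  try {
    const parsed = JSON.parse(raw);
    return {
      analytics: parsed.analytics === true,
      marketing: parsed.marketing === true,
    };
  } catch (_err) {
    return none;
  }
}

// Return the script URLs permitted under a parsed consent record.
function scriptsAllowedBy(consent) {
  return Object.keys(NON_ESSENTIAL_SCRIPTS)
    .filter((category) => consent[category] === true)
    .flatMap((category) => NON_ESSENTIAL_SCRIPTS[category]);
}

// Serialize a choice for storage; only strict `true` counts as consent.
function recordConsent(choices, now = Date.now()) {
  return JSON.stringify({
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    decidedAt: now, // lets the banner re-ask after a retention period
  });
}

// Read the stored decision and inject only the permitted <script> tags.
// `storage` and `doc` are passed in so the logic can run outside a browser.
function applyConsent(storage, doc) {
  const allowed = scriptsAllowedBy(parseConsent(storage.getItem(CONSENT_KEY)));
  for (const src of allowed) {
    const tag = doc.createElement('script');
    tag.src = src;
    tag.async = true;
    doc.head.appendChild(tag);
  }
  return allowed;
}

// Banner button handlers (hypothetical): persist the choice, then apply it.
function acceptAll(storage, doc) {
  storage.setItem(CONSENT_KEY, recordConsent({ analytics: true, marketing: true }));
  return applyConsent(storage, doc);
}

function rejectAll(storage, doc) {
  storage.setItem(CONSENT_KEY, recordConsent({ analytics: false, marketing: false }));
  return applyConsent(storage, doc);
}

// In a browser, page load injects nothing unless consent was previously given.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyConsent(window.localStorage, document);
}
```

Wire `acceptAll` and `rejectAll` to the banner's buttons, and keep the banner's own script free of any tracker calls; the point of the design is that the default path, with no stored decision, loads nothing at all. Essential cookies such as a login session are unaffected because they are set by your own backend, not by these injected scripts.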
HTTPS everywhere
Your site must be served over HTTPS. This protects data in transit and is the baseline for what GDPR calls 'appropriate technical measures'.
A way for users to exercise their rights
At minimum: an email address or contact form where users can request access to their data, ask for deletion, or withdraw consent. You must respond within 30 days.
What you probably don't need (yet)
A full-time DPO. That's required only for organisations that process personal data at scale, or process sensitive categories of data. For most small websites, a named internal contact suffices.
Formal DPIAs (Data Protection Impact Assessments) are only required for high-risk processing activities. Standard website analytics doesn't qualify.
The fastest way to know if you're compliant
Run a privacy audit against your site. Tools like PrivacyAudit can scan your website and surface missing requirements — policy links, cookie configurations, and third-party trackers — in under two minutes.