Free Resource

GDPR Compliance Checklist
for Small Websites

17 requirements across technical, documentation, process, and cookie categories. Check each one off — or use PrivacyAudit to automate the process.

17 total requirements · 4 categories · free to use

Technical Requirements

5 items

01 Privacy policy page exists and is linked

Your site must have an accessible privacy policy explaining what data you collect, why, and how it's used.

Example: Link in footer, cookie notice, and account sign-up flow.

02 Cookie consent banner is present

Visitors must be able to accept or reject non-essential cookies before they are set.

Example: A banner appearing on first visit with Accept / Decline / Manage options.

03 HTTPS / SSL certificate enabled

All pages must be served over HTTPS to protect data in transit.

Example: Valid TLS certificate, no mixed content warnings.

04 Data collection notices on forms

Every form that collects personal data (email signups, contact, checkout) must inform users what you'll do with their data.

Example: "By submitting this form, you agree to our Privacy Policy."

05 Marketing opt-out mechanism

Users who receive marketing communications must be able to unsubscribe easily.

Example: Unsubscribe link in every email, preference centre in account settings.

Documentation Requirements

5 items

01 Data inventory / processing register

You must document every type of personal data you collect, its source, how it's used, and how long you retain it.

Example: A spreadsheet or tool listing: email addresses, IP logs, purchase history — each with retention period.

02 Legal basis identified for each processing activity

Each data processing activity must have a documented legal basis: consent, contract, legitimate interest, legal obligation, vital interests, or public task.

Example: Email marketing = consent; order fulfilment = contract; fraud prevention = legitimate interest.

03 Processor agreements in place

Any third-party service that processes personal data on your behalf (email tools, hosting, analytics) must have a Data Processing Agreement (DPA) with you.

Example: DPAs signed with Stripe, Mailchimp, AWS, etc.

04 Data retention policy documented

You must specify how long you keep personal data and have a process to delete it when no longer needed.

Example: Customer data retained for 7 years for tax purposes; website logs deleted after 30 days.

05 International data transfer safeguards

If you send personal data outside the UK/EU (e.g. using US-based SaaS tools), you need appropriate safeguards in place.

Example: Standard Contractual Clauses (SCCs) or adequacy decisions.

Process Requirements

4 items

01 Data Subject Access Request (DSAR) process

You must have a way for individuals to request access to, correction of, or deletion of their personal data — and respond within 30 days.

Example: A dedicated email address or form for privacy requests.

02 Consent logged with timestamp

Where you rely on consent as your legal basis, you must be able to prove that consent was given, when, and for what purpose.

Example: Storing consent timestamp and form version in your database.

03 Data breach response process

You must have a documented plan for detecting, containing, and reporting data breaches. Breaches affecting individual rights must be reported to the ICO/supervisory authority within 72 hours.

Example: An internal runbook for incident response, with contact details for your data protection authority (DPA).

04 Privacy by design applied to new features

New products and features that involve personal data should consider privacy implications from the outset, not as an afterthought.

Example: DPIAs conducted for high-risk processing activities.

Cookie & Tracker Management

3 items

01 Cookies categorised by type

Your cookie notice must clearly distinguish between essential cookies (no consent needed) and non-essential cookies (analytics, marketing — require consent).

Example: Essential / Analytics / Marketing / Preferences categories in your cookie banner.

02 Analytics only loaded after consent

Google Analytics, Meta Pixel, and similar tools must not set cookies or collect data before the user has actively consented.

Example: Conditional script loading based on consent state.
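As an added example (not PrivacyAudit's code), this browser-side consent gate ties together the "Consent logged with timestamp" and "Analytics only loaded after consent" items: it stores what was agreed, when, and under which policy version, and only injects a script once its category is allowed. The names (createConsentRecord, gateScripts, the injector callback) and the script URLs are constructed for illustration.

```javascript
// Added example: consent record + category-gated script loading.
// All function names and sample URLs below are assumptions, not from the page.
const CATEGORIES = ["essential", "analytics", "marketing", "preferences"];

// Record what the visitor chose, when, and for which cookie-policy version,
// so the site can later prove consent. Essential cookies need no consent.
function createConsentRecord(choices, policyVersion, now = new Date()) {
  const record = { policyVersion, timestamp: now.toISOString(), categories: {} };
  for (const cat of CATEGORIES) {
    record.categories[cat] = cat === "essential" ? true : Boolean(choices[cat]);
  }
  return record;
}

// A category is allowed only with an explicit record for the current policy
// version; no record, or a record for an older policy, means "not consented".
function isAllowed(record, category, currentPolicyVersion) {
  if (category === "essential") return true;
  if (!record || record.policyVersion !== currentPolicyVersion) return false;
  return record.categories[category] === true;
}

// Inject only the scripts whose category is allowed. `inject` performs the
// side effect (appending a <script> tag) and is passed in so it can be tested.
function gateScripts(record, scripts, currentPolicyVersion, inject) {
  const loaded = [];
  for (const s of scripts) {
    if (isAllowed(record, s.category, currentPolicyVersion)) {
      inject(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}

// Constructed sample: two trackers and one essential script.
const SCRIPTS = [
  { src: "https://example.invalid/analytics.js", category: "analytics" },
  { src: "https://example.invalid/pixel.js", category: "marketing" },
  { src: "/static/session.js", category: "essential" },
];

// Browser injector: appends a <script> element to the document head.
function domInject(src) {
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}
```

In a page, call gateScripts(record, SCRIPTS, CURRENT_POLICY_VERSION, domInject) after the banner stores the record, and again on later visits only if the stored record still matches the current policy version.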

03 Cookie policy lists all cookies used

A detailed cookie policy (can be part of your privacy policy) must list every cookie, its purpose, and its expiry.

Example: A table of cookie name, provider, purpose, expiry for every cookie set.

Automate this checklist with PrivacyAudit

Instead of checking manually, let PrivacyAudit scan your website and map every finding to items on this list — then guide you through fixing them.

Start free audit

Free plan available · No credit card required