GDPR Compliance Checklist 2026: Everything Your Website Needs

A comprehensive GDPR compliance checklist for websites in 2026. Covers legal basis, privacy policies, cookie consent, DPO requirements, data processing records, DPIAs, breach notification, and international transfers.

Compliso Team
9 min read

The General Data Protection Regulation has been in force since May 2018, yet enforcement continues to intensify year after year. In 2025 alone, European Data Protection Authorities (DPAs) issued fines totalling over 2 billion EUR. With expanded enforcement budgets, new CJEU rulings, and evolving technical standards, 2026 demands a thorough review of your website’s GDPR posture.

This article provides a definitive, actionable checklist covering every GDPR obligation that applies to website operators. Whether you run a single-page portfolio or a multinational e-commerce platform, use this guide to identify gaps before a regulator does.

Legal Basis for Data Processing (Article 6)

Every piece of personal data your website processes must be tied to a lawful basis under Article 6(1) GDPR. There is no default — you must actively identify and document the basis for each processing activity.

The Six Lawful Bases

Lawful Basis | Typical Website Use Case | Key Requirement
--- | --- | ---
Consent (Art. 6(1)(a)) | Analytics cookies, marketing trackers, newsletter sign-up | Must be freely given, specific, informed, unambiguous
Contract (Art. 6(1)(b)) | Account creation, order processing, payment handling | Processing must be necessary for the contract
Legal obligation (Art. 6(1)(c)) | Tax records retention, fraud prevention | Must be required by EU or member state law
Vital interests (Art. 6(1)(d)) | Emergency contact data (rare for websites) | Last resort when consent cannot be obtained
Public interest (Art. 6(1)(e)) | Government services, public health portals | Requires legal mandate
Legitimate interest (Art. 6(1)(f)) | Basic security logging, fraud detection, first-party analytics | Requires documented balancing test (LIA)

Common mistake: Relying on “legitimate interest” for marketing cookies or third-party analytics. After the CJEU’s Planet49 ruling (C-673/17) and subsequent EDPB guidance, consent is the only viable basis for non-essential cookies and tracking technologies.

Privacy Policy (Articles 13 and 14)

Your privacy policy is not optional decoration. Articles 13 and 14 prescribe a mandatory list of disclosures that must be provided at the time of data collection.

Mandatory Disclosures Under Article 13

  • Identity and contact details of the data controller
  • Contact details of the Data Protection Officer (if appointed)
  • Purposes and legal basis for each processing activity
  • Legitimate interests pursued (where Art. 6(1)(f) is the basis)
  • Recipients or categories of recipients of personal data
  • Details of international transfers and safeguards (Chapter V)
  • Retention periods or criteria used to determine them
  • Data subject rights: access, rectification, erasure, restriction, portability, objection
  • Right to withdraw consent at any time (where consent is the basis)
  • Right to lodge a complaint with a supervisory authority
  • Whether provision of data is a statutory/contractual requirement
  • Information about automated decision-making and profiling (Art. 22)

Best Practices for Privacy Policies

  • Use clear, plain language. The GDPR explicitly requires this (Art. 12(1)).
  • Structure the document with a layered approach: a concise summary at the top, detailed disclosures below.
  • Keep it up to date. Every time you add a new analytics tool, payment provider, or marketing pixel, update the privacy policy accordingly.
  • Make it accessible from every page (typically via a persistent footer link).

Cookie Consent (ePrivacy Directive)

Cookie consent is governed by the ePrivacy Directive (2002/58/EC, as amended), not the GDPR directly. However, since cookies frequently involve personal data, GDPR consent standards apply to the consent mechanism.

Requirements for Valid Consent

  • Prior consent (opt-in): Non-essential cookies must not be set until the user actively consents. Pre-ticked checkboxes are invalid (CJEU, Planet49, C-673/17).
  • Granular choice: Users must be able to consent to specific categories (e.g., analytics, marketing) rather than only “accept all.”
  • Equal prominence of reject option: The EDPB and multiple DPAs (CNIL, Garante) have ruled that “reject all” must be presented with equal visual weight to “accept all.”
  • Informed consent: The banner must identify tracking technologies and their purposes before consent is given.
  • Revocability: Users must be able to withdraw consent as easily as they gave it (Art. 7(3) GDPR). A persistent link to cookie settings is essential.
  • No cookie walls: Making access to content conditional on accepting cookies is generally not valid consent, per EDPB Guidelines 05/2020.

Google Consent Mode v2

Since March 2024, Google requires Consent Mode v2 for any EEA website using Google Ads, Analytics, or related services. Your consent management platform must push a consent default command on page load, before any Google tag runs, that sets every consent signal to denied, and a consent update command once the user grants consent.
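As an added example (not Compliso's code and not a real CMP), the Consent Mode v2 sequence described above in plain JavaScript: the default is queued before any Google tag runs, a granular banner choice becomes an update, and withdrawal resets every signal to denied. `dataLayer` and `gtag` are the standard bootstrap names; the banner choice shape and the `mayLoad` gate are assumptions.

```javascript
// Standard Consent Mode bootstrap: in a browser this is window.dataLayer and
// the gtag stub; declared locally here so the example runs in Node.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// The four consent signals Consent Mode v2 requires a CMP to manage.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1 (page load, before gtag.js is loaded): deny everything by default.
// wait_for_update gives the CMP time to restore a stored choice before tags fire.
function setConsentDefault() {
  const defaults = Object.fromEntries(CONSENT_KEYS.map((k) => [k, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// Step 2 (user acts on the banner): map a granular choice onto the signals.
// `choice` is the assumed banner output { analytics: bool, marketing: bool };
// strictly necessary cookies need no signal and are never gated here.
function applyUserChoice(choice) {
  const marketing = choice.marketing ? 'granted' : 'denied';
  const update = {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
  gtag('consent', 'update', update);
  return update;
}

// Step 3 (persistent "cookie settings" link): withdrawal is one call, as easy
// as granting (Art. 7(3)).
function withdrawConsent() {
  return applyUserChoice({ analytics: false, marketing: false });
}

// Gate for any non-Google tracker: load it only if the latest consent command
// in the dataLayer granted the matching signal. Anything unseen stays denied.
function mayLoad(category) {
  const key = category === 'analytics' ? 'analytics_storage' : 'ad_storage';
  let state = 'denied';
  for (const cmd of dataLayer) {
    if (cmd[0] === 'consent' && cmd[2] && key in cmd[2]) state = cmd[2][key];
  }
  return state === 'granted';
}
```

Call `setConsentDefault()` synchronously in the head before the gtag.js script tag; the same `mayLoad` gate can guard non-Google scripts so no non-essential cookie is set before an explicit grant.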

Data Protection Officer (Article 37)

You must designate a DPO if:

  • You are a public authority or body
  • Your core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale
  • Your core activities consist of large-scale processing of special categories of data (Art. 9) or criminal offence data (Art. 10)

Even if a DPO is not legally required, appointing one voluntarily is considered best practice and demonstrates accountability under Article 5(2).

Records of Processing Activities (Article 30)

Article 30 requires controllers to maintain a written record of all processing activities. This obligation applies to organizations with 250 or more employees, or to any organization whose processing:

  • Is not occasional, or
  • Includes special categories of data, or
  • Is likely to result in a risk to data subjects’ rights

In practice, virtually every website operator should maintain these records. They must include:

  • Name and contact details of the controller
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Description of technical and organizational security measures

Data Protection Impact Assessment (Article 35)

A DPIA is required when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Article 35(3) lists mandatory scenarios:

  • Systematic and extensive evaluation of personal aspects (profiling)
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas

For website operators, DPIAs are most commonly required when deploying large-scale behavioral tracking, session recording tools, or biometric authentication systems.

Data Breach Notification (Articles 33 and 34)

Notification to the Supervisory Authority (Art. 33)

  • Must be made within 72 hours of becoming aware of a breach
  • Must describe the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate

Notification to Data Subjects (Art. 34)

  • Required when the breach is likely to result in a high risk to individuals
  • Must be made “without undue delay”
  • Must describe the breach in clear, plain language

Practical tip: Prepare a breach response plan and template before an incident occurs. During a breach, 72 hours disappear quickly.

International Data Transfers (Chapter V)

Transferring personal data outside the EEA requires a legal mechanism:

Mechanism | Use Case | Status
--- | --- | ---
Adequacy decision (Art. 45) | Transfers to countries deemed adequate by the Commission | EU-US Data Privacy Framework (July 2023) covers certified US companies
Standard Contractual Clauses (Art. 46(2)(c)) | Most common safeguard for non-adequate countries | New SCCs (June 2021) must be used; old versions expired
Binding Corporate Rules (Art. 47) | Intra-group transfers in multinationals | Requires DPA approval
Derogations (Art. 49) | Explicit consent, contractual necessity | Only for occasional, non-repetitive transfers

Key concern for websites: Any third-party service (analytics, CDN, payment processor, email provider) that processes data in a non-EEA country triggers Chapter V obligations. Map your data flows.

Children’s Data (Article 8)

If your website is directed at or accessible to children, Article 8 imposes additional requirements:

  • Consent for information society services requires parental authorization for children below the age threshold (16 by default, though member states can lower it to 13)
  • You must make “reasonable efforts” to verify that consent was authorized by the holder of parental responsibility
  • Privacy notices must be written in language a child can understand

Compliance Checklist

Use this checklist to audit your website’s GDPR compliance:

  • Every processing activity has a documented lawful basis under Art. 6
  • Privacy policy contains all Art. 13/14 mandatory disclosures
  • Privacy policy is written in clear, plain language and accessible from every page
  • Cookie consent is obtained before non-essential cookies are set (opt-in)
  • Cookie banner offers granular category-level consent
  • Reject option is equally prominent as accept option
  • Users can withdraw consent via a persistent cookie settings link
  • Google Consent Mode v2 is implemented (if using Google services)
  • DPO is designated (if legally required)
  • Records of Processing Activities are maintained and up to date
  • DPIA has been conducted for high-risk processing activities
  • Data breach response plan is documented and tested
  • International data transfers are covered by an appropriate safeguard (SCCs, adequacy, etc.)
  • All third-party services are documented with their data transfer locations
  • Age verification mechanisms are in place (if processing children’s data)
  • Data subject rights requests can be handled within the 30-day deadline

Staying Ahead of Regulatory Changes

GDPR compliance is not a one-time achievement. The regulatory landscape continues to evolve:

  • CJEU rulings regularly clarify the interpretation of GDPR provisions, creating new obligations or modifying existing ones
  • EDPB guidelines provide increasingly specific guidance on topics like consent, dark patterns, and international transfers
  • National DPA decisions set enforcement precedents in individual member states
  • The proposed ePrivacy Regulation may eventually replace the ePrivacy Directive, changing cookie consent requirements

Subscribe to your national DPA’s newsletter, follow EDPB publications, and run regular compliance scans to catch new issues as they emerge.

Automate Your Compliance Checks

Manually auditing every requirement is time-consuming and error-prone. Regulations change, third-party services update their behavior, and new trackers can appear on your website without your knowledge.

Compliso’s automated website scanner checks for 30 GDPR, ePrivacy, and accessibility compliance issues in under 30 seconds — covering cookie consent, tracking scripts, security headers, legal texts, and more. Pair it with the privacy policy generator and cookie banner to close gaps immediately.

Run a free compliance scan or create your free account to get your full compliance report.
