GDPR Compliance Checklist: 15 Steps for Small Businesses

GDPR compliance can feel overwhelming for small business owners. The regulation is 99 articles long. The guidance documents run into hundreds of pages. And the penalties for getting it wrong are severe.

But here is the thing: most small business websites need to get the same core set of things right. You do not need to read all 99 articles. You need a clear checklist that covers what actually matters for your website.

This guide gives you 15 practical steps. For each one, you will learn what to do, why it matters, and how to implement it. Work through these in order, and your website will be in solid shape.

Who This Checklist Is For

This checklist is for small business owners who have a website that collects personal data from visitors in the European Union. That includes businesses based in the EU, but it also includes businesses outside the EU that offer goods or services to EU residents or monitor their behavior.

If your website uses cookies, has a contact form, collects email addresses, or uses analytics tools like Google Analytics, GDPR applies to you.

Step 1: Identify What Personal Data You Collect

What to do: Make a list of every piece of personal data your website collects. This includes names, email addresses, phone numbers, IP addresses, cookie data, location data, and any other information that can identify a person.

Why it matters: You cannot comply with GDPR if you do not know what data you are processing. This data inventory is the foundation of everything else on this list.

How to do it: Go through every page on your website. Check every form. Look at your analytics tools, email marketing platform, CRM, and any third-party services. Document what data each one collects.

Step 2: Determine Your Lawful Basis for Each Type of Processing

What to do: For each type of data you collect, decide which of the six lawful bases under GDPR applies. The most common ones for websites are consent and legitimate interest.

Why it matters: GDPR requires a lawful basis for every processing activity. Without one, the processing is illegal. There is no grace period or exception.

How to do it: Use consent for marketing emails and non-essential cookies. Use contractual necessity for data needed to deliver a service the user requested. Use legitimate interest carefully and only after conducting a balancing test. Document your choice for each processing activity.

Step 3: Write a Clear Privacy Policy

What to do: Create a privacy policy that covers all the information required by GDPR Articles 13 and 14. This includes: what data you collect, why you collect it, how long you keep it, who you share it with, and what rights users have.

Why it matters: Transparency is a core GDPR principle. Your privacy policy is the primary way you inform users about how their data is handled. Most data protection authorities check the privacy policy first during an audit.

How to do it: Write it in plain language. Avoid legal jargon. Structure it with clear headings so users can find what they need. Include your contact details and the contact details of your data protection officer, if you have one. For more detail on privacy policy requirements, see our guide on whether you need a privacy policy.

Step 4: Implement a Compliant Cookie Consent Banner

What to do: Add a cookie consent banner that gives users a genuine choice about non-essential cookies. Include Accept All, Reject All, and Manage Preferences options.

Why it matters: Cookie consent is one of the most visible compliance requirements. It is also one of the most enforced. The French CNIL, Italian Garante, and other authorities have issued significant fines for non-compliant cookie banners.

How to do it: Block all non-essential cookies until the user makes a choice. Provide equal options for accepting and rejecting. Allow granular selection by category. Keep non-essential categories off by default. For real examples of compliant and non-compliant banners, see our GDPR banner examples guide.

Step 5: Fix Your Consent Forms and Checkboxes

What to do: Review every form on your website that collects personal data. Make sure consent checkboxes are unticked by default, each purpose has its own checkbox, and the language is clear and specific.

Why it matters: Invalid consent means any data collected through that form is unlawfully processed. That can lead to fines, data deletion orders, and complaints.

How to do it: Check signup forms, contact forms, checkout forms, and any other form that collects personal data. Remove pre-ticked boxes. Separate marketing consent from terms of service. State the purpose clearly. For detailed examples, see our guide on GDPR consent examples.

Check how many boxes your website ticks with a free scan.

Step 6: Set Up a Process for Data Subject Access Requests

What to do: Create a process to handle requests from individuals who want to access, correct, delete, or export their personal data. These are called Data Subject Access Requests (DSARs).

Why it matters: GDPR gives individuals specific rights over their data. You must respond to DSARs within one month. Failing to respond, or responding late, can result in complaints to the data protection authority.

How to do it: Create a dedicated email address or form for privacy requests. Train whoever handles these requests on how to verify the requester's identity and what information to provide. Document your process so it is consistent.

Step 7: Review Your Data Processing Agreements

What to do: Check that you have a Data Processing Agreement (DPA) with every third party that processes personal data on your behalf. This includes your hosting provider, email marketing service, analytics tools, CRM, payment processor, and any other service that touches personal data.

Why it matters: Under GDPR Article 28, you must have a written contract with every data processor. If a processor mishandles data and you do not have a DPA, you share liability.

How to do it: Most major service providers (Google, Mailchimp, Stripe, etc.) offer standard DPAs. Find them in your account settings or on their legal pages. Download and sign them. Keep copies organized.

Step 8: Minimize the Data You Collect

What to do: Review each form and process on your website. Ask: do we actually need this data? If not, stop collecting it.

Why it matters: Data minimization is a core GDPR principle. You should only collect data that is necessary for the stated purpose. Collecting extra data "just in case" is not compliant.

How to do it: Go through your forms field by field. If a field is not necessary for the purpose, remove it or make it optional. For example, if you run an email newsletter, you need an email address. You probably do not need a phone number.

Step 9: Set Data Retention Periods

What to do: Define how long you keep each type of personal data. Delete data when it is no longer needed for its stated purpose.

Why it matters: GDPR requires that data is not kept longer than necessary. Indefinite retention is not compliant. You need a clear policy and a way to enforce it.

How to do it: For each type of data, decide on a retention period based on the purpose. For example: customer data might be kept for the duration of the customer relationship plus a period required by tax law. Marketing consent data might be kept until the user unsubscribes. Set up automated deletion where possible.

Step 10: Secure the Personal Data You Hold

What to do: Implement appropriate security measures to protect personal data. This includes encryption, access controls, secure passwords, and keeping software up to date.

Why it matters: GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. A data breach caused by poor security can result in fines and mandatory notification to affected individuals.

How to do it: Use HTTPS on your entire website. Encrypt data at rest and in transit. Use strong passwords and two-factor authentication for admin accounts. Keep your CMS, plugins, and all software updated. Limit who has access to personal data to only those who need it.

Step 11: Create a Data Breach Response Plan

What to do: Write a plan for what to do if personal data is breached. This should cover detection, assessment, notification, and remediation.

Why it matters: GDPR requires you to notify your data protection authority within 72 hours of becoming aware of a breach that poses a risk to individuals. If the risk is high, you must also notify the affected individuals. Without a plan, meeting that 72-hour deadline is nearly impossible.

How to do it: Define who is responsible for handling breaches. Create a step-by-step procedure: detect, assess severity, notify the authority if required, notify individuals if required, document everything. Practice the plan so it works when you need it.

Step 12: Add a Cookie Policy

What to do: Create a separate cookie policy (or a dedicated section in your privacy policy) that lists all cookies your website uses, their purpose, their duration, and whether they are first-party or third-party.

Why it matters: Users need to know what cookies your site uses in order to make an informed consent decision. A generic statement about "using cookies" is not sufficient.

How to do it: Audit your website to identify every cookie. Categorize them: necessary, analytics, marketing, personalization. For each cookie, document the name, purpose, provider, and expiration. Update this list whenever you add or remove cookies.

Step 13: Maintain a Record of Processing Activities

What to do: Create and maintain a Record of Processing Activities (ROPA). This is a document that describes each processing activity, its purpose, the categories of data involved, and who has access to the data.

Why it matters: GDPR Article 30 requires organizations with more than 250 employees to maintain a ROPA. But even smaller organizations must maintain one if their processing is not occasional, involves sensitive data, or poses a risk to individuals. In practice, most websites that process personal data regularly should have one.

How to do it: Create a spreadsheet with columns for: processing activity, purpose, lawful basis, data categories, data subjects, recipients, retention period, and security measures. Keep it updated as your processing changes.

Step 14: Check Third-Party Scripts and Services

What to do: Audit every third-party script, plugin, and service running on your website. Understand what data each one collects and where that data goes.

Why it matters: Third-party services can collect personal data without your knowledge. An embedded YouTube video, a social media widget, or an analytics script can all set cookies and collect IP addresses. You are responsible for the data processing that happens on your website, even when it is done by third parties.

How to do it: Use your browser's developer tools or a scanning tool to identify all third-party requests your website makes. For each one, check whether it sets cookies, collects personal data, or transfers data outside the EU. Make sure each service is covered by your consent mechanism and your privacy policy.

Step 15: Review and Update Regularly

What to do: Schedule a regular review of your GDPR compliance. At minimum, do this every six months and whenever you make significant changes to your website.

Why it matters: Compliance is not a one-time task. New features, new third-party tools, updated regulations, and enforcement decisions can all change what you need to do. A website that was compliant six months ago might not be today.

How to do it: Set a calendar reminder for a compliance review. Go through this checklist again. Check for new guidance from your data protection authority. Run a website scan to catch any new issues.

Get your compliance score with a free website scan.

GDPR Compliance Statement Example

Many businesses need a GDPR compliance statement for their website or for business partners who ask about their compliance posture. Here is a template you can adapt:

"[Business Name] is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR). We collect and process personal data only for specified, legitimate purposes. We provide clear information about our data practices in our Privacy Policy. We implement appropriate technical and organizational measures to protect the data we process. We respect the rights of data subjects and respond to requests within the timeframes set by the regulation. For questions about our data protection practices, contact [email address]."

Adapt this to reflect your specific practices. Do not claim compliance with things you have not actually implemented.

A Practical Approach to Compliance

You do not have to do all 15 steps in a single day. Start with the ones that have the biggest impact and the highest risk:

Start here (highest priority):

• Step 3: Privacy policy
• Step 4: Cookie consent banner
• Step 5: Consent forms
• Step 10: Security measures

Then move to:

• Step 1: Data inventory
• Step 2: Lawful basis
• Step 7: Data processing agreements
• Step 14: Third-party audit

Then complete:

• Steps 6, 8, 9, 11, 12, 13, 15

Each step you complete reduces your risk. Perfect compliance on day one is not realistic for most small businesses. Steady, documented progress is what matters.

Get Your Compliance Score

If you want to see where your website stands right now, run a free compliance scan with Scanibly. The scan checks your cookie consent, privacy policy, third-party scripts, and other key compliance indicators. You will get a clear score and a list of specific issues to fix.