GDPR Compliance Checklist for Website Owners in 2026
The General Data Protection Regulation (GDPR) has been in force since May 2018, yet enforcement continues to intensify. In 2024 alone, EU regulators issued over €2.9 billion in GDPR fines. For website owners processing the personal data of individuals in the EU, compliance is not optional, and the technical requirements are often misunderstood.
This checklist covers the key requirements that apply to most websites, with specific focus on the technical controls that an automated security scanner can verify.
1. Lawful Basis & Consent
- Identify your lawful basis for each processing activity: legitimate interest, consent, contract, legal obligation. Document which applies to each purpose.
- Cookie consent banner implemented: consent must be opt-in (no pre-ticked boxes), granular by category, and as easy to withdraw as to give. Non-essential cookies must not be set until the user has consented.
- Privacy policy published at /privacy-policy: must explain what data is collected, why, on what lawful basis, how long it is retained, and users' rights.
- Records of processing activities (RoPA) maintained: required for organisations with 250+ employees, and for smaller organisations where processing is not occasional, is likely to result in a risk to individuals, or involves special-category data.
2. Technical Security Controls
Article 32 of GDPR requires "appropriate technical measures" to ensure a level of security appropriate to the risk. For websites, this translates to:
- HTTPS enforced sitewide: no HTTP pages (plain HTTP requests redirect to HTTPS), HSTS header set with a max-age of at least 31536000 (one year), and no mixed content.
- Security headers implemented: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options (nosniff), and Referrer-Policy all set.
- TLS 1.2+ only (TLS 1.0 and 1.1 disabled): weak protocol versions must be disabled on your server or CDN.
- Passwords hashed with bcrypt, Argon2, or scrypt: GDPR names no algorithm, but Article 32 requires measures that reflect the state of the art, and fast unsalted hashes such as MD5 and SHA-1 do not meet that bar for password storage. Use a salted, deliberately slow password hash.
- Access controls in place for data stores: only authorised personnel should have access to personal data. Use role-based access control.
- Data encrypted at rest: databases containing personal data should use AES-256 or equivalent encryption at rest.
- Security logging enabled: log authentication events, access control failures, and access to personal data for audit purposes.
- Vulnerability scanning performed regularly: regular automated scans demonstrate due diligence under Article 32's requirement for a process of "regularly testing, assessing and evaluating" the effectiveness of your security measures.
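The transport and header items above (HTTPS, HSTS max-age, the four security headers, no mixed content) and the "no cookies before consent" rule from section 1 are the controls a scanner can verify from a single captured response. The following is an added example of that evaluation, not SiteScanna's scanner or any code from this page; the hostname `shop.example` and both responses are constructed, and the analytics cookie names it flags (`_ga`, `_gid`, `_fbp`) are assumed as representative tracking cookies.

```python
"""Evaluate one captured HTTP response against the checklist's transport and
header controls. Added example; the sample responses are constructed."""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year, the checklist's minimum

# Headers the checklist requires, each with the value check it must pass.
# X-Content-Type-Options only counts if its value is actually "nosniff".
REQUIRED_HEADERS = {
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
}

# Assumed tracking cookie names (_ga/_gid: Google Analytics, _fbp: Meta Pixel).
# Seeing them on the first response, before any consent click, means consent
# is not gating analytics.
TRACKING_COOKIE_PREFIXES = ("_ga", "_gid", "_fbp")

# Active content loaded over plain http:// from an HTTPS page.
MIXED_CONTENT_RE = re.compile(
    r"<(?:script|iframe|link|img)\b[^>]*?\b(?:src|href)=[\"']http://[^\"']+", re.I)


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_response(url, headers, set_cookies=(), body=""):
    """Map one response to the checklist. Returns {control: (passed, detail)}."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {"https": (url.lower().startswith("https://"), url)}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        results["hsts"] = (False, "header missing")
    else:
        max_age, _ = parse_hsts(hsts)
        ok = max_age is not None and max_age >= MIN_HSTS_MAX_AGE
        results["hsts"] = (ok, f"max-age={max_age}")

    for name, valid in REQUIRED_HEADERS.items():
        value = h.get(name)
        results[name] = (value is not None and valid(value), value or "missing")

    mixed = MIXED_CONTENT_RE.findall(body)
    results["no-mixed-content"] = (not mixed, mixed)

    names = [c.split("=", 1)[0].strip() for c in set_cookies]
    tracking = [n for n in names if n.startswith(TRACKING_COOKIE_PREFIXES)]
    results["no-tracking-cookies-before-consent"] = (not tracking, tracking)
    return results


def failed_controls(results):
    """Names of the controls that did not pass, sorted for stable reporting."""
    return sorted(name for name, (passed, _) in results.items() if not passed)


# Constructed sample: a default deployment with a token HSTS value, no security
# headers, an analytics cookie on first load and a script fetched over HTTP.
WEAK = dict(
    url="https://shop.example",
    headers={"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=300"},
    set_cookies=["_ga=GA1.2.123; Path=/", "session=abc; Secure; HttpOnly"],
    body='<script src="http://cdn.example/analytics.js"></script>',
)

# Constructed sample: the same site after the checklist has been applied.
HARDENED = dict(
    url="https://shop.example",
    headers={
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    set_cookies=["session=abc; Secure; HttpOnly; SameSite=Lax"],
    body='<script src="https://cdn.example/analytics.js"></script>',
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "fails:", failed_controls(check_response(**resp)))
```

The header checks deliberately test values, not just presence: an `X-Content-Type-Options` header set to anything other than `nosniff`, or an HSTS `max-age` of a few minutes, passes a naive "is the header there" scan while providing none of the protection the control is meant to deliver.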
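For the password storage item above, here is an added example (not code from this page) that puts the pattern the checklist rules out, an unsalted fast hash, next to a salted scrypt implementation from the Python standard library. The record format `scrypt$N$r$p$salt$hash` and the work factors are this example's own choices, and the passwords used are made up.

```python
"""Password storage: unsalted MD5 (unacceptable) beside salted scrypt with
constant-time verification and parameter upgrade. Added example."""
import hashlib
import hmac
import os

# Assumed work factors: N=2**14, r=8, p=1 needs 128*N*r = 16 MiB of memory,
# which is the cost that makes offline guessing expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def md5_insecure(password):
    """The pattern the checklist rules out: no salt and a fast digest, so
    identical passwords produce identical hashes and a leaked table can be
    attacked with precomputed tables or billions of GPU guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.
    A fresh random salt per user makes every record unique."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Re-derive with the parameters stored in the record and compare in
    constant time so a wrong guess leaks no timing information. Any
    malformed record verifies as False rather than raising."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record):
    """True when a stored record uses weaker parameters than the current
    policy. Call after a successful login and store hash_password() afresh,
    so old records are upgraded without a forced password reset."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    stored = (int(parts[1]), int(parts[2]), int(parts[3]))
    return stored < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # made-up password
    print("md5, twice:", md5_insecure(pw), md5_insecure(pw))
    print("scrypt, twice:", hash_password(pw)[:40], hash_password(pw)[:40])
    record = hash_password(pw)
    print("verify ok:", verify_password(pw, record), "wrong:", verify_password("x", record))
```

Storing N, r and p inside the record is what lets you raise the work factor later without invalidating existing logins; `needs_rehash` is the hook for that migration.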
3. Data Subject Rights
- Right of access (Subject Access Request) process defined: you must respond without undue delay and within one month of the request, extendable by two further months for complex or numerous requests provided you tell the requester within the first month.
- Right to erasure ("right to be forgotten") mechanism: users can request deletion of their data in most circumstances.
- Right to portability: data must be exportable in a structured, commonly used, machine-readable format (e.g., JSON, CSV).
- Right to rectification: users can correct inaccurate personal data held about them.
4. Breach Notification Requirements
Under GDPR, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Affected individuals must be notified without undue delay if the breach is likely to pose a high risk to them.
- Incident response plan documented: who gets notified internally? Who contacts the supervisory authority? What data is captured?
- Data breach register maintained: all breaches must be logged, including those not reported to regulators, with the facts, their effects, and the remedial action taken.
- Supervisory authority (DPA) contact details known: know which supervisory authority applies to your organisation and have their contact details.
5. Third Parties & Sub-Processors
- Data Processing Agreements signed with all sub-processors: every SaaS tool that handles EU personal data on your behalf must be bound by a processor contract meeting Article 28.
- International transfer mechanisms in place: if transferring data outside the EEA, ensure Standard Contractual Clauses (SCCs) or an adequacy decision applies.
- Sub-processor list published or available on request.
📋 Check Your GDPR Technical Controls
SiteScanna maps your scan findings directly to GDPR technical requirements — showing you which controls pass and which need attention.
Common GDPR Violations to Avoid
Pre-ticked cookie consent boxes
Pre-ticked boxes, or consent "obtained" by placing analytics cookies before the user accepts, are invalid. Refusal must also be as easy as acceptance: in January 2022 the CNIL (France) fined Google €150M and Facebook €60M because refusing cookies took more clicks than accepting them.
Inadequate privacy notices
Vague language like "we may share your data with partners" is insufficient. You must name the specific purposes, legal basis, and retention period.
No data retention limits
Keeping data indefinitely violates the storage limitation principle. Define and enforce retention periods for every category of data you hold.