6 min read

The Ultimate 12-Step GDPR Compliance Checklist

Written by Andriy Boychuk

GDPR (General Data Protection Regulation) is new legislation that comes into force on the 25th of May 2018.

According to this law, if you want to collect, store, or process personal data from your EU users you must make it clear on your website how you plan to use their data and give them an explicit choice to opt-in or opt-out.

As the new regulation may seem confusing at first, we have prepared a GDPR compliance checklist to familiarize you with the exact steps you have to take to make your business and website GDPR compliant.

What Is GDPR?

The GDPR is the strictest privacy and security law anywhere in the world. The penalties for breaking GDPR can be tens of millions of Euros, so it’s a good idea to follow a GDPR compliance checklist to be sure your company doesn’t risk any penalty.

It technically only affects citizens and residents of the European Union.

However, if an American company, for instance, does business with EU residents, it has two choices: create a different website for the EU market or, as most companies do, just apply the changes across the original website.

As a result, the GDPR standards also impact the data protection of other countries’ citizens.

GDPR Website Compliance Checklist in 12 Steps

1. Make a GDPR Compliant Privacy Policy

The Privacy Policy section of your website must contain the following information:

  • General company information (who you and/or your company are and what you do)
  • The types of information you store and how you collect it
  • Links and short descriptions of the laws like GDPR, UK data protection laws, general data laws, etc.
  • Links to the 3rd party providers on your website including analytical systems like Google Analytics, Facebook pixel, targeting, retargeting services, services that track the end-user data, etc.
  • Links to all the plugins, applications or software that store your user data (e.g. WooCommerce or some membership software)
  • Links to the user request forms so that users can delete or change their data
  • Information about the personal information that this website collects and its purpose
  • Information about the data stored via the contact forms and its purpose
  • If the data is collected for email newsletter purposes: links to the privacy policy of the email service provider and the information about the person that is collected through the email marketing process
  • If there is a checkout page: information about the type of data being stored through the checkout page and its purpose
  • Information about the website’s server, its security and protection methods
  • Descriptions of the third-party data processors – companies that help you run your business and also store your customers’ data (e.g. ActiveCampaign, Klaviyo, Mailchimp, Google, PayPal, etc.) and links to their privacy policies
  • Your action plan in case of a data breach
    All data breaches need to be recorded and actioned with a preventative measure within 72 hours.
  • The data controller and data protection officer information.
    The data controller is your official company, which developed and owns this website. You need to provide detailed data: official address, street, city, and name of the registered company.
    The data protection officer is the main manager or officer who protects the data or replies to user requests to update or delete their data.

2. Cookies are a big part of GDPR website compliance

First of all, you should set up a cookie notification on your website: a pop-up inviting the user to read and agree with the privacy policy.

The list of cookies collected by your website from the users/customers should also be available.

3. User request forms

Users should be able to request that their data be deleted or changed. For this, you need to create forms that your website’s visitors can complete and send to you.

Here is the list of the type of user request forms you will need to provide:

  • A contact form with a checkbox of consent
  • User request to download their own information stored on this website with links to analytical services or other services that are used
  • User request to delete any type of user data.

4. Other forms

If your website has any other types of forms, double-check them all to make sure your website stays GDPR compliant.

Two elements must appear:

  • Checkboxes with a link to the privacy policy page, with text like “I have read and accept the Privacy Policy of ‘Website name’”
  • The Privacy Policy link of the mailing service provider that you use.

5. Plugins and applications must be GDPR compliant

Make sure all the plugins and applications that you use on your website are GDPR compliant (they must have the GDPR compliance approval on their official webpage).

If some of your plugins or applications are not GDPR compliant, find a substitute.

6. GDPR website compliance can only be achieved with a GDPR compliant CMS

Make sure your CMS (e.g. WordPress, Magento, Shopify, etc.) is up to date and GDPR compliant.

If not, update it manually, or add custom code, plugins, or software.

7. Checkout pages

Make all the checkout pages GDPR compliant by adding checkboxes for user consent and the Privacy Policy link.

8. Email notification

By the 25th of May 2018, send a new email campaign to double opt-in users and check whether they gave you consent to store their private data.

Clear your lists after this campaign and delete the users that didn’t give you their consent. You can also delete the low bounces email accounts after 2-3 email campaigns.

9. Backups

Make sure that you don’t have more than 3 customer data backups and make sure the customer data backups are secure and only you can download them.

10. User request response

If you received a user request, you have to make sure you:

  • Answer it within 2 days at most
  • Delete or update the user data 30 days after the request.

11. Opt-ins

Remove all automatic opt-ins on your site and disable the double opt-ins through the newsletters.

12. Data Access Requests Processes

A user can ask for a copy of their data. Before that happens, you have to make sure that you:

  • Have a process in place for when someone is looking for a copy of their data (Subject Data Access Request)
  • Have a process in place for when someone requests their personal data in a portable transferable format

