The ultimate checklist for GDPR compliant websites
BY Renana Dar February 9, 2023
0 minute read

As of May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR).


GDPR is an EU law that protects the personal data of EU citizens and impacts any business or website with users in the EU.


All websites must comply with GDPR if they collect, store, or process the personal data of EU citizens. But ensuring your clients' websites meet all of the GDPR requirements can be confusing—you probably aren't a lawyer, and you probably aren't a data privacy expert.


To help you get started, here's a checklist of the essential items that must be in place for your clients' websites to be GDPR-compliant and how a website building platform like Duda can help you with that.


But let's first spend some time answering basic questions like what is GDPR, why is it important, what does it include and more.


What is the GDPR?


The General Data Protection Regulation (GDPR) is an EU privacy law that regulates how companies process and store the personal data of EU citizens. It applies to any business or website with users in the EU, regardless of where it’s located.


Data Protection Authorities (DPAs) from the 27 EU countries are responsible for enforcing GDPR regulations. They are independent entities that investigate complaints, offer advice about data protection concerns, and decide whether or not the rules of GDPR have been violated.


The main purpose of the GDPR was to replace outdated national laws to protect personal data and give EU citizens more control over it. Under GDPR regulations, the individual (or data subject) has the right to know what personal information is being collected, how it’s being used, and who it’s shared with. And across the entire EU, the law remains the same.


GDPR is very strict—organizations must obtain explicit user consent before collecting their data and rigorously maintain its security. Organizations that fail to comply with GDPR could face fines ofup to €20 million or 4 percent of annual global turnover, whichever is greater.


What is GDPR compliance important?



A computer screen displays an ecommerce website and a GDPR stamp


As previously mentioned, GDPR is a strict law, and organizations that fail to comply with it could face hefty fines. But beyond the legal ramifications, having a GDPR-compliant website also shows your clients' customers that they value their privacy and are taking steps to protect their data.


There are several reasons that businesses should value and respect GDPR regulations:


  • It demonstrates that your business respects the rights of its customers, which can lead to increased customer loyalty and trust.
  • It ensures compliance with the law, avoiding expensive fines and legal action.
  • It sets a good example for other businesses in respecting user privacy.


Beyond the ability to operate legally and avoid massive fines associated with non-compliance, data privacy is important to customers. People want to know that they can trust a business and feel certain that their personal data is secure, not up for grabs.


For agency owners working with multiple clients' websites and ad strategies, compliance with data protection laws is exponentially critical—the number of potential lawsuits, fines, and data breaches is multiplied by the number of websites they work with.


What does personal data include under the GDPR?


According to the GDPR website, "personal data" includes any information that could identify a person. This covers a wide range of items, including but not limited to:


  • Names and identification numbers
  • Email addresses
  • Physical addresses and postcodes
  • IP addresses, cookie information, and RFID tags
  • Financial details such as bank account and credit card numbers
  • Images (including photos and videos)
  • Tagged images on social media
  • Political affiliations
  • Racial and ethnic data
  • Gender and sexual orientation
  • Health and biometric information (such as fingerprints)


Given that these regulations are vague, yet stringent, it's best to interpret the GDPR's definition as broadly as possible when making decisions for yourself or your clients.


Important GDPR updates for agencies



Updated for 2023

Since its implementation in 2018, GDPR has continued to evolve with the introduction of new rules and regulations.


Here are some important updates agency owners should be aware of:


  • The EU updated its policy on cookie consent in 2020. To be specific, it was made clear that cookie walls should not be used, and scrolling or swiping from website content will not indicate implied consent.
  • The definition of “joint controller” was updated in 2021. When companies are running other companies' social media accounts or displaying third-party plugins on their websites, they often become joint controllers. This means that whenever two or more entities collect customer data, both will now be held accountable if any non-compliance occurs.
  • GDPR has new rules regarding how Facebook advertisers collect, process, and store user data. Marketers and agency owners can continue to use Facebook's ad platform, but they must obtain consent before using any data. They must also inform users how it will be used and show or delete it upon request.
  • User consent must be confirmed before running email campaigns. Sending promotions without explicit, freely given consent could lead to hefty fines. Email marketing tools like MailChimp, Constant Contact, and AWeber all have various forms of consent to make sure companies are compliant with GDPR.
  • Google Analytics 4 no longer collects PII (Personally Identifiable Information) by default. To guarantee your company uses GA4 in accordance with GDPR, you'll have to audit all current data, anonymize personal information that could be used to identify users (such as an IP address) and get explicit consent before implementing the Google Analytics script. Pop-ups or widgets provide first-time and returning visitors a chance to either opt-in or opt-out.


How to make your website GDPR compliant with our complete compliance checklist


An illustration representing a checklist for GDPR-compliant websites


Ensuring compliance might seem confusing, but the reality is that a company's GDPR compliance requirements depend on the types of data it collects, processes, and stores.


Here is a complete website GDPR compliance checklist to help you make sure your clients' websites are compliant.

Just one thing, though - this checklist does not replace consulting with a legal representative with GDPR expertise.


1. Data mapping and auditing



The first step is understanding the complete customer data collection process. To do this, you have to map out and audit all customer data points that are collected, processed, and stored by the website.


You can begin by going down the following checklist and answering each question.


  • What personal data does your client already have? Refer to the list given in the background information.
  • Does the data your client's website collects include any sensitive personal data?
  • Do your client keep personal data from minors (i.e., people under the age of 16)?
  • How long does your client need to keep this data? Under GDPR, data can only be kept for as long as it is necessary.
  • Why does your client collect this data in the first place?
  • What consent does your client have from the user to collect their data?
  • Where does your client store user data?
  • What processors does your client use to process user data?
  • Does your client have any third-party plugins installed on their website (i.e., social media widgets, ads, etc.)?
  • Do any third-party services outside the EU have access to user data, and are they aware of data privacy laws?
  • How do you control third-party usage and access to user data?
  • Do you have a plan for mitigating any data breaches or security risks?


Depending on your client's specific industry, you may have a list of other topics to answer, but auditing your client's website's data points based on these questions will help you decide which data is necessary and how to store it securely.


Build GDPR-compliant Sites


2. Have your clients collect only the data that they need


Aside from the fact that it increases risk of non-compliance, excessive data processing makes it hard for you and your clients to use the data you actually need in any meaningful way. It also makes it difficult to respond quickly when users request their data be deleted or modified.


You might not know which is needed and which data is not right off the bat, but as you map out data processes and audit the data collected, you should get a better understanding of which information is critical.


  • Typically, data that is considered as needed will help you or your client accomplish one of these six things:
  • Verify a user's identity
  • Comply with legal requirements
  • Create a better user experience
  • Improve your clients' products or services


Provide more personalized communications across marketing and sales channels

Keep a record of your clients' customers’ interactions with the business for tax, audit, or liability purposes


If the data your client's website collects doesn't serve a legitimate purpose or contradicts GDPR principles (e.g., the right to be forgotten or data minimization), it's best to let it go. And if it makes your client potentially vulnerable to cybersecurity risks, you should definitely delete it.


3. Appoint a data protection officer


Small companies and individuals might not need an in-house data controller, but if your client's website collects a lot of data or operates in multiple countries, appointing a Data Protection Officer (DPO) is essential.


The DPO's job is to ensure that the company follows all GDPR requirements, including protecting customer data and responding quickly to any data requests or complaints from customers. They can also provide legal advice in the event of a website compliance discrepancy.


4. Secure the website


Once you have the internal infrastructure set up, you need to secure your client's website.


A few elements go into this:


  • SSL certificates: An SSL certificate is a must for all websites. It makes data transfers between websites and visitors safer by encrypting them and protecting their confidential information. 
  • CDN: A Content Delivery Network (CDN) helps to reduce the risk of DDoS attacks, improve website performance by caching content, and protect data from hackers.
  • Website security: Make sure you have a robust website security system in place. This means ensuring that your web hosting and account passwords are secure, regularly backing up your data, and protecting against cyber threats like malware and phishing scams.
  • Data breach reports & analysis: A data breach is an illegal or unauthorized access of private information, and it's important to be able to detect and solve them quickly. You should also analyze the data breach to determine where it originated from and how you can prevent it from happening again.


With Duda's website builder, you can take your website’s protection to the next level with our advanced security measures. SSL encryption is built into our website architecture, so you don’t have to worry about hosting a secure site. 


5. Update the website's privacy policy and terms and conditions


Privacy policies are important because they inform users of their data use. GDPR requires privacy policies to be written in plain language, with clear and transparent information about what data you’re collecting, why you’re collecting it, and how it's processed.


A Privacy Policy probably includes some information relevant to GDPR, but updating it to explicitly cover how you collect and use EU citizens' data is essential. This should include:


  • The types of data a website collects
  • How long the website uses the new data for
  • What users can do if they want their information deleted


You should also double-check your clients’ Terms and Conditions to see if they cover any GDPR-related topics, such as data transfer and storage. For instance, if they store data on servers in countries outside of the EU, they could a clause outlining the security measures they take to protect this data.


Pro tip: Make sure your website builder allows to easily create a Privacy page. Just for reference, Duda provides you with a privacy page template that you can add to every site.


6. Get consent for emails


Email newsletters and marketing campaigns are excellent ways to communicate with potential customers, promote your client's products or services, and deliver value right to their inboxes. But they can also be invasive (just think about all the times you've seen spammy emails), so it's important to make sure you or your client get explicit user consent before adding them to the list.


The GDPR states that individuals must give their “freely given, specific, informed and unambiguous” consent if they are going to be added to an email list. What this means is that you need to have a clear opt-in form on your client's website, with an unequivocal statement about the type of emails they will receive.


Some companies use small checkboxes that automatically opt users in for marketing emails, which is a bit deceptive. Avoid tricking website visitors into signing up for marketing material when they're filling out a checkout or contact form on your client's website.


When sending out promotional emails, always remember to add an unsubscribe link.


7. Review all of your client's website forms


There are a few different forms they might have on their site:


  • Active opt-in: Active opt-in forms require users to manually check a box that indicates they give their consent to receive emails.
  • Unbundled opt-ins: Unbundled opt-ins give users the option to subscribe to your mailing list or newsletter separately from other forms.
  • Double opt-in: Double opt-in forms require users to confirm their intent by clicking on a link sent via email.
  • Granular consent: Granular consent forms allow users to specify which type of emails they want to receive, such as marketing promotions or product updates.


Use an active opt-in or a double opt-in form to ensure that their customers don't find your content spammy or unauthorized. This will allow them to confirm their interest before being added to your mailing list.


8. Evaluate international data transfer


If you transfer data from the EU to another country, that country must have an adequate level of protection for personal data.


The GDPR sets out a few ways for international transfers to take place:


  • Adequacy Decisions: Adequacy decisions come into play when a third-party non-EU country has been assessed and approved as having an adequate level of data protection.
  • Binding Corporate Rules (BCRs): BCRs are written corporate policies that provide a framework for compliance with GDPR when transferring data from the EU to other countries.
  • Standard Contractual Clauses: Standard contractual clauses (SCCs) are legally binding documents that companies use to protect users' data when transferring it from the EU.


If you're transferring data from the EU to another country, make sure you and your clients both understand how those countries' laws apply to your activities and what measures you can put in place to protect that data.


9. Clean up your client's mailing lists


Auditing and updating your client's site for GDPR compliance is the perfect time to clean up their mailing list—you want to make sure they are only sending emails to people who actually want them.


Look at who is on the list, identify inactive subscribers based on individual open and engagement rates, and consider removing those contacts who have not interacted with any of the emails in the past 6 months.


If you aren't sure who to remove, you could send an email to those who haven't interacted with your client's content in a while and ask them to confirm that they want to stay on the list. Those who don't respond (or respond negatively) can then be removed.


10. Add a cookie notice or banner (but don't use cookie walls)


Have you ever noticed a banner at the bottom of a website that says something like “By continuing to use this site, you consent to our use of cookies”?


This is called a cookie notice or cookie banner. It informs users that the website uses cookies, small text files stored on their devices that store information about their browsing and search engine habits.


Under the GDPR, website owners must provide users with information about their use of cookies and give them the option to opt-out.


It's important to note that cookie walls—pages that require users to accept cookies before they view the content—are not allowed under the GDPR. The cookie notice or banner should be presented in a way that allows users to reject cookies without any penalty.


11. Review third-party services and ensure their compliance


It's important to make sure that any third-party data processors you or your client use—such as analytics or advertising platforms—are GDPR compliant. Most people sign up for these types of services without even thinking about the implications of GDPR, but agency owners who use these platforms for client reporting and progress tracking need to keep a close eye on all their data.


Look into their policies and procedures on data protection, and review the contracts you have with them. You should also be aware of any additional data processing activities they may carry out on your behalf, such as collecting and profiling user data.


12. Secure your online payment process


Both you and your clients probably collect online payments, so it's important to ensure that your payment process—whether you're using PayPal, Stripe, or any other payment platform—is GDPR compliant.


Payment processing platforms all do their part to ensure that they meet the GDPR requirements. But you still have the responsibility of making sure your online payment process is secure. This means ensuring that your checkout process is properly secured and encrypted, as well as making sure that the credit card information of customers is not stored anywhere after processing payments.


Pro tip: Mentioning that payment information isn't stored anywhere post-purchase, you might see an increase in sales.


13. Provide data rights provision


The GDPR gives individuals the right to access, rectify, and erase their personal data. As an organization or website owner processing personal data, you must make sure that your customers are aware of these rights and how to exercise them.


You should provide users with a way to view their data and request any changes they need made—this could be as simple as providing a contact email address or offering a specific form on your client's website.


Once a request is received, you or your client must act on it within 30 days and provide the user with an answer. You should also have processes in place for erasure upon request and make sure that no copies are stored anywhere else.


14. Make sure you keep records of user interactions consent decisions


Keeping a record of user interaction, including what they consent to and when is beneficial for numerous reasons:


  • Your clients can easily see what permissions they have from each user and make sure that they are staying compliant with all the necessary regulations.
  • Your clients are able to keep track of any changes or requests that come in from users, allowing them to act on them quickly and efficiently.
  • Your clients can refer back to any past interactions to provide evidence of compliance in the event of an audit.
  • Your clients can also use this data to contact users about similar services or offerings that you may have in the future.
  • In the event of a legal dispute, having detailed records of user interactions and consent can help prove that your clients took all the necessary steps to follow GDPR regulations.


Keeping a record doesn't mean that your clients need to store all the data themselves, either—there are tools and platforms that can help them keep a secure, compliant record of user interactions.


15. Remember the right to be forgotten


The right to be forgotten, also known as "data erasure" and "right to erasure," is an important component of GDPR. It guarantees individuals the right to have their personal data erased from any online databases or digital systems when they no longer wish for it to be stored there.


A situation like this can occur when a customer cancels their account, or when they revoke their consent for data processing. When this happens, your clients must erase the customer’s personal data from their systems and any third-party systems that may be storing it.


Your clients can also set up an automated process to ensure that no sensitive information is kept on record after a certain amount of time (e.g., deleting customer data after six months of inactivity).


16. Use request response



Customers and site visitors may make a data subject access request or any GDPR-related requests, including but not limited to:


  • Accessing personal data
  • Changing, modifying, or deleting personal data
  • Revoking consent for data processing
  • Exercising the right to be forgotten


Implementing request response allows to collect and process requests easily, ensuring customers promptly get the answers they need.


Ensuring compliance with the Duda platform


At Duda, we take GDPR compliance seriously.


Our website builder offers the ultimate package of website protection and security with a privacy page template, customizable cookie notification, and free SSL certificate.


Click here to learn more about our commitment to GDPR compliance.


Final thoughts


A lot goes into GDPR compliance, and for global business owners unfamiliar with the law and its regulations, it can be a confusing process. Taking a proactive approach to compliance is the best way to protect your agency, clients and their customers.


By implementing the 16 steps outlined in this article, you are well on your way to ensure that your clients' sites are GDPR-compliant and secure (but again, be sure to be sure to contact a law representative for a full GDPR-compliant plan). And by using a website builder with GDPR features built-in, you can make the process easier and more efficient.


Headshot of Renana Dar

Renana Dar

Senior Content Writer, Duda.

Did you find this article interesting?


Thanks for the feedback!
A screenshot of a plumber's website with a

Help your SMB clients adopt eCommerce: Tearing down the walls!

By Renana Dar May 5, 2025
Many SMBs still hesitate to embrace eCommerce. As the agency partner, you have the opportunity to tear down the perceived walls of eCommerce and show clients how eCommerce can make their business more efficient, accessible, and profitable. Read all about it!
A computer screen with a graph on it and a purple background.

How platform ecosystems drive revenue

By Santi Clarke April 24, 2025
Learn how platform ecosystems drive revenue and why they are essential for the growth of SaaS businesses.

How to make your SaaS platform stickier

By Santi Clarke April 24, 2025
One of the greatest challenges for SaaS platforms is keeping users engaged long-term. The term “stickiness” refers to a product's ability to retain users and make them want to return. In the context of SaaS platforms, creating a sticky product means that users consistently find value, experience seamless interactions, and continue using the product over time. The following are 7 practical strategies you can take to improve the stickiness of your SaaS solution. 1. Offer websites that help customers build their digital presence One of the most effective ways to make your SaaS platform sticky is by offering websites to your users. Many businesses today need an online presence, and by providing a platform where your customers can easily build and manage their websites, you increase their reliance on your product. When you offer users a website-building solution, you’re helping them create something foundational to their business. Websites, in this case, aren’t just a tool—they become a part of their identity and brand. This deepens their engagement with your platform, as they need your product to maintain and update their site, ultimately making them less likely to churn. Plus, websites naturally encourage frequent updates, content creation, and customer interactions, which means your users will return to your platform regularly. When you can give your users the tools to create something so essential to their business, you make them more dependent on your platform. This creates a higher barrier to exit, as migrating a fully built website to another service is no small task. In fact, websites are some of the stickiest products you can sell, so adding them to your product portfolio can be one of the best decisions you can to keep your customers using your technology for the long haul. 2. Deliver continuous value through product innovation The key to keeping users coming back to your SaaS platform is ensuring that they consistently see value in it. This means not only meeting their immediate needs but also evolving to address their growing demands. Constant product innovation is essential for keeping your users satisfied and invested in your platform. One way to achieve this is through regular updates that add new features or improvements based on user feedback. A SaaS platform that evolves with its users will keep them engaged longer, making it harder for competitors to steal their attention. Encourage user feedback and prioritize updates that create tangible improvements. This creates an ongoing relationship with your users, which boosts stickiness. 3. Offer a multi-product solution Another powerful way to increase your platform’s stickiness is by offering a suite of products or features that integrate well together. When your users adopt multiple products, they are more likely to stay because they become embedded in your ecosystem. The benefits of this strategy are clear. Research shows that once users adopt more than one product, especially when they integrate >4 tools into their workflow, their likelihood of churn decreases significantly. This happens because the more a user integrates into your suite of products, the harder it is for them to switch to a competitor. These users have invested time in learning your ecosystem and rely on it for their day-to-day operations, making it much harder for them to make the switch. 4. Create a personal connection with your users Human connection is one of the most powerful drivers of user retention. People don’t want to feel like they’re using a cold, faceless platform. By offering exceptional customer support, personalized communication, and community engagement, you build a relationship with your users that goes beyond the product itself. Make sure your support team is responsive, knowledgeable, and empathetic. You can also consider offering tailored onboarding experiences to ensure users understand how to make the most of your platform. When users feel like their success matters to you, they are more likely to remain loyal. 5. Leverage data to personalize the user experience Using data to drive personalization is another strategy that can significantly increase the stickiness of your platform. By tracking user behavior and usage patterns, you can tailor the experience to each individual user’s needs. This could mean recommending features they haven’t yet explored or sending them reminders about tools they may not be fully utilizing. Personalization gives users the feeling that the platform was designed specifically for them, making it harder to walk away from. By demonstrating that you understand their unique needs, you can build a stronger connection and ultimately increase retention rates. 6. Focus on seamless integrations and API capabilities To further increase stickiness, consider expanding your product’s ability to integrate with other tools your users already rely on. Whether it’s email marketing software, CRM systems, or social media management tools, seamless integrations add tremendous value by making it easier for users to incorporate your platform into their existing workflows. The more your product can work in tandem with other popular tools, the more indispensable it becomes. In fact, users who depend on integrations are less likely to churn since their entire ecosystem is tied to your platform’s functionality. 7. Encourage user advocacy and community building User advocacy is another powerful tool in building a sticky product. When users feel a sense of community or even ownership over the platform, they become your most passionate promoters. Encourage your users to share their success stories, join community forums, or contribute to product development through beta testing or feedback loops. A thriving user community not only increases user engagement but also creates a sense of loyalty. When users are part of something larger than themselves, they are more likely to remain committed to your platform, reducing churn and increasing lifetime value. Create deep, lasting customer relationships Making your SaaS platform sticky is all about creating a deep, lasting connection with your users. This requires building a platform that continuously delivers value, creating a seamless and personalized experience, and integrating features that keep users coming back. By focusing on product innovation, offering a multi-product ecosystem, and fostering strong user relationships, you’ll be well on your way to reducing churn and boosting user retention. Stickiness isn’t just a nice-to-have; it’s essential for long-term success. Focus on creating a platform that users can’t imagine living without, and you’ll see them stick around for the long haul.
Show More

Latest posts