The ultimate checklist for GDPR compliant websites

February 9, 2023

As of May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR).


GDPR is an EU law that protects the personal data of EU citizens and impacts any business or website with users in the EU.


All websites must comply with GDPR if they collect, store, or process the personal data of EU citizens. But ensuring your clients' websites meet all of the GDPR requirements can be confusing—you probably aren't a lawyer, and you probably aren't a data privacy expert.


To help you get started, here's a checklist of the essential items that must be in place for your clients' websites to be GDPR-compliant and how a website building platform like Duda can help you with that.


But first, let's answer some basic questions: what GDPR is, why it matters, what it covers, and more.


What is the GDPR?


The General Data Protection Regulation (GDPR) is an EU privacy law that regulates how companies process and store the personal data of EU citizens. It applies to any business or website with users in the EU, regardless of where it’s located.


Data Protection Authorities (DPAs) from the 27 EU countries are responsible for enforcing GDPR regulations. They are independent entities that investigate complaints, offer advice about data protection concerns, and decide whether or not the rules of GDPR have been violated.


The main purpose of the GDPR was to replace outdated national laws to protect personal data and give EU citizens more control over it. Under GDPR regulations, the individual (or data subject) has the right to know what personal information is being collected, how it’s being used, and who it’s shared with. And across the entire EU, the law remains the same.


GDPR is very strict—organizations must obtain explicit user consent before collecting their data and rigorously maintain its security. Organizations that fail to comply with GDPR could face fines of up to €20 million or 4 percent of annual global turnover, whichever is greater.


Why is GDPR compliance important?





As previously mentioned, GDPR is a strict law, and organizations that fail to comply with it could face hefty fines. But beyond the legal ramifications, a GDPR-compliant website also shows your clients' customers that your clients value their privacy and are taking steps to protect their data.


There are several reasons that businesses should value and respect GDPR regulations:


  • It demonstrates that your business respects the rights of its customers, which can lead to increased customer loyalty and trust.
  • It ensures compliance with the law, avoiding expensive fines and legal action.
  • It sets a good example for other businesses in respecting user privacy.


Beyond the ability to operate legally and avoid massive fines associated with non-compliance, data privacy is important to customers. People want to know that they can trust a business and feel certain that their personal data is secure, not up for grabs.


For agency owners working with multiple clients' websites and ad strategies, compliance with data protection laws is exponentially critical—the number of potential lawsuits, fines, and data breaches is multiplied by the number of websites they work with.


What does personal data include under the GDPR?


According to the GDPR website, "personal data" includes any information that could identify a person. This covers a wide range of items, including but not limited to:


  • Names and identification numbers
  • Email addresses
  • Physical addresses and postcodes
  • IP addresses, cookie information, and RFID tags
  • Financial details such as bank account and credit card numbers
  • Images (including photos and videos)
  • Tagged images on social media
  • Political affiliations
  • Racial and ethnic data
  • Gender and sexual orientation
  • Health and biometric information (such as fingerprints)


Given that these regulations are vague, yet stringent, it's best to interpret the GDPR's definition as broadly as possible when making decisions for yourself or your clients.


Important GDPR updates for agencies



Updated for 2023

Since its implementation in 2018, GDPR has continued to evolve with the introduction of new rules and regulations.


Here are some important updates agency owners should be aware of:


  • The EU updated its policy on cookie consent in 2020. To be specific, it was made clear that cookie walls should not be used, and that scrolling or swiping through website content does not constitute consent.
  • The definition of “joint controller” was updated in 2021. When companies are running other companies' social media accounts or displaying third-party plugins on their websites, they often become joint controllers. This means that whenever two or more entities collect customer data, both will now be held accountable if any non-compliance occurs.
  • GDPR has new rules regarding how Facebook advertisers collect, process, and store user data. Marketers and agency owners can continue to use Facebook's ad platform, but they must obtain consent before using any data. They must also inform users how it will be used and show or delete it upon request.
  • User consent must be confirmed before running email campaigns. Sending promotions without explicit, freely given consent could lead to hefty fines. Email marketing tools like MailChimp, Constant Contact, and AWeber all have various forms of consent to make sure companies are compliant with GDPR.
  • Google Analytics 4 no longer collects PII (Personally Identifiable Information) by default. To guarantee your company uses GA4 in accordance with GDPR, you'll have to audit all current data, anonymize personal information that could be used to identify users (such as an IP address) and get explicit consent before implementing the Google Analytics script. Pop-ups or widgets provide first-time and returning visitors a chance to either opt-in or opt-out.


How to make your website GDPR compliant with our complete compliance checklist




Ensuring compliance might seem confusing, but the reality is that a company's GDPR compliance requirements depend on the types of data it collects, processes, and stores.


Here is a complete website GDPR compliance checklist to help you make sure your clients' websites are compliant.

Just one thing, though - this checklist does not replace consulting with a legal representative with GDPR expertise.


1. Data mapping and auditing



The first step is understanding the complete customer data collection process. To do this, you have to map out and audit all customer data points that are collected, processed, and stored by the website.


You can begin by going down the following checklist and answering each question.


  • What personal data does your client already have? Refer to the list of personal data types given above.
  • Does the data your client's website collects include any sensitive personal data?
  • Does your client keep personal data from minors (i.e., people under the age of 16)?
  • How long does your client need to keep this data? Under GDPR, data can only be kept for as long as it is necessary.
  • Why does your client collect this data in the first place?
  • What consent does your client have from the user to collect their data?
  • Where does your client store user data?
  • What processors does your client use to process user data?
  • Does your client have any third-party plugins installed on their website (i.e., social media widgets, ads, etc.)?
  • Do any third-party services outside the EU have access to user data, and are they aware of data privacy laws?
  • How do you control third-party usage and access to user data?
  • Do you have a plan for mitigating any data breaches or security risks?


Depending on your client's specific industry, you may have a list of other topics to answer, but auditing your client's website's data points based on these questions will help you decide which data is necessary and how to store it securely.




2. Have your clients collect only the data that they need


Aside from the fact that it increases the risk of non-compliance, excessive data processing makes it hard for you and your clients to use the data you actually need in any meaningful way. It also makes it difficult to respond quickly when users request that their data be deleted or modified.


You might not know right off the bat which data is needed and which is not, but as you map out data processes and audit the data collected, you should get a better understanding of which information is critical.


Typically, data that is considered necessary will help you or your client accomplish one of these six things:


  • Verify a user's identity
  • Comply with legal requirements
  • Create a better user experience
  • Improve your clients' products or services
  • Provide more personalized communications across marketing and sales channels
  • Keep a record of your clients' customers’ interactions with the business for tax, audit, or liability purposes


If the data your client's website collects doesn't serve a legitimate purpose or contradicts GDPR principles (e.g., the right to be forgotten or data minimization), it's best to let it go. And if it makes your client potentially vulnerable to cybersecurity risks, you should definitely delete it.


3. Appoint a data protection officer


Small companies and individuals might not need an in-house data protection officer, but if your client's website collects a lot of data or operates in multiple countries, appointing a Data Protection Officer (DPO) is essential.


The DPO's job is to ensure that the company follows all GDPR requirements, including protecting customer data and responding quickly to any data requests or complaints from customers. They can also provide legal advice in the event of a website compliance discrepancy.


4. Secure the website


Once you have the internal infrastructure set up, you need to secure your client's website.


A few elements go into this:


  • SSL certificates: An SSL (TLS) certificate is a must for all websites. It encrypts data transferred between the website and its visitors, protecting their confidential information in transit.
  • CDN: A Content Delivery Network (CDN) helps to reduce the risk of DDoS attacks, improve website performance by caching content, and protect data from attackers.
  • Website security: Make sure you have a robust website security system in place. This means ensuring that your web hosting and account passwords are secure, regularly backing up your data, and protecting against cyber threats like malware and phishing scams.
  • Data breach reports & analysis: A data breach is unauthorized access to personal data, and it's important to be able to detect and contain one quickly. You should also analyze the breach to determine where it originated and how you can prevent it from happening again.


With Duda's website builder, you can take your website’s protection to the next level with our advanced security measures. SSL encryption is built into our website architecture, so you don’t have to worry about hosting a secure site. 


5. Update the website's privacy policy and terms and conditions


Privacy policies are important because they inform users of their data use. GDPR requires privacy policies to be written in plain language, with clear and transparent information about what data you’re collecting, why you’re collecting it, and how it's processed.


Your client's existing privacy policy probably already includes some information relevant to GDPR, but updating it to explicitly cover how you collect and use EU citizens' data is essential. This should include:


  • The types of data a website collects
  • How long the website retains the data it collects
  • What users can do if they want their information deleted


You should also double-check your clients’ Terms and Conditions to see if they cover any GDPR-related topics, such as data transfer and storage. For instance, if they store data on servers in countries outside of the EU, they could add a clause outlining the security measures they take to protect this data.


Pro tip: Make sure your website builder allows you to easily create a Privacy page. Just for reference, Duda provides you with a privacy page template that you can add to every site.


6. Get consent for emails


Email newsletters and marketing campaigns are excellent ways to communicate with potential customers, promote your client's products or services, and deliver value right to their inboxes. But they can also be invasive (just think about all the times you've seen spammy emails), so it's important to make sure you or your client get explicit user consent before adding them to the list.


The GDPR states that individuals must give their “freely given, specific, informed and unambiguous” consent if they are going to be added to an email list. What this means is that you need to have a clear opt-in form on your client's website, with an unequivocal statement about the type of emails they will receive.


Some companies use small checkboxes that automatically opt users in for marketing emails, which is a bit deceptive. Avoid tricking website visitors into signing up for marketing material when they're filling out a checkout or contact form on your client's website.


When sending out promotional emails, always remember to add an unsubscribe link.


7. Review all of your client's website forms


There are a few different forms they might have on their site:


  • Active opt-in: Active opt-in forms require users to manually check a box that indicates they give their consent to receive emails.
  • Unbundled opt-ins: Unbundled opt-ins give users the option to subscribe to your mailing list or newsletter separately from other actions on the site, such as completing a checkout or contact form.
  • Double opt-in: Double opt-in forms require users to confirm their intent by clicking on a link sent via email.
  • Granular consent: Granular consent forms allow users to specify which type of emails they want to receive, such as marketing promotions or product updates.


Use an active opt-in or a double opt-in form to ensure that your client's customers don't find the content spammy or unauthorized. This lets subscribers confirm their interest before being added to the mailing list.


8. Evaluate international data transfer


If you transfer data from the EU to another country, that country must have an adequate level of protection for personal data.


The GDPR sets out a few ways for international transfers to take place:


  • Adequacy Decisions: Adequacy decisions come into play when a non-EU country has been assessed and approved as having an adequate level of data protection.
  • Binding Corporate Rules (BCRs): BCRs are written corporate policies that provide a framework for compliance with GDPR when transferring data from the EU to other countries.
  • Standard Contractual Clauses: Standard contractual clauses (SCCs) are legally binding documents that companies use to protect users' data when transferring it from the EU.


If you're transferring data from the EU to another country, make sure you and your clients both understand how those countries' laws apply to your activities and what measures you can put in place to protect that data.


9. Clean up your client's mailing lists


Auditing and updating your client's site for GDPR compliance is the perfect time to clean up their mailing list—you want to make sure they are only sending emails to people who actually want them.


Look at who is on the list, identify inactive subscribers based on individual open and engagement rates, and consider removing those contacts who have not interacted with any of the emails in the past 6 months.


If you aren't sure who to remove, you could send an email to those who haven't interacted with your client's content in a while and ask them to confirm that they want to stay on the list. Those who don't respond (or respond negatively) can then be removed.


10. Add a cookie notice or banner (but don't use cookie walls)


Have you ever noticed a banner at the bottom of a website that says something like “By continuing to use this site, you consent to our use of cookies”?


This is called a cookie notice or cookie banner. It informs users that the website uses cookies, small text files stored on their devices that record information about their browsing habits.


Under the GDPR, website owners must provide users with information about their use of cookies and give them the option to opt out.


It's important to note that cookie walls—pages that require users to accept cookies before they view the content—are not allowed under the GDPR. The cookie notice or banner should be presented in a way that allows users to reject cookies without any penalty.
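An added example, not code from the article or the Duda platform, tying together items 7, 10 and 14 and the 2020 cookie-consent update above: a small consent ledger for a banner that treats only explicit choices as consent, logs scrolling and dismissals for audit without granting anything, records granular categories with timestamps, and gates third-party scripts on that record. The class, function and category names and the sample tag URLs are this example's own assumptions, not a real library or vendor API.

```javascript
// Added example, not code from the Duda article or platform. Names here
// (ConsentLedger, CATEGORIES, bannerState, ...) are this example's own.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const EXPLICIT = ["accept", "reject", "withdraw"];

class ConsentLedger {
  // `now` is injectable so the timestamped record is testable with a fixed clock.
  constructor(now = () => new Date()) {
    this.now = now;
    this.records = []; // append-only audit log: { ts, action, granted }
  }

  // An explicit choice made on the banner. `categories` must be exactly what
  // the visitor ticked; "necessary" is always allowed and nothing else is
  // implied. "reject" and "withdraw" both fall back to necessary only.
  record(action, categories = []) {
    if (!EXPLICIT.includes(action)) throw new Error(`unknown action: ${action}`);
    const unknown = categories.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown categories: ${unknown}`);
    const granted = action === "accept"
      ? CATEGORIES.filter((c) => c === "necessary" || categories.includes(c))
      : ["necessary"];
    this.records.push({ ts: this.now().toISOString(), action, granted });
    return this.current();
  }

  // Scrolling, swiping or closing the banner is not consent (the 2020 update
  // the article mentions). It is logged for the audit trail only.
  observe(uiEvent) {
    this.records.push({ ts: this.now().toISOString(), action: `ui:${uiEvent}`, granted: null });
    return this.current();
  }

  // The latest explicit decision wins. No decision yet => strictly necessary only.
  current() {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].granted) return { decided: true, granted: this.records[i].granted };
    }
    return { decided: false, granted: ["necessary"] };
  }

  allows(category) {
    return this.current().granted.includes(category);
  }
}

// Third-party tags load only for categories the visitor granted, so an
// analytics snippet never runs before an explicit opt-in.
function scriptsToLoad(ledger, tags) {
  return tags.filter((t) => ledger.allows(t.category)).map((t) => t.src);
}

// The banner stays visible until an explicit decision and then goes away
// whatever that decision was: rejecting costs the visitor nothing and page
// content is never withheld (no cookie wall).
function bannerState(ledger) {
  return ledger.current().decided ? "hidden" : "show";
}

// Constructed sample tag list with placeholder URLs, not real vendor snippets.
const SAMPLE_TAGS = [
  { category: "necessary", src: "https://cdn.example/session.js" },
  { category: "analytics", src: "https://cdn.example/analytics.js" },
  { category: "marketing", src: "https://cdn.example/ads-pixel.js" },
];
```

In a real page the banner's Accept/Reject buttons would call `record()` and the tag loader would consult `scriptsToLoad()` before injecting any script element; the ledger itself can be persisted server-side as the consent record item 14 asks for.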


11. Review third-party services and ensure their compliance


It's important to make sure that any third-party data processors you or your client use—such as analytics or advertising platforms—are GDPR compliant. Most people sign up for these types of services without even thinking about the implications of GDPR, but agency owners who use these platforms for client reporting and progress tracking need to keep a close eye on all their data.


Look into their policies and procedures on data protection, and review the contracts you have with them. You should also be aware of any additional data processing activities they may carry out on your behalf, such as collecting and profiling user data.


12. Secure your online payment process


Both you and your clients probably collect online payments, so it's important to ensure that your payment process—whether you're using PayPal, Stripe, or any other payment platform—is GDPR compliant.


Payment processing platforms all do their part to ensure that they meet the GDPR requirements. But you still have the responsibility of making sure your online payment process is secure. This means ensuring that your checkout process is properly secured and encrypted, as well as making sure that the credit card information of customers is not stored anywhere after processing payments.


Pro tip: By mentioning that payment information isn't stored anywhere post-purchase, you might see an increase in sales.


13. Provide for data rights


The GDPR gives individuals the right to access, rectify, and erase their personal data. As an organization or website owner processing personal data, you must make sure that your customers are aware of these rights and how to exercise them.


You should provide users with a way to view their data and request any changes they need made—this could be as simple as providing a contact email address or offering a specific form on your client's website.


Once a request is received, you or your client must act on it within 30 days and provide the user with an answer. You should also have processes in place for erasure upon request and make sure that no copies are stored anywhere else.


14. Make sure you keep records of user interactions and consent decisions


Keeping a record of user interactions, including what they consent to and when, is beneficial for numerous reasons:


  • Your clients can easily see what permissions they have from each user and make sure that they are staying compliant with all the necessary regulations.
  • Your clients are able to keep track of any changes or requests that come in from users, allowing them to act on them quickly and efficiently.
  • Your clients can refer back to any past interactions to provide evidence of compliance in the event of an audit.
  • Your clients can also use this data to contact users about similar services or offerings that you may have in the future.
  • In the event of a legal dispute, having detailed records of user interactions and consent can help prove that your clients took all the necessary steps to follow GDPR regulations.


Keeping a record doesn't mean that your clients need to store all the data themselves, either—there are tools and platforms that can help them keep a secure, compliant record of user interactions.


15. Remember the right to be forgotten


The right to be forgotten, also known as "data erasure" and "right to erasure," is an important component of GDPR. It guarantees individuals the right to have their personal data erased from any online databases or digital systems when they no longer wish for it to be stored there.


A situation like this can occur when a customer cancels their account, or when they revoke their consent for data processing. When this happens, your clients must erase the customer’s personal data from their systems and any third-party systems that may be storing it.


Your clients can also set up an automated process to ensure that no sensitive information is kept on record after a certain amount of time (e.g., deleting customer data after six months of inactivity).


16. Set up a request response process



Customers and site visitors may make a data subject access request or other GDPR-related requests, including but not limited to:


  • Accessing personal data
  • Changing, modifying, or deleting personal data
  • Revoking consent for data processing
  • Exercising the right to be forgotten


Implementing a request response process lets you collect and process requests easily, ensuring customers promptly get the answers they need.


Ensuring compliance with the Duda platform


At Duda, we take GDPR compliance seriously.


Our website builder offers the ultimate package of website protection and security with a privacy page template, customizable cookie notification, and free SSL certificate.


Click here to learn more about our commitment to GDPR compliance.


Final thoughts


A lot goes into GDPR compliance, and for global business owners unfamiliar with the law and its regulations, it can be a confusing process. Taking a proactive approach to compliance is the best way to protect your agency, clients and their customers.


By implementing the 16 steps outlined in this article, you are well on your way to ensuring that your clients' sites are GDPR-compliant and secure (but again, be sure to contact a legal representative for a full GDPR-compliant plan). And by using a website builder with GDPR features built-in, you can make the process easier and more efficient.


Renana Dar, Senior Content Writer, Duda.

