Important Information - This article does not constitute legal advice, but is intended as a practical guide.

GDPR Checklist – Especially in Europe, every website has to inform its visitors about how it collects and processes data. I have written this article because I have received many questions on this subject. Understandably, it may sound overwhelming, but if you take it step by step, you can make your website compliant with the GPDR laws. I choose one of the strictest GPDR laws, which comes from Germany – the Datenschutzgrundverordnung (DSGVO). It should cover all the important data protection measures so that you can present your website to your international visitors without any problems (until they change the laws again, or misinterpret their own laws).

Let’s take your site as internationally legal as possible!

The GPDR List

Here is a list of the most important elements that should be included in every website. They are arranged according to implementation steps. Each step includes a brief definition of the element.

  1. SSL (Secure Sockets Layer)
    • Changes the web address from http to https. It allows user data to be transmitted in encrypted form. It is also an important factor for Google ranking.
  2. A working(!) Cookie Banner
    • A notice displayed on the website to provide transparency to visitors, inform users about the use of cookies and obtain their consent before cookies are used. A working cookie banner disables all 3rd party cookies until the user has consented.
  3. Legal Notice / Imprint page
    • Basic legal and publication information that tells visitors who the owner of the website is and how they can be contacted.
  4. Privacy Policy page
    • A legal document outlining how a website collects, uses, stores and protects the personal information of its users.
  5. Terms and Conditions page (especially for online merchants and service providers)
    • A set of rules and guidelines that govern the relationship between a website or online platform and its users or customers. It provides a framework for conducting business or using the website’s services.

Other GPDR Elements to consider

Now you got most important ones covered. Of course, I will give you some further tips because the GPDR topic is like a jungle and I am giving you a map to survive. There are some other areas which should also be covered.

CMS Platforms

When using CMS platforms such as WordPress, follow the golden design rule: less but better. Fewer plugins can actually make data protection easier and it will also speed up the website.

Be aware of pre-installed Google Fonts. They are connected to Google’s servers, so you are sending data to them. Try to install the fonts locally, this will also make the website load faster.

Contact Form

When using a contact form, always include a checkbox between the input fields and the submit button to inform the user that they have read the privacy policy and understand how the data they enter will be processed. Don’t forget to include a link to the Privacy Policy, which explains how you intend to use the information submitted.

Imprint & Privacy Policy

There are several websites that generate imprint and privacy policies for free. However, if you need additional text or translation, you will need to go for the paid version. You can do a Google search for “privacy policy generator” or “imprint generator” – the most popular generator site in Germany is

If you are redesigning a website for a larger company in Europe, I suggest that you or your client go through it with the lawyer. So many little things can go wrong because of unclear rules that are open to wide interpretation. The same goes for the use of T&Cs.

Analytics Tools

In Germany, which has one of the strictest data protection laws, you need to make sure that you have anonymised the IP address. The IP address is like a street address. It uniquely identifies a user’s physical location. Google Analytics is the most popular analytics tool. To be on the safe side of data usage, you can choose to use Matomo and store the data on your own server instead of Google’s.

Credits for images and graphics

Not really a GDPR issue, but I think it should be mentioned here. All images/graphics that you have obtained for free from platforms such as pexels / unsplash should always be credited to the photographer. This can all be done in the imprint/legal notice. It is also advisable to mention the photographer you or your client hired for the website.

Cookie Banner Tool

If you are using a cookie banner, depending on what structure you are building – WordPress or HTML – you can go to, Osano or Complianz for starters. Otherwise, do your own research and find one that suits you.

The Golden Nugget to speed up Web Development

The first time you create a new website, put it in maintenance mode. This way, you can be sure that no GDPR compliance lawyers will send you a warning letter or even a claim for damages (even though there is no damage to be done) if your website is not even finished or ready for the public. It also makes it easier for you to create the privacy policy and legal notice as soon as your website is ready to be published. You don’t have to update them every time you add another 3rd party plugin/tool during the development.

Before publishing the site, you can use one of the free cookie scanners (look it up). But if you already know how to use the browser’s inspector. You can check if any cookies appear in the Network tab.

Final Thoughts

It’s a long list, but it’s worth it, and you should also know that the GDPR legislation is still a work in progress. The GDPR is a set of rules that govern how personal data should be protected in the EU. However, because the rules are broad and open to interpretation, there may be differences in how they are understood and applied by different countries and authorities. Some areas are not covered by the GDPR, and this can lead to confusion and disagreements between businesses.

In short, you need to let your visitors know who owns the site, how they can contact the site owner, and what the site will do with their information. You also need to block any element that collects data until the user has given consent. Try to collect only the data you really need and nothing more, just to be on the safe side.

If you have any further questions, feel free to drop me a line.