
Achieve GDPR Compliance

Protect EU visitor data and meet GDPR requirements without hiring a lawyer.

If you have website visitors from the EU and collect any data—email addresses, analytics, cookies—GDPR applies to you. The good news: for most small businesses, compliance takes an afternoon with the right tools.

This guide covers: What GDPR requires, the minimum you need, and the fastest path to compliance.

What this covers: The six GDPR requirements (cookie consent, privacy policy, data subject rights, DPAs, breach notification, processing records) and the minimum viable compliance path for small businesses.

Who it’s for: Site owners with EU visitors who collect data through analytics, email signups, or cookies and need to meet GDPR obligations.

Key outcome: You’ll have a cookie consent banner that blocks tracking before acceptance, a compliant privacy policy, signed Data Processing Agreements with third-party tools, and a process for data requests.

Time to read: 6 minutes

Part of: Privacy & Compliance series

Does GDPR Apply to You?

Yes, if ANY of these are true:

  • You have visitors from the EU
  • You sell to EU customers
  • You track EU user behavior (Google Analytics, Meta Pixel, etc.)

If your website is accessible from Europe—most are—assume GDPR applies.

The 6 Requirements

1. Cookie Consent

Get consent BEFORE setting non-necessary cookies.

For WordPress:

  • Complianz (free) – Full GDPR suite with cookie blocking
  • CookieYes (free tier) – Simple consent management

For any platform:

  • Osano (free tier) – Consent + vendor management
  • Iubenda (€27/year) – Cookie solution + privacy policy generator
  • Cookiebot (free under 500 pages)

What the banner needs:

  • Clear explanation of what cookies do
  • “Reject All” button as prominent as “Accept All”
  • No dark patterns (pre-checked boxes, confusing options)
  • Record of when consent was given

Not OK: “By using this site you accept cookies” banners, accept-only options, tiny reject buttons.

2. Privacy Policy

Must include:

  • What data you collect
  • Why you collect it (legal basis)
  • Who you share it with
  • How long you keep it
  • How users can delete their data
  • Your contact info for privacy requests

Must be written in plain language and accessible from every page (footer link).

Shortcut: Use Iubenda or Termly to generate one, then customize for your business.

3. Data Subject Rights

Users can request:

  • Access – Provide a copy of their data (deadline: 30 days)
  • Rectification – Fix incorrect data (deadline: 30 days)
  • Erasure – Delete their data (deadline: 30 days)
  • Portability – Export their data in a machine-readable format (deadline: 30 days)
  • Object – Stop processing for marketing (deadline: immediate)

You need a process to handle these. For small sites, a dedicated email address (privacy@yoursite.com) works fine.

4. Data Processing Agreements

Every third party that handles your user data needs a DPA:

  • Analytics: Google, Mixpanel
  • Email: Mailchimp, Klaviyo
  • Payments: Stripe, PayPal
  • Hosting: AWS, Vercel
  • CRM: HubSpot, Salesforce

Most major services have DPAs available in their legal/privacy settings. Sign them before using the service.

5. Data Breach Notification

If user data is compromised:

  • Report to supervisory authority within 72 hours
  • Notify affected users if high risk
  • Document what happened and your response

6. Records of Processing

Document what personal data you process, why, who has access, how long you keep it, and what security measures protect it. A simple spreadsheet works.

Minimum Viable Compliance

For a typical small business website:

  1. Install cookie consent tool – Complianz or CookieYes (30 minutes)
  2. Write privacy policy – Use Iubenda or Termly generator, then customize (1 hour)
  3. Add contact email – privacy@yoursite.com for data requests
  4. Get DPAs signed – From Google, your email provider, payment processor
  5. Document your data – Spreadsheet of what you collect and why

Time: 2-4 hours for basic compliance.

Common Violations

Audits flag these frequently:

  • Loading Google Analytics before consent
  • No way to withdraw consent
  • Ignoring data deletion requests
  • Sharing data without DPAs
  • Keeping data forever with no retention policy

Penalties

Up to €20 million or 4% of global revenue, whichever is higher.

In practice: Small sites rarely get fined, but competitors and users can report you, and enforcement is increasing.

The GDPR Compliance Checklist

  • Cookie consent banner blocks tracking until accepted
  • Privacy policy is published and linked in footer
  • You have a process for handling data requests
  • DPAs are signed with your third-party tools
  • You’ve documented what data you collect and why


GDPR Compliance Questions Answered

Does GDPR apply to US-based websites?

GDPR applies to any website that processes personal data of EU/EEA residents, regardless of where the business is located. If your site has EU visitors, uses EU-targeted advertising, accepts euros, or offers content in EU languages, GDPR likely applies to you. The regulation has extraterritorial reach by design.

What is the penalty for GDPR violations?

GDPR fines reach up to 20 million euros or 4% of global annual turnover, whichever is higher, for the most serious violations. Lower-tier violations cap at 10 million euros or 2% of turnover. In 2023, Meta received a 1.2 billion euro fine for data transfers to the US, demonstrating enforcement at scale.

What are the six lawful bases for processing data under GDPR?

The six lawful bases are: consent (freely given, specific, informed), contractual necessity, legal obligation, vital interests (life-threatening situations), public task, and legitimate interests (balanced against individual rights). Most websites rely on consent for marketing and legitimate interests for analytics, but you must document your basis for each processing activity.

Do you need a Data Protection Officer under GDPR?

A DPO is required if you are a public authority, if your core activities involve regular and systematic monitoring of individuals at scale, or if you process special category data (health, biometric, political opinions) at scale. Most small websites do not require a DPO, but appointing one voluntarily demonstrates good faith compliance.

✓ Your Site Meets GDPR Data Protection Requirements

  • Cookie consent banner collects affirmative consent before setting non-essential cookies
  • A Records of Processing Activities (ROPA) document lists every data processing operation with its lawful basis
  • Data subject access requests (DSARs) can be fulfilled within the 30-day statutory deadline
  • A Data Processing Agreement (DPA) is signed with every third-party processor handling personal data
  • Your privacy policy is written in plain language and covers all Article 13/14 required disclosures

Test it: Open your site in a private window, decline all cookies, then check browser DevTools → Application → Cookies to confirm zero non-essential cookies are set.
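The logic behind a compliant banner, as an added example that is not code from this guide or from any of the consent tools it lists: no non-essential tracker loads until a choice is recorded, “Reject All” produces a consent record just like “Accept All”, consent can be withdrawn (one of the Common Violations above is having no way to do so), and a small helper performs the “Test it” cookie check in code. The category names, the policy version, the cookie names and the essential-cookie allowlist are assumed placeholders.

```javascript
// Consent gate for a small site. Added example; names are placeholders.
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// The consent record. null means the visitor has not chosen yet, so nothing
// non-essential may load. A real banner would persist this record (e.g. in a
// first-party "consent" cookie) so the timestamp survives page loads.
let consent = null;

function recordConsent(granted, now = Date.now()) {
  // granted: categories the visitor accepted. [] is "Reject All", which is
  // a valid, recorded choice and must be as easy to make as "Accept All".
  const allowed = CATEGORIES.filter((c) => granted.includes(c));
  consent = {
    allowed,
    givenAt: new Date(now).toISOString(), // "record of when consent was given"
    policyVersion: "2024-01",             // re-ask if the policy changes
  };
  return consent;
}

function withdrawConsent(now = Date.now()) {
  // Withdrawal is just a new record with nothing allowed; later loads are blocked.
  return recordConsent([], now);
}

function mayLoad(category) {
  // No record yet, or category not granted: the tracker stays unloaded.
  return consent !== null && consent.allowed.includes(category);
}

// Wrap every non-essential tracker in this gate. In a real page `loader`
// would inject the vendor <script> tag; here it is any callback.
function loadTracker(category, loader) {
  if (!mayLoad(category)) return false;
  loader();
  return true;
}

// The "Test it" step in code: given document.cookie after "Reject All",
// list any cookie that is not on the essential allowlist. Should be empty.
function nonEssentialCookies(cookieString, essential = ["session_id", "consent"]) {
  return cookieString
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter((name) => name && !essential.includes(name));
}
```

Run `nonEssentialCookies(document.cookie)` in the DevTools console after declining; any name it returns is a tracker that loaded before consent and needs to go behind `loadTracker`.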