
GDPR Checker

Assess GDPR compliance for your website including privacy policy, cookie consent, and data processing practices

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.

GDPR Compliance Gaps?

Our compliance team assesses GDPR readiness, implements controls, and prepares documentation.

What Is GDPR Compliance Checking

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's data protection law governing how organizations collect, process, store, and share the personal data of individuals in the EU and EEA. A GDPR compliance check evaluates an organization's data processing practices against the regulation's requirements and identifies gaps that could lead to administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5)).

GDPR applies to organizations established in the EU and, under Art. 3(2), to organizations anywhere in the world that offer goods or services to individuals in the EU or monitor their behaviour (for example through analytics or advertising tracking), regardless of where the organization is based. In practice this extraterritorial scope means that a U.S. company, an Asian business, or any other entity that serves or tracks EU users through its website must comply.

GDPR Core Principles

Principle | Article | Requirement
Lawfulness, fairness and transparency | Art. 5(1)(a) | Process data lawfully, on a valid legal basis, with transparent privacy notices
Purpose limitation | Art. 5(1)(b) | Collect data only for specified, explicit and legitimate purposes
Data minimization | Art. 5(1)(c) | Collect only data that is adequate, relevant and necessary for those purposes
Accuracy | Art. 5(1)(d) | Keep personal data accurate and up to date
Storage limitation | Art. 5(1)(e) | Retain data no longer than necessary for its purpose
Integrity and confidentiality | Art. 5(1)(f) | Protect data with appropriate technical and organizational security measures
Accountability | Art. 5(2) | Be able to demonstrate compliance with all of the above

Common Use Cases

  • Website compliance audit: Check whether your website's cookie consent, privacy policy, data collection forms, and analytics setup comply with GDPR requirements
  • Pre-launch assessment: Evaluate a new product or service for GDPR compliance before launch, identifying required privacy features and documentation
  • Vendor due diligence: Assess whether third-party vendors and data processors meet GDPR requirements before sharing personal data
  • Annual compliance review: Conduct periodic assessments to ensure ongoing compliance as your data processing activities evolve
  • Data subject request readiness: Verify that your organization can fulfil data subject rights (access, rectification, erasure, portability, objection) within the one-month deadline of Art. 12(3), extendable by two further months only for complex or numerous requests

Best Practices

  1. Identify your legal basis — Every data processing activity must have a valid legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Document the basis for each activity.
  2. Implement privacy by design — Build data protection into new systems from the start rather than retrofitting. GDPR Article 25 requires this approach.
  3. Maintain Records of Processing Activities — Article 30 requires documented records of all processing activities, including purposes, data categories, recipients, and retention periods.
  4. Prepare for data subject requests — Implement repeatable, preferably automated, processes to handle access, erasure, portability, and objection requests within one month of receipt (Art. 12(3); extendable by two further months for complex or numerous requests, with the data subject informed of the extension). Manual processes break down at scale.
  5. Conduct DPIAs for high-risk processing — Article 35 requires a Data Protection Impact Assessment before processing that is likely to result in a high risk to individuals, such as systematic profiling, large-scale processing of special-category data, or systematic monitoring of publicly accessible areas.


Frequently Asked Questions

Common questions about the GDPR Checker

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU law regulating the processing of personal data. It has applied since 25 May 2018 and is enforced by the national Data Protection Authorities. It covers organizations established in the EU and organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Key requirements: a lawful basis for every processing activity, consent before setting non-essential cookies (required by the ePrivacy rules, with consent defined by GDPR), a compliant privacy notice, data subject rights (access, rectification, erasure, portability, objection), notification of personal data breaches to the supervisory authority within 72 hours, a Data Protection Officer where required, and data processing agreements with processors. Fines for the most serious infringements reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher; a lower tier of EUR 10 million or 2% applies to breaches of obligations such as security and breach notification.

What must a GDPR privacy policy contain?

Under Articles 13 and 14, a privacy notice must state: 1) the identity and contact details of the data controller; 2) the contact details of the Data Protection Officer, where one is required; 3) the purposes of processing and the legal basis for each (including the legitimate interests relied on, if any); 4) the categories of personal data collected; 5) recipients of the data, including third parties and any international transfers and the safeguards used; 6) retention periods or the criteria used to determine them; 7) the data subject rights (access, rectification, erasure, restriction, portability, objection); 8) the right to withdraw consent at any time; 9) the right to lodge a complaint with a supervisory authority; and 10) the existence of any automated decision-making, including profiling, with meaningful information about the logic involved. The notice must be clear, concise, easily accessible and free of charge (Art. 12), and must be updated whenever the processing changes.

What are the GDPR cookie consent requirements?

The consent requirement for cookies comes from Article 5(3) of the ePrivacy Directive, and the consent it requires must meet the GDPR standard (Art. 4(11) and Art. 7). In practice: 1) obtain consent before setting or reading any non-essential cookie; 2) pre-ticked boxes and continued browsing do not constitute consent; 3) offer granular choices (analytics and marketing consented to separately); 4) make withdrawal as easy as giving consent; 5) do not use cookie walls that block access until the user accepts, as this is not freely given consent; 6) explain each cookie's purpose, duration and any third parties that receive the data; 7) keep records proving when and to what the user consented. Strictly necessary cookies (session, security, load balancing) do not require consent. The banner must appear before any non-essential cookie is set, must allow rejection as easily as acceptance, and must be easy to understand. To validate an implementation, snapshot the cookies set before any choice is made, confirm only essential cookies are present, then confirm that withdrawing consent actually removes the cookies that depended on it.
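The validation step above can be scripted. The following is an added example, not code from the GDPR Checker tool itself: it takes a cookie snapshot (the `document.cookie` string in a browser, or a `Cookie` header captured by a proxy) and the consent state recorded by the consent manager, and reports every cookie that should not be present in that state. The cookie inventory, cookie names and consent object shape are constructed for illustration and would be replaced by the site's own cookie declaration.

```javascript
// Added example (not the GDPR Checker's own code): audit a cookie snapshot
// against the recorded consent state, the check a website compliance audit
// performs before and after the banner interaction.
// Assumption: COOKIE_INVENTORY mirrors the site's own cookie declaration; the
// names and patterns below are constructed for illustration only.
const COOKIE_INVENTORY = [
  { pattern: /^(sessionid|csrftoken|__Host-session)$/, category: "essential" },
  { pattern: /^_ga(_[A-Z0-9]+)?$|^_gid$/, category: "analytics" },
  { pattern: /^(_fbp|_gcl_au|fr)$/, category: "marketing" },
];

// Parse a document.cookie / Cookie-header string ("a=1; b=2") into pairs.
// Caveat: HttpOnly cookies never appear in document.cookie, so a complete
// audit also needs the Set-Cookie response headers (devtools or a proxy).
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((kv) => {
      const i = kv.indexOf("=");
      return i === -1
        ? { name: kv, value: "" }
        : { name: kv.slice(0, i).trim(), value: kv.slice(i + 1) };
    });
}

// Map a cookie name to its declared category; undeclared cookies are
// reported as "unknown" because an undocumented cookie is itself a gap.
function categorize(name) {
  const hit = COOKIE_INVENTORY.find(({ pattern }) => pattern.test(name));
  return hit ? hit.category : "unknown";
}

// consent: null while the banner is still open (no choice recorded yet),
// otherwise { analytics: boolean, marketing: boolean } as stored by the
// consent manager (constructed shape). Returns one finding per cookie that
// must not be present in that consent state.
function auditCookies(cookieHeader, consent) {
  const findings = [];
  for (const { name } of parseCookieHeader(cookieHeader)) {
    const category = categorize(name);
    if (category === "essential") continue; // strictly necessary: no consent needed
    if (category === "unknown") {
      findings.push({ name, category, reason: "cookie not declared in inventory" });
      continue;
    }
    const granted = consent !== null && consent[category] === true;
    if (!granted) {
      findings.push({
        name,
        category,
        reason: consent === null
          ? "set before any consent choice was made"
          : `set although ${category} consent is not granted`,
      });
    }
  }
  return findings;
}

// Constructed snapshots for three points in a consent flow.
const beforeChoice = "sessionid=s1; _ga=GA1.2.123; _fbp=fb.1.456";
const analyticsOnly = { analytics: true, marketing: false };
const withdrawn = { analytics: false, marketing: false };

console.log("before any choice:", auditCookies(beforeChoice, null));
console.log("analytics only:", auditCookies(beforeChoice, analyticsOnly));
// After withdrawal the consent manager must delete the dependent cookies;
// anything still present shows that withdrawal is not functional.
console.log("after withdrawal:", auditCookies("sessionid=s1; _ga=GA1.2.123", withdrawn));
```

Run the audit at three points: with the banner still open (every non-essential cookie is a finding), after a partial choice (only the consented categories may appear), and after withdrawal (the dependent cookies must be gone). Unknown cookies are reported separately so that a cookie missing from the inventory is caught even when consent for everything has been given.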

What are the data subject rights?

GDPR gives individuals eight rights (Articles 13 to 22): 1) the right to be informed, met through the privacy notice; 2) the right of access, a copy of their data in response to a subject access request (SAR); 3) the right to rectification of inaccurate data; 4) the right to erasure, the "right to be forgotten"; 5) the right to restrict processing; 6) the right to data portability, an export in a structured, commonly used, machine-readable format; 7) the right to object, including an absolute right to opt out of direct marketing; and 8) rights relating to automated decision-making and profiling, including human review of significant decisions. Organizations must verify the requester's identity, respond without undue delay and within one month of receipt (extendable by two further months for complex or numerous requests, Art. 12(3)), and act free of charge unless a request is manifestly unfounded or excessive (Art. 12(5)).

What are the lawful bases for processing?

Article 6(1) provides six lawful bases: 1) consent, which must be freely given, specific, informed and unambiguous (Art. 4(11)), and explicit where special-category data is involved (Art. 9(2)(a)); typically used for marketing; 2) contract, where processing is necessary to perform a contract with the data subject, such as order processing; 3) legal obligation, such as retaining tax records; 4) vital interests, such as emergency medical situations; 5) public task, for official functions of public bodies; and 6) legitimate interests, where the organization's or a third party's interests are not overridden by the data subject's rights, such as fraud prevention and network security (Recital 49), documented in a legitimate interests assessment. Choose the most appropriate basis before processing starts: it determines which rights apply (for example, portability applies only to consent and contract) and should not be changed after the fact. State the basis for each purpose in the privacy notice.

When is a Data Protection Officer required?

Article 37 requires a DPO when: 1) the organization is a public authority or body (except courts acting in their judicial capacity); 2) its core activities involve regular and systematic monitoring of data subjects on a large scale, such as behavioural tracking or profiling; or 3) its core activities involve large-scale processing of special-category data (health, biometric, genetic, etc.) or criminal conviction data. "Large scale" is not defined in the regulation; consider the number of data subjects, the volume and range of data, the duration of the processing, and its geographic extent. The DPO must be independent, have expert knowledge of data protection law, report directly to the highest level of management, and must not be dismissed or penalized for performing their duties (Art. 38). The role can be filled by an internal employee, an external contractor, or a DPO shared by several organizations.

What is a personal data breach and what must we do?

A personal data breach (Art. 4(12)) is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Examples: ransomware, phishing compromise, a lost laptop, a misconfigured database exposed to the internet, insider theft. Obligations: 1) document every breach, including those not notified, with the facts, effects and remedial action (Art. 33(5)); 2) notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Art. 33); 3) inform affected data subjects without undue delay when the breach is likely to result in a high risk to them (Art. 34). The notification must describe the nature of the breach including the categories and approximate numbers of data subjects and records affected, the likely consequences, the measures taken or proposed to address it, and the DPO or other contact point. Failure to notify is subject to fines of up to EUR 10 million or 2% of worldwide annual turnover (Art. 83(4)).

What should a GDPR audit cover?

A GDPR audit checklist: 1) data inventory (what personal data is collected, where it is stored, who can access it); 2) lawful basis documentation (consent records, legitimate interests assessments); 3) privacy notice review (complete, current, accessible); 4) cookie consent validation (banner functional, no non-essential cookies before consent, preferences saved and withdrawal honoured); 5) data subject rights procedures (SAR handling, erasure, portability); 6) third-party processors (data processing agreements signed under Art. 28, security validated); 7) security measures (encryption, access controls, backups); 8) breach response plan; 9) staff training; 10) documentation (Art. 30 records of processing, DPIAs). Audit at least annually and whenever processing changes materially.

Can an automated scan confirm GDPR compliance?

No. An automated scan only checks externally visible technical elements such as cookies set before consent, the presence of a consent banner, and whether a privacy policy is linked. Full compliance also depends on data processing agreements, the accuracy of the privacy notice against actual processing, data subject rights procedures, and internal documentation, none of which a scan can verify. Treat scan results as a starting point for a manual review, not as evidence of compliance.
