A GDPR website checklist sounds like a dry compliance chore — until the first letter from a warning-notice law firm lands in your mailbox. Then the annoying topic quickly turns expensive. Here are the 8 points that really matter in 2026, without scaremongering and without legalese.
The good news first: a data-protection-compliant website isn't rocket science. Most problems don't come from bad intentions but from copy-and-paste — a Google Font loaded from the web, a contact form without encryption, a cookie banner that offers no real choice at all. It's exactly these small things that automated scanners flag.
Why this GDPR website checklist matters more than ever in 2026
Ever since the first waves of automated warning letters — for instance around externally loaded Google Fonts — rolled across the web, a small industry has specialised in scanning websites for violations by machine. For small businesses that stings: a tradesperson, a practice or a restaurant rarely has a legal department to put the letter in context. The reflex is to pay. Yet almost all the typical traps can be closed in half a day of work — if you know where to look.
The 8 points of the checklist
- A complete privacy policy. Reachable from every subpage, in plain language, and it must actually describe what happens — which services process data, why, and on what legal basis. A 2019 template mentioning Google Analytics you removed long ago is worse than none.
- A correct legal notice (Impressum). Full provider identification as required by German law, reachable from every page in one click. Missing or incomplete legal notices are the classic warning-letter trigger.
- Encryption via HTTPS. A valid SSL certificate is mandatory the moment any form transmits data. Without the green padlock your visitors send names and emails in plain text — and the browser warns them.
- A contact form with data minimisation. Only ask for what you truly need. A checkbox referencing the privacy policy belongs underneath — but no double opt-in theatre for a simple enquiry.
- A cookie banner with a real choice. If you load consent-requiring services (tracking, maps, embedded videos), you need a consent banner that makes ‘reject’ just as easy as ‘accept’. No pre-ticked box, no hidden reject button.
- No externally loaded resources without consent. Google Fonts, YouTube videos, Google Maps, social-media buttons — anything that sends the visitor's IP to a third-party server on page load is a risk. Self-host it or load it only after consent.
- Data processing agreements in place. For hosting, newsletter tools or form providers you need a data processing agreement. Most reputable providers offer one — you just have to sign it and keep it on file.
- Data subject rights are actionable. Access, deletion, objection: there must be a clear contact path through which people can exercise their rights. In practice that means a reachable email address and a process that doesn't lead nowhere.
If you honestly work through these eight points and can say ‘yes, done’ for each, your website is in better shape than most of your competitors'. That's not a free pass — but it closes the doors the automated scanners come in through.
The most common mistakes that get expensive
- A cookie banner that loads tracking scripts before consent — then the banner is pure decoration and protects against nothing.
- Google Fonts, Maps or an embedded video that sends the visitor's IP to servers in the US unasked.
- A privacy policy as a PDF download instead of a normal, indexable subpage.
- A contact form without HTTPS or without a note on what happens to the data entered.
- A legal notice hidden in the footer but missing on landing pages or in mobile menus.
The most expensive mistake is usually the most invisible: you assume the site is clean because ‘it's always worked that way’. But data protection isn't a state you establish once — it's one that every new plugin and every embedded map can tip over again.
How the Website Manufaktur handles this for you
We build websites so these points are right from the start: fonts self-hosted instead of pulled from foreign networks, forms encrypted and data-minimal, consent only where genuinely consent-requiring services run — and when in doubt, one feature fewer that sends your visitors' data somewhere. No bloated cookie zoo, just a lean page that loads fast and leaves the scanners empty-handed. How the package model works and what's included is shown on the Website Manufaktur overview.
One honest note to close: this article is practical orientation, not legal advice. For a binding assessment of your specific case — especially with sensitive data — there's no way around a specialist lawyer or a data protection officer. What we take on is the technical part: a site built on the safe side from day one. You'll find more basics in the Journal.