
GDPR Compliance Checklist

Check your website's GDPR compliance in minutes. 8 essential requirements every EU business must meet. Updated for 2026.

๐Ÿ›ก๏ธ GDPR Compliance Check

Click each item you have implemented on your website or business:

0%
0 of 8 requirements met
Not compliant
Progress saved in browser
๐Ÿ›ก๏ธ

GDPR-Compliant Business Payments with Wise

Wise stores financial data on EU-based servers, compliant with GDPR requirements for data residency. Ideal for EU businesses handling customer payments.

Open Wise →

GDPR Requirements for EU Businesses: 2026 Guide

The General Data Protection Regulation (GDPR), in force since May 25, 2018, applies to all businesses that process personal data of EU residents, regardless of where the business is located. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher.

1. Privacy Policy

Every website or app collecting personal data must have a clear, accessible Privacy Policy. It must explain what data you collect, why, how long you keep it, who you share it with, and how users can exercise their rights. The language must be plain and understandable, not legal jargon. Under GDPR Article 13, this information must be provided at the time of data collection.

2. Cookie Consent

Non-essential cookies (analytics, advertising, social media) require explicit prior consent under GDPR and the ePrivacy Directive. A cookie banner must offer a genuine choice: pre-ticked boxes are not valid consent. Users must be able to refuse cookies as easily as they can accept them. Many EU supervisory authorities (including Belgium's GBA and France's CNIL) have issued significant fines for non-compliant cookie banners.

3. Data Subject Rights

GDPR grants individuals eight rights: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and rights related to automated decision-making. You must have a documented process for responding to these requests within 30 days.

4. Data Breach Notification

Under GDPR Article 33, personal data breaches must be reported to your national supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk to individuals. Breaches likely to result in high risk to individuals must also be communicated directly to those affected without undue delay.

5. Data Processing Agreements (DPA)

If you share personal data with third-party processors (email providers, analytics tools, cloud storage, payment processors), you must have a signed Data Processing Agreement (DPA) with each one. This is required under GDPR Article 28. Most major providers (Google, Microsoft, Stripe, Mailchimp) offer standard DPAs in their settings or on request.

GDPR Fines in 2025–2026: What's Being Enforced

Enforcement has intensified significantly. Notable 2025 fines include cookie consent violations, unlawful data transfers to the US, and inadequate security measures. Belgian DPA (GBA), French CNIL, Irish DPC, and German state authorities are among the most active enforcers. SMEs are not exempt: fines in the €5,000–€50,000 range have been issued to small businesses for basic violations like missing Privacy Policies or non-compliant cookie banners.

Frequently Asked Questions

Does GDPR apply to my small business?
Yes, if you process personal data of EU residents. There is no size threshold; GDPR applies to sole traders, freelancers, and micro-businesses. However, some obligations (like appointing a DPO) only apply to organizations processing large volumes of data or processing sensitive data systematically. A small business with a website collecting email addresses still needs a Privacy Policy and cookie consent.
What is a Data Processing Agreement (DPA)?
A DPA is a contract required by GDPR Article 28 between a data controller (you) and a data processor (any third party that processes data on your behalf). Examples include your email marketing platform, analytics provider, cloud storage service, and payment processor. Most major SaaS providers offer standard DPAs; check their privacy/legal settings or contact their support.
Do I need a Data Protection Officer (DPO)?
A DPO is mandatory for: (1) public authorities, (2) organizations that systematically monitor individuals at large scale, or (3) organizations processing special categories of data (health, criminal, biometric) at large scale. Most SMEs do not need a formal DPO, but it is good practice to designate someone responsible for data protection internally.
What are GDPR fines for non-compliance?
GDPR provides for two tiers of fines. Less severe violations (like failing to maintain records) can result in fines up to €10 million or 2% of global annual turnover. More severe violations (like unlawful processing, violations of consent requirements, or data subject rights) can result in fines up to €20 million or 4% of global annual turnover, whichever is higher.
Is Google Analytics GDPR compliant?
Google Analytics 4 (GA4) can be used in a GDPR-compliant way, but requires careful configuration: IP anonymization must be enabled, data sharing with Google must be reviewed, a DPA must be in place with Google, users must be informed via Privacy Policy, and cookie consent must be obtained before loading analytics. Several EU supervisory authorities (Austria, France, Italy, Denmark) previously ruled that certain configurations of Google Analytics violated GDPR due to US data transfers. GA4 with proper consent mode and EU data residency settings generally satisfies current requirements.
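The Cookie Consent requirement above (no pre-ticked boxes, refusing as easy as accepting) and the GA4 answer (consent obtained before analytics loads) both come down to one mechanism in the browser: non-essential scripts stay inert until the user has explicitly granted their category. The following is an added example of that consent gate, written for this page and not code from the page or from any consent-management product. The category names, the storage key, the inert `<script type="text/plain" data-category>` placeholder convention and the mapping onto Consent Mode signal names are this example's own assumptions; the demo data at the bottom is constructed. The pure logic runs under Node, and the DOM step is guarded so it only runs in a browser.

```javascript
// Added example (not from the original page): consent-gated loading of
// non-essential scripts. Every non-essential category starts as denied
// (no pre-ticked boxes), "reject all" is one action just like "accept all",
// and a script only activates once its category has been explicitly granted.
// Category names and the storage key below are this example's own choices.

const CATEGORIES = ['analytics', 'advertising', 'social'];
const STORAGE_KEY = 'consent-v1'; // assumed key name for this example

// A fresh record: nothing non-essential is granted until the user decides.
function defaultConsent() {
  const record = { decided: false, timestamp: null, categories: {} };
  for (const cat of CATEGORIES) record.categories[cat] = false;
  return record;
}

// Record an explicit decision. `accepted` lists the categories the user
// opted into; an empty list is a complete, valid "reject all".
function recordDecision(accepted) {
  const next = defaultConsent();
  next.decided = true;
  next.timestamp = new Date().toISOString();
  for (const cat of accepted) {
    if (!CATEGORIES.includes(cat)) throw new Error('unknown consent category: ' + cat);
    next.categories[cat] = true;
  }
  return next;
}
const acceptAll = () => recordDecision(CATEGORIES);
const rejectAll = () => recordDecision([]);

// The gate every non-essential script must pass.
function mayLoad(consent, category) {
  return consent.decided === true && consent.categories[category] === true;
}

// Given the page's deferred scripts ({ src, category }), pick those allowed to
// run. 'essential' scripts (the checkout itself, say) never need consent.
function scriptsToActivate(consent, scripts) {
  return scripts.filter(s => s.category === 'essential' || mayLoad(consent, s.category));
}

// Map the record onto Google Consent Mode signal names (assumed mapping), to be
// passed as gtag('consent', 'update', ...) after the user decides; the default
// call should send the same shape with everything 'denied' before any tag loads.
function toConsentModeUpdate(consent) {
  const flag = cat => (mayLoad(consent, cat) ? 'granted' : 'denied');
  return {
    analytics_storage: flag('analytics'),
    ad_storage: flag('advertising'),
    ad_user_data: flag('advertising'),
    ad_personalization: flag('advertising'),
  };
}

// Persist and restore. A stored record that is undecided, corrupt, or lacks any
// known category is treated as undecided, so adding a category later re-prompts
// the user instead of silently inheriting old consent.
function saveConsent(storage, consent) {
  storage.setItem(STORAGE_KEY, JSON.stringify(consent));
}
function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    if (parsed.decided !== true || typeof parsed.categories !== 'object' || parsed.categories === null) {
      return defaultConsent();
    }
    for (const cat of CATEGORIES) {
      if (typeof parsed.categories[cat] !== 'boolean') return defaultConsent();
    }
    return parsed;
  } catch (e) {
    return defaultConsent();
  }
}

// Browser only: the server emits non-essential tags inert as
// <script type="text/plain" data-category="analytics" data-src="..."></script>
// so nothing runs before consent; this swaps in live tags for granted categories.
function activateInBrowser(consent) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!mayLoad(consent, el.dataset.category)) continue;
    const tag = document.createElement('script');
    tag.src = el.dataset.src;
    tag.async = true;
    el.replaceWith(tag);
    activated++;
  }
  return activated;
}

// Minimal localStorage stand-in so the example also runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Demo with constructed data (the measurement id is a placeholder).
const store = memoryStorage();
const pageScripts = [
  { src: '/checkout.js', category: 'essential' },
  { src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', category: 'analytics' },
  { src: '/ads-pixel.js', category: 'advertising' },
];
console.log('before decision:', scriptsToActivate(loadConsent(store), pageScripts).map(s => s.src));
saveConsent(store, recordDecision(['analytics']));
console.log('after analytics-only:', scriptsToActivate(loadConsent(store), pageScripts).map(s => s.src));
console.log('consent mode update:', toConsentModeUpdate(loadConsent(store)));
```

The design point is that the gate is evaluated from a stored decision, never from a default of "granted": before any decision only the essential script is eligible, and a record that is missing a category (for instance after a new tracker is added) falls back to undecided so the banner is shown again rather than consent being assumed.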
