July 16, 2026 · 8 min read
To be GDPR-compliant, a website essentially needs four things: a clear privacy policy, a cookie banner that collects consent before activating non-essential cookies, explicit consent in forms that collect data, and secure handling of that information. Nothing esoteric is required: it takes transparency about what data you collect, why and how. This isn't legal advice, but a practical guide to where to start.
The basics of compliance
- Privacy policy: explains what data you collect, for what purposes and with which tools (analytics, forms, newsletter).
- Cookie banner: must let users accept, reject and choose. Non-essential cookies activate only after consent.
- Contact forms: an un-pre-ticked checkbox and a link to the privacy policy before submitting.
- User rights: users can request access to, correction of or deletion of their data.
- Security: HTTPS everywhere and protection of the data collected, as in our security checklist.
The most common mistakes
Many sites fail on avoidable details: cookie banners that fire tracking cookies on load (before consent), pre-ticked consent boxes, generic privacy policies copied from other sites, or forms that collect data without explaining how it's used. Watch out for third-party tools too: analytics, maps, chat and ad pixels process data and must be declared and handled within consent.
GDPR and e-commerce
If you sell online, obligations grow: you handle payment data, addresses and orders. The good news is that by delegating payments to gateways like Stripe and PayPal, as we explain in our guide on payment integration, card data never passes through your server and much of the compliance is handled by them. Privacy policy, consent and site security remain on you.
We build compliant sites from the ground up, with correct cookie banners and consent management, as part of our web development. If you want to check whether your site is compliant, get in touch for a technical review.
Frequently asked questions
What does it take to make a website GDPR-compliant?
You need a clear privacy policy, a cookie banner that collects consent before activating non-essential cookies, explicit consent in forms that collect data, and secure handling of that information. In short: transparency about what data you collect, why and how.
Is a cookie banner mandatory?
If the site uses non-strictly-necessary cookies (analytics, marketing, third-party tools), yes. The banner must let users accept, reject and choose, and non-essential cookies must activate only after consent, not on page load.
Does a contact form need to comply with GDPR?
Yes. Anyone collecting data through a form must tell users how it will be used, with a link to the privacy policy and an un-pre-ticked consent box. The data must then be stored and handled securely.
Does this guide replace legal advice?
No. It's a practical guide to the technical basics of compliance. For complex situations or specific doubts, it's always advisable to consult a legal advisor or a DPO.
REQUEST A FREE QUOTE