10 steps to a GDPR compliant website

We’ve worked hard to develop a Consent Management Platform that truly complies with the GPDR provisions, so we had a lot to read & learn.

The main problem is that your website is probably the easiest thing to check by anyone, including any controlling authority. Simply load the website, inspect, see what's loading and you know what's happening right from the homepage.

The other problem is that almost everyone uses something for their digital marketing, including retargeting or personalization. And that is usually referred to as "profiling", or "processing large volumes of information" or "automated decisions"

While everyone seems genuinely interested in respecting the law, it is not always easy to understand how to achieve this.

We know how opaque this type of processing can be for most people and how difficult it is for website owners to make it all clear and transparent for their audience.

Some have tried with cookie consent, others with implicit consent like "by continuing....", and others simply closed their sites to European citizens.

So, here’s what we’ve learned: You need to tweak your site in order to make it GDPR-compliant. There's no way around it.

First, you need to know what's happening.

1. Find out what is running on your sites. You should at least know what sites you own and who manages them, to start with.

It may sound silly, but you would be amazed how many large companies out there do not know this. Sometimes there are sites that were parts of old campaigns, closed projects, products that are no longer available.

Detect and review every application, tag, form, cookie etc. that you have on your website (plus, eliminate what is unnecessary or long-forgotten there). If you need help with this, click here.

2. Understand what each application does and who's behind it. You will need all this information when asking consent from your users.

As for the external vendors and third-party solutions that track the user, find out what data they process and for what purpose, how they store it and for how long, if they share/ disclose it to other third parties, what are their safeguards for data protection, their DPO’s contact details etc.

Tip: Sign written data protection agreements with these third parties. You need to make sure you have agreements with your marketing technology providers and a clear understanding of the roles split (controller/ joint controller/ processor), liabilities and guarantees. Keep in mind that you, as the site owner, are a data controller responsible with the lawful basis of the processing on your digital properties, as well as informing your users on who’s processing their data and how.

As for the external vendors and third-party solutions that track the user, find out what data they process and for what purpose, how they store it and for how long, if they share/ disclose it to other third parties, what are their safeguards for data protection, their DPO’s contact details etc. You will need all this information when asking consent from your users.

If by this time you realise you do not need to ask for consent, skip to #7 →.

Now it’s time to change things on your site.

4. Prevent applications from starting without appropriate consent. This is where most companies fail, by the way.

If you already use a tag manager: Try to set up your tags for the applications that require consent not to fire automatically. Create some custom triggers or events, that can be called from the web page when the appropriate consent is given.

If you use Avandor Consent ;), you're already set up! Simply remove the tags from the site and paste them into the Avandor Consent Manager interface and specify when/where to run each tag.

If you don't use a tag manager, your developers are out of luck. They will need to manually create code that starts those application tags when being called from the consent manager.

Relying on communicating consent to third party apps (using parameters or consent frameworks) is a risky approach that leaves you out of real control.

5. Ask for the appropriate consent Install (or develop) a consent manager and get valid consent.

“By continuing to use this website you agree...” notice is no longer enough. Get rid of it.

Valid consent means feely given, specific and informed consent given for data processing (more about that here). This translates to:

  • do not block access to your site if you did not get consent
  • do not pre-tick any checkboxes
  • do not declare marketing/tracking apps as "functional" (even if you really need them). Some people already got fined for this...
  • explain clearly the purposes you are asking consent for
  • ask consent for each purpose separately
  • explain what data is being processed, and which companies operate the data
  • explain the user's rights
  • inform about the way you collect, store and process their personal data
  • make sure the user can return to the consent management window at any time

Keep in mind: you are not asking consent for cookies (that would be pointless), instead you are asking consent for data processing done directly or via applications operated by third parties.

6. Store consent records for inspection

When you rely on explicit consent as a legal ground for your processing operations, you should make sure that you safely store all consent records into your system (as the controller must be able to prove that a user in a given case has consented!).

The rationale behind the obligation of demonstrating valid consent from the users is that data controllers must be accountable.

Hold on, there's more to do

7. Secure your site and infrastructure

You need to make sure your website (server, CMS, databases etc.) and all the data you store on it is secure (with a special focus on PII – personally identifiable information – such as names, email addresses etc.). You should also make sure that the data transferred via forms on your website is protected via a safe SSL connection.

Develop internal procedures in case of data security breaches and let your users know that you’ve implemented safeguards to protect their data.

8. Provide means for data access or even removal

The GDPR also recommends that “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.

Probably the easiest way to grant your users their right to data access and removal is via special software (such as Avandor Consent Manager) while managing their data processing preferences, as well as the other rights they have.

9. Facilitate data protection inquiries

Make it easy for your users to address data protection inquiries on predefined topics. This will also help you and your data protection team to manage these requests and provide answers and solutions within the legal terms.


Doing all that does not mean your company is GDPR compliant, and just that your websites respect GDPR requirements. The rest is usually more complicated than this.

Georgiana Bedivan

Head of Compliance

We've struggled to understand GDPR so you won't have to. Learn from our experience →

We've asked a Data Protection Authority for answers on digital processing...

Since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say...

read more

What's wrong with cookie consent?

The common misbelief is that compliance on digital properties equals cookie consent. But the truth is that GDPR is not about cookies, but about who set those cookies and what for.

read more

10 steps to make your site compliant

Some have tried with cookie consent, others with implicit consent like "by continuing to use this website...", and others simply closed their sites to European citizens.

read more

What makes valid consent under GDPR?

Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.

read more

Data controller vs. processor? Who's who

Although GDPR’s definition of the two may seem simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.

read more

Profiling and automated decisions under GDPR

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps and technologies you use for marketing purposes do profiling.

read more

GDPR myths and misconceptions

Starting with May 25th, a lot of misinformation regarding GDPR has been spread so understanding the basic principles of this new regulation and how to get compliant proved to be overwhelming.

read more

Using Facebook pixel on your site?

As per today’s practices you can’t really help but using Facebook as part of your marketing strategy. However, the question that arises since the 25th of May is who is responsible for obtaining consent.

read more

Looking for the right consent solution?

Discover Avandor Consent

see features & benefits →

Need help navigating GDPR compliance?

We're happy to assist you with free advice

get in touch →

Your details:

Your interest:

Your Message:

by submitting this form you consent to our use of your data

For more information or a demo call +4072 893-9780 or get in touch.