GDPR (General Data Protection Regulation) applies to every website that collects data from EU residents — regardless of where your business is located. If you have Google Analytics, a contact form, or a newsletter signup, you're collecting personal data.
Non-compliance can result in fines (up to €20M or 4% of global annual turnover, whichever is higher, for serious violations) and, more practically, damages customer trust when visitors can't find clear information about how their data is used.
The good news: most small business websites need only a few things to cover the basics.
The Minimum Viable GDPR Checklist
1. Privacy Policy (Required)
You must have a privacy policy that tells visitors:
- What personal data you collect (email addresses, names, IP addresses, browsing behaviour via analytics)
- Why you collect it (legal basis: consent, legitimate interest, contract performance, etc.)
- How long you keep it
- Whether you share it with third parties (email service providers, analytics tools)
- How to request deletion of their data
- Your contact address for data-related requests
Free generators like Termly, iubenda, and PrivacyPolicies.com cover all the required fields for small sites.
2. Cookie Consent Banner (Required if you use non-essential cookies)
Google Analytics, Facebook Pixel, and most advertising technologies use cookies classified as "non-essential" under GDPR. You must obtain opt-in consent before these fire.
"Legitimate interest" cannot be claimed for advertising cookies — explicit consent is required.
A compliant banner must:
- Appear before non-essential cookies are placed
- Offer a genuine "Reject" option as prominent as "Accept"
- Not use dark patterns (pre-ticked boxes, buried reject links)
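The gating logic behind such a banner, as an added example that is not part of the original article: non-essential scripts load only after an explicit "accepted" choice, a rejection is honoured, and a missing or malformed stored value is treated as "no decision yet" rather than as consent. The storage key name and the injected store/loader are assumptions so the code runs in Node without a browser.

```javascript
// Consent-gated loader for non-essential scripts (added example, not from the article).
// The store and the analytics loader are injected so the logic runs offline in Node;
// on a real site the store would be localStorage or a first-party cookie and
// loadAnalytics would inject the analytics <script> tag.

const CONSENT_KEY = "cookie_consent_v1"; // hypothetical storage key
const VALID_CHOICES = new Set(["accepted", "rejected"]);

// Read the visitor's recorded choice. Anything missing or malformed counts as
// "no decision yet", never as consent: consent must be an explicit opt-in.
function getConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed && VALID_CHOICES.has(parsed.choice) && Number.isInteger(parsed.at)) {
      return parsed;
    }
  } catch (_) { /* corrupt value: fall through and re-prompt */ }
  return null;
}

// Record an explicit choice with a timestamp so it can be re-prompted later.
// Only the two choices the banner offers are accepted; there is no default.
function recordConsent(store, choice, now = Date.now()) {
  if (!VALID_CHOICES.has(choice)) throw new Error(`invalid consent choice: ${choice}`);
  store.setItem(CONSENT_KEY, JSON.stringify({ choice, at: now }));
}

// Run on every page load, before any analytics tag is inserted.
// Returns "loaded" (consent given), "blocked" (rejected) or "prompt" (show the banner).
function applyConsent(store, loadAnalytics) {
  const consent = getConsent(store);
  if (consent === null) return "prompt";
  if (consent.choice === "accepted") { loadAnalytics(); return "loaded"; }
  return "blocked";
}

// Constructed in-memory stand-in for localStorage so the example runs without a browser.
function memoryStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}
```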
3. Data Processor Agreements
If you use any third-party services that process personal data on your behalf (email platforms, CRMs, analytics), you need a Data Processing Agreement (DPA) with each. Most major providers (Google, Mailchimp, Stripe) provide these automatically or on request.
4. Right to Erasure Process
You must have a way for users to request deletion of their personal data. This doesn't need to be elaborate: a contact email dedicated to data requests, with a documented internal process for handling them, is sufficient for most small businesses.
5. Secure Data Transmission and Storage
Personal data must be transmitted over HTTPS (see #1 in the security section) and stored securely. This means not leaving customer data in unencrypted spreadsheets, using strong passwords on your email platform, and ensuring your database is access-controlled.
What Doesn't Require GDPR Action
- Anonymous usage data with no way to identify individuals
- Publicly available data you haven't actively collected
- Employee data (covered by employment law, not website GDPR)
Using RoastReady to Check Legal Compliance
RoastReady's trust scan includes a legal compliance check that detects whether your site has a privacy policy, terms of service, and cookie consent banner. It won't tell you whether the documents are legally perfect, but it will flag if they're missing entirely — which is the most common and most problematic failure.