The Complete GDPR Guide for Website Owners
The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's comprehensive legal framework for personal data protection. In force since 25 May 2018, it replaced the 1995 Data Protection Directive and established a unified set of rules across all 27 EU member states. For website owners, GDPR is not an abstract compliance exercise — it directly governs how you collect cookies, run analytics, deploy advertising pixels, and handle user consent on every page of your site. This guide explains what GDPR requires, how it applies to your website, and what ConsentLens detects when it scans your domain.
What Is GDPR and Why Does It Exist?
The General Data Protection Regulation emerged from a recognition that the digital economy had fundamentally outgrown the 1995 Data Protection Directive. By the mid-2010s, practices that were once technically difficult — persistent cross-site tracking, invisible data brokers, consent obtained through dark patterns — had become standard business operations. The GDPR was designed to rebalance this relationship by making data subjects the owners of their personal data, not the subjects of it.
Unlike a directive, which requires transposition into national law, the GDPR applies directly and uniformly in all 27 EU member states without domestic legislation. It also applies to the United Kingdom through the UK GDPR, a retained version of the original regulation post-Brexit. For practical purposes, a website serving both EU and UK users must satisfy both frameworks — which are nearly identical in their consent and tracking requirements.
The regulation is enforced by national Data Protection Authorities (DPAs). These are independent supervisory bodies that receive complaints, conduct investigations, and levy fines. The Irish Data Protection Commission (DPC) is the lead authority for many major US technology companies that have their EU headquarters in Ireland, which is why enforcement actions against Meta, Google, and LinkedIn have frequently originated from Dublin.
Who Must Comply with GDPR?
GDPR applies to any organisation that processes the personal data of people located in the EU, regardless of where the organisation itself is based. A company headquartered in California, Tokyo, or Sydney must comply if it offers goods or services to EU residents, or if it monitors their online behaviour. The regulation's extraterritorial scope in Article 3 is intentional — it closes the loophole that allowed non-EU companies to sidestep data protection laws.
The regulation distinguishes between two main roles. A data controller determines the purposes and means of processing personal data — typically the website owner or the business running the site. A data processor acts on behalf of the controller — typically a third-party service provider such as an analytics vendor, cloud hosting provider, or email marketing platform. Both can be held liable, but controllers bear the primary legal responsibility.
Small organisations are not exempt from the core obligations. While GDPR includes limited exceptions for businesses with fewer than 250 employees regarding some record-keeping requirements, all organisations regardless of size must have a lawful basis for every act of data processing, honour data subject rights, and implement appropriate security measures. The size of a business affects fine proportionality — not whether the law applies.
The Six Lawful Bases for Processing Personal Data
Every act of personal data processing under GDPR must be grounded in one of six lawful bases set out in Article 6: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. There is no hierarchy — all six are equally valid where they genuinely apply. The critical requirement is that the lawful basis must be identified and documented before processing begins, not selected retrospectively to justify existing practices.
Consent is the most commonly invoked basis for marketing, advertising, and analytics. It must be freely given, specific, informed, and unambiguous — meaning it requires a clear affirmative action. Pre-ticked checkboxes, consent bundled with terms of service, and consent obtained through confusing or coercive interfaces are all invalid. The EDPB Guidelines 05/2020 explicitly state that cookie walls — where consent to tracking is required to access content — are invalid unless genuine alternative access exists.
Legitimate interests (Article 6(1)(f)) is often misapplied as a catch-all basis for tracking and advertising. It requires a three-part balancing test: the interest must be legitimate, the processing must be necessary, and the interest must not be overridden by the data subject's rights and freedoms. Behavioural advertising and third-party cross-site tracking consistently fail this test because the privacy impact on individuals outweighs the commercial benefit to the controller.
Consent on Websites: What Valid Consent Looks Like
Under Article 7, consent must be as easy to withdraw as to give. This seemingly simple requirement has profound implications for consent banner design. If accepting all cookies requires one click and rejecting requires navigating through three sub-menus or disabling categories individually, the consent mechanism fails the freely-given test. EU regulators have consistently ruled that reject must be offered at the same visual prominence and interaction depth as accept.
Granularity is mandatory. Users must be able to consent or object separately to different categories of processing — analytics, advertising, personalisation, and functional cookies must each be independently controllable. Presenting a single 'Accept All Cookies' toggle that bundles all categories is not valid consent. Users who accept only analytics should have analytics cookies set; advertising trackers should not fire for those users.
Consent records must be stored. If a regulator or data subject requests proof that consent was obtained, the controller must be able to demonstrate the specific consent signal, the version of the privacy notice shown at that time, and the date and mechanism of consent. Consent Management Platforms (CMPs) typically provide this audit trail — but only if they are correctly configured to block all non-essential scripts until after a positive consent signal is received.
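The granular, recorded, revocable consent gate described above, as an added example that is not ConsentLens code or any particular CMP's API. The tag registry, category names and script URLs are constructed for illustration.

```javascript
// Added example (not ConsentLens code): keep every non-essential tag blocked
// until a granular consent signal exists, and keep the audit record a
// controller must be able to produce. Registry and URLs are placeholders.
const TAG_REGISTRY = [
  { name: "site-session", category: "essential", src: "/js/session.js" },
  { name: "web-analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ad-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
  { name: "recommendations", category: "personalisation", src: "https://reco.example/p.js" },
];

// The audit record: which categories were granted, which notice version was
// shown, when, and through which mechanism (e.g. "banner-click").
function recordConsent(granted, noticeVersion, mechanism, now = new Date()) {
  const allowed = new Set(["analytics", "advertising", "personalisation", "functional"]);
  const categories = [...new Set(granted)].filter((c) => allowed.has(c)).sort();
  return { categories, noticeVersion, mechanism, timestamp: now.toISOString(), withdrawn: false };
}

// Withdrawal is a new record, not an edit: the original signal stays in the trail.
function withdrawConsent(record, now = new Date()) {
  return { ...record, categories: [], withdrawn: true, timestamp: now.toISOString() };
}

// Essential tags never need consent; everything else runs only if its
// category is in the consent record. No record means essential tags only.
function tagsPermitted(record, registry = TAG_REGISTRY) {
  const granted = new Set(record ? record.categories : []);
  return registry
    .filter((t) => t.category === "essential" || granted.has(t.category))
    .map((t) => t.name);
}

// Inject only the permitted tags. `inject` is swappable so the gate can be
// exercised outside a browser; the default appends a <script> element.
function applyConsent(record, registry = TAG_REGISTRY, inject = defaultInject) {
  const permitted = new Set(tagsPermitted(record, registry));
  registry.filter((t) => permitted.has(t.name)).forEach((t) => inject(t));
  return [...permitted];
}

function defaultInject(tag) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}
```

A user who accepts only analytics gets `site-session` and `web-analytics` injected; the advertising pixel never loads for them, and a later withdrawal leaves only the essential tag permitted.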
Data Subject Rights Under GDPR
GDPR grants eight categories of enforceable rights to individuals. The right of access (Article 15) allows any person to request a copy of all personal data held about them, the purposes of processing, and the recipients. The right to erasure (Article 17) enables deletion requests, though this right is not absolute — it does not apply where processing is necessary for legal compliance or public interest tasks.
The right to data portability (Article 20) enables users to receive their data in a structured, machine-readable format and to transmit it to another controller. This right only applies to automated processing based on consent or contract — not to legitimate interests. The right to object (Article 21) lets individuals stop processing for direct marketing purposes at any time, without requiring justification. Controllers must cease this processing immediately upon receiving an objection.
Controllers must respond to all data subject requests within one calendar month. For complex or high-volume requests, this can be extended by a further two months with notification to the requester. Refusing a request without valid legal justification, or ignoring it entirely, is itself a GDPR violation. DPAs frequently receive complaints specifically about controllers failing to respond to access requests on time.
Data Protection Officers and Accountability
A Data Protection Officer (DPO) is mandatory for three categories of organisation: public authorities, organisations that carry out large-scale systematic monitoring of individuals (such as behavioural advertising networks), and organisations that process special category data at scale. The DPO must have expert knowledge of data protection law, must not be conflicted by other duties, and must be reachable by both data subjects and the supervisory authority.
Even where a DPO is not legally required, Article 30 mandates that controllers maintain Records of Processing Activities (RoPA). These records document the categories of data processed, their purposes, recipients, retention periods, international transfer safeguards, and security measures. RoPA documents are the primary evidence reviewed during regulatory investigations and must be available on request.
Accountability is a core GDPR principle (Article 5(2)). Controllers cannot simply claim compliance — they must be able to demonstrate it through documented data protection impact assessments (DPIAs), privacy-by-design processes, staff training records, data processor contracts with appropriate Article 28 clauses, and ongoing audit and review processes.
Breach Notification: The 72-Hour Rule
Article 33 requires that personal data breaches posing a risk to individuals' rights and freedoms be notified to the competent supervisory authority within 72 hours of the controller becoming aware of the incident. Not all breaches require notification — the threshold is whether the breach is 'likely to result in a risk'. Low-risk incidents, such as the loss of encrypted data where the key remains secure, may not trigger the notification obligation.
Where a breach poses a high risk to affected individuals — for example, the exposure of passwords, financial data, health records, or identity documents — Article 34 requires direct individual notification without undue delay. These notifications must include a plain-language description of the breach, the types of data affected, likely consequences, and the measures taken or proposed to address it.
The 72-hour clock is widely misunderstood. It begins when the controller first becomes aware that a breach has occurred — even if the full scope is not yet known. Controllers can notify with incomplete information and supplement later. The most serious GDPR fine involving breach notification was the €50 million sanction against Google in France, where the CNIL found consent mechanisms to be inadequate across the entire product.
How ConsentLens Scans Your Website for GDPR Compliance
ConsentLens scans websites from a simulated EU user perspective — using an EU locale and Berlin geolocation to trigger GDPR-relevant consent banners. This is important because many sites serve different cookie banners to EU visitors than to US or global visitors. Scanning without EU geolocation can produce a false-negative result, missing consent mechanisms that are only shown in EU jurisdictions.
The scanner captures all cookies set during page load, logs every third-party network request, detects the presence and type of consent management platforms, and records whether any trackers fire within the first 500 milliseconds of page load. Each of these signals maps directly to a specific GDPR or ePrivacy requirement. A tracker firing in the first 500ms before any user interaction is almost certainly firing before consent — a High-severity violation.
Every scan produces a 0–100 compliance score broken into four sub-dimensions, a prioritised list of compliance issues each with specific fix instructions, and evidence in the form of the exact cookie names or request URLs that triggered each issue. For details on how the score is calculated, see the scoring guide. For a full technical explanation of the detection methodology, see the methodology documentation.
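The pre-consent rule from the two paragraphs above, applied to a captured request log, as an added example that is not ConsentLens's own scanner. The tracker host list, the request log, the site host and the consent timing are all constructed for illustration; a real scan would take them from the browser session.

```javascript
// Added example, not ConsentLens's scanner: apply the pre-consent rule to a
// captured request log. Tracker hosts, log and timings are constructed.
const TRACKER_HOSTS = { "analytics.example": "analytics", "ads.example": "advertising", "pixel.example": "advertising" };
const PRE_CONSENT_WINDOW_MS = 500;

// Hostname of a URL, or null so one malformed log entry cannot abort the scan.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Label a request first-party, tracker (known host), other third-party, or unparsable.
function classifyRequest(req, siteHost) {
  const host = hostOf(req.url);
  if (!host) return { ...req, kind: "unparsable" };
  if (host === siteHost || host.endsWith("." + siteHost)) return { ...req, kind: "first-party" };
  const category = TRACKER_HOSTS[host];
  return { ...req, kind: category ? "tracker" : "third-party", category };
}

// `consent` is null (no signal captured) or { atMs, categories } from the
// consent click. Each tracker request is tagged with the first rule it breaks:
// fired inside the first 500 ms, fired before the click, or fired after the
// click for a category the user did not grant. Evidence is the exact URL.
function detectPreConsentTracking(log, siteHost, consent = null) {
  const issues = [];
  for (const raw of log) {
    const req = classifyRequest(raw, siteHost);
    if (req.kind !== "tracker") continue;
    let rule = null;
    if (req.tMs <= PRE_CONSENT_WINDOW_MS) rule = "tracker-fired-in-first-500ms";
    else if (consent === null || req.tMs < consent.atMs) rule = "tracker-fired-before-consent";
    else if (!consent.categories.includes(req.category)) rule = "tracker-fired-without-category-consent";
    if (rule) issues.push({ severity: "High", rule, category: req.category, evidence: req.url, firedAtMs: req.tMs });
  }
  return issues;
}

// Constructed log of a hypothetical scan of shop.example; consent clicked at 6000 ms.
const SAMPLE_LOG = [
  { tMs: 120, url: "https://shop.example/app.js" },
  { tMs: 310, url: "https://analytics.example/collect?v=1" },
  { tMs: 2900, url: "https://ads.example/pixel.gif" },
  { tMs: 7100, url: "https://pixel.example/sync" },
  { tMs: 7150, url: "https://cdn.shop.example/font.woff2" },
  { tMs: 7200, url: "not a url" },
];
const SAMPLE_CONSENT = { atMs: 6000, categories: ["analytics"] };
```

Against the sample log this yields three High issues: the analytics hit at 310 ms (inside the 500 ms window), the ad pixel at 2900 ms (before the click), and the sync at 7100 ms (advertising was never granted); the first-party CDN request and the malformed entry are ignored.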