RGPDScan/Blog/GDPR Checklist
Practical guide 202612 min read- May 16, 2026

GDPR Checklist 2026: 30 Points to Verify

GDPR compliance is not just about installing a cookie banner. Here are the 30 points every business must verify in 2026, according to CNIL and EDPB guidelines.

Note: This checklist does not replace a legal audit. RGPDScan automates the verification of 20+ of these points in 60 seconds.

Cookie banner & consent

5 points
Cookie banner shown before any cookie is set
"Reject All" button as visible as "Accept All"
No pre-ticked boxes
Ability to withdraw consent at any time
Consent log kept as proof

Cookies & trackers

5 points
No cookie placed before consent
Full cookie list with duration and purpose
Third-party cookies identified (Google Analytics, Facebook Pixel…)
Non-EU transfers documented
Legal basis for each cookie defined

Mandatory documents

5 points
Up-to-date accessible Privacy Policy
Separate or integrated Cookie Policy
Complete legal notices (publisher, host)
Terms of Use / Terms of Sale for e-commerce
DPO appointed if required

Data subject rights

4 points
Right of access form (Art. 15)
Data deletion procedure (Art. 17)
Data portability option (Art. 20)
Response time ≤ 30 days respected

Technical security

4 points
HTTPS active on the entire site
Security headers configured (CSP, HSTS, X-Frame-Options)
Personal data encrypted at rest
Data breach response plan in place

Non-EU transfers

4 points
Server locations documented
Standard contractual clauses (SCC) for US transfers
Google Analytics in EU compliance mode
No Google Fonts loaded from Google servers

Child protection

3 points
Age verification if service targets minors
No dark patterns targeting minors
Parental consent if under 15 (France)
0/30points verified

Use RGPDScan to automate the verification of 20+ of these points and get your compliance score in 60 seconds.

FAQ

How long does a full GDPR audit take?
Manually, a complete GDPR audit takes 2 to 3 working days. RGPDScan automates the verification of 20+ points from this checklist in 60 seconds, allowing you to quickly prioritize urgent fixes.
What is the maximum GDPR fine?
The maximum fine under the GDPR is €20 million or 4% of annual global turnover, whichever is higher. In France, the CNIL is the supervisory authority empowered to issue these fines.
Is a cookie banner enough to be GDPR compliant?
No. The cookie banner is just one of 30+ compliance points to verify. Without an up-to-date privacy policy, data subject rights procedures, data security measures, or documentation of non-EU transfers, your site remains non-compliant.

Automate your GDPR checklist

RGPDScan automatically verifies 20+ of these points in 60 seconds. Get your compliance score for free.