Practical guide 202612 min read- May 16, 2026
GDPR Checklist 2026: 30 Points to Verify
GDPR compliance is not just about installing a cookie banner. Here are the 30 points every business must verify in 2026, according to CNIL and EDPB guidelines.
Note: This checklist does not replace a legal audit. RGPDScan automates the verification of 20+ of these points in 60 seconds.
Cookie banner & consent
5 pointsCookie banner shown before any cookie is set
"Reject All" button as visible as "Accept All"
No pre-ticked boxes
Ability to withdraw consent at any time
Consent log kept as proof
Cookies & trackers
5 pointsNo cookie placed before consent
Full cookie list with duration and purpose
Third-party cookies identified (Google Analytics, Facebook Pixel…)
Non-EU transfers documented
Legal basis for each cookie defined
Mandatory documents
5 pointsUp-to-date accessible Privacy Policy
Separate or integrated Cookie Policy
Complete legal notices (publisher, host)
Terms of Use / Terms of Sale for e-commerce
DPO appointed if required
Data subject rights
4 pointsRight of access form (Art. 15)
Data deletion procedure (Art. 17)
Data portability option (Art. 20)
Response time ≤ 30 days respected
Technical security
4 pointsHTTPS active on the entire site
Security headers configured (CSP, HSTS, X-Frame-Options)
Personal data encrypted at rest
Data breach response plan in place
Non-EU transfers
4 pointsServer locations documented
Standard contractual clauses (SCC) for US transfers
Google Analytics in EU compliance mode
No Google Fonts loaded from Google servers
Child protection
3 pointsAge verification if service targets minors
No dark patterns targeting minors
Parental consent if under 15 (France)
FAQ
How long does a full GDPR audit take?
Manually, a complete GDPR audit takes 2 to 3 working days. RGPDScan automates the verification of 20+ points from this checklist in 60 seconds, allowing you to quickly prioritize urgent fixes.
What is the maximum GDPR fine?
The maximum fine under the GDPR is €20 million or 4% of annual global turnover, whichever is higher. In France, the CNIL is the supervisory authority empowered to issue these fines.
Is a cookie banner enough to be GDPR compliant?
No. The cookie banner is just one of 30+ compliance points to verify. Without an up-to-date privacy policy, data subject rights procedures, data security measures, or documentation of non-EU transfers, your site remains non-compliant.