GDPR Checklist for Developers 2026: Everything You Need to Be Compliant

GDPR Quick Facts for Developers

• Applies to any site processing data of EU/UK residents — regardless of where you are based
• Maximum fine: €20 million or 4% of global annual turnover (whichever is higher)
• A data breach must be reported within 72 hours
• You need a lawful basis for every type of data processing

The Developer GDPR Checklist

Privacy Policy

• Published at a stable URL (e.g. /privacy-policy)
• Linked from footer on every page
• Covers: what data you collect, why, who you share it with, how long you keep it, and users rights
• Use our Privacy Policy Generator as a starting point
• Written in plain language — no legal jargon

Cookie Consent

• Cookie banner appears before non-essential cookies are set
• Consent is freely given, specific, informed, and unambiguous
• No pre-ticked boxes
• Users can withdraw consent as easily as they give it
• Analytics cookies (GA4, Hotjar) require explicit consent
• Essential cookies (session, security) do not require consent
• Consent records are stored with timestamp and IP

Data Minimisation

• Only collect data you actually need
• Delete data when it is no longer needed
• Set database TTLs for logs and analytics records
• Anonymise or pseudonymise where possible

Security

• All connections over HTTPS (check with our SSL Checker)
• HTTP security headers set (check with our HTTP Headers Checker)
• Database connections encrypted
• Passwords hashed with bcrypt or Argon2 (never MD5 or SHA1)
• Dependencies kept up to date
• Access logs retained for 90 days minimum

Data Subject Rights

You must be able to fulfil these within 30 days of request:

• Right of access — export all data held about a user
• Right to erasure — delete all data including backups
• Right to rectification — correct inaccurate data
• Right to portability — export data in machine-readable format (JSON/CSV)
• Right to object — opt out of processing for marketing

Third-Party Processors

• List every third-party service that receives user data
• Sign Data Processing Agreements (DPAs) with each processor
• Google Analytics: sign DPA, enable IP anonymisation, set 14-month data retention
• Check processors are covered by EU adequacy decisions or SCCs

Breach Response

• Written breach response procedure exists
• Severity assessment checklist prepared
• Contact details for your supervisory authority saved
• 72-hour notification timeline understood and documented
• User notification template prepared for high-risk breaches

Useful Tools

• Privacy Policy Generator — create a compliant privacy policy
• SSL Checker — verify HTTPS is correctly configured
• HTTP Headers Checker — check security headers
• Email Breach Checker — check if your users data was leaked