How to Audit Your Website for GDPR in 90 Minutes (No Lawyer Needed)
You don't need a compliance consultant to do a useful first-pass audit. With a scan tool, DevTools, and this checklist, you can identify the major gaps in 90 minutes and know exactly what to fix.
Step 1: Run an Automated Scan (10 minutes)
Start with automated tools to catch the obvious issues. Run your homepage URL through fixGDPR (which checks SSL, privacy policy, cookie consent, contact info, third-party scripts, form consent, and ToS). Also run it through cookiebot.com's scanner or cookie-checker.com to get a cookie inventory.
Document what the scanners find. You'll use this as your punch list. The automated scan won't catch everything — it misses issues that require human judgment — but it identifies the clear technical failures in minutes.
Step 2: Check Cookie Loading Order in DevTools (15 minutes)
Open an incognito window (to clear any existing consent state) and load your homepage. Open Chrome DevTools (F12), go to the Network tab, and filter by "cookie" or look at the Application tab → Cookies.
The question: which cookies are set before you interact with your consent banner? Refresh the page and watch the Network tab. If you see Google Analytics, Meta Pixel, or LinkedIn cookies before you've clicked "Accept" on your banner — you have a pre-consent tracking problem.
Also check: does your consent banner have a clear "Reject all" or "Decline" option that's as easy to click as "Accept all"? Open your banner and count the clicks. Accept should take the same number of clicks as Reject.
Step 3: Privacy Policy Completeness Check (20 minutes)
Open your privacy policy and check it against GDPR Article 13's required disclosures. The policy must contain:
- ☐ Identity and contact details of the data controller
- ☐ Contact details of your DPO (if applicable)
- ☐ Purposes and legal basis for each type of processing
- ☐ Legitimate interests (if used as a basis), with explanation
- ☐ Recipients or categories of recipients (third parties named)
- ☐ International transfer details and safeguards
- ☐ Data retention periods for each category
- ☐ User rights (access, rectification, erasure, portability, objection)
- ☐ Right to withdraw consent (if consent is the basis)
- ☐ Right to lodge a complaint with a supervisory authority
Step 4: Form Consent Audit (15 minutes)
Find every form on your site: contact form, newsletter signup, checkout, lead magnet download, account registration. For each one:
Does it link to the privacy policy? Is there a consent checkbox for marketing communications (unchecked by default)? Does the submission button text accurately describe what happens? Is only necessary data collected — or are you asking for a phone number on a newsletter signup form?
The data minimisation principle (Article 5(1)(c)) means you should only collect what you actually need. If you're asking for a company name and job title on a contact form because "it's useful," that's worth questioning.
Step 5: Third-Party Script Inventory (15 minutes)
In DevTools, go to the Sources tab (Chrome) or Debugger (Firefox) and expand the domain list. You'll see every domain that your site is loading resources from. Each external domain is a third party potentially receiving data about your visitors.
Make a list. For each: do you have a DPA (data processing agreement) with them? Is their script in your cookie banner's consent categories? Should it be gated behind consent?
Common unexpected findings: a YouTube embed loading before consent (YouTube sets cookies), a font loading from fonts.googleapis.com, Hotjar or Clarity that someone installed and forgot about, an old A/B testing script left on the page.
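As an added example (not from the original article or the fixGDPR tool), the script below turns the Step 2 cookie check and the Step 5 domain list into something you can re-run in the DevTools console. The first-party hosts, the consent-category mapping and the tracker cookie prefixes are assumptions you replace with your own; the sample capture is constructed.

```javascript
const FIRST_PARTY_HOSTS = new Set(["www.example.com", "cdn.example.com"]); // constructed
// Host -> consent category as configured in your banner (constructed; a real
// CMP exports its own mapping). Hosts missing here are reported as "ungated".
const CONSENT_CATEGORIES = {
  "www.googletagmanager.com": "analytics",
  "connect.facebook.net": "marketing",
};
// Cookie-name prefixes of trackers the article names. Illustrative only.
const TRACKER_COOKIE_PREFIXES = { _ga: "Google Analytics", _fbp: "Meta Pixel", li_: "LinkedIn" };

// Step 5: group loaded resource URLs by external host and tag each with its
// consent category so ungated third parties stand out.
function inventoryThirdParties(resourceUrls) {
  const byHost = new Map();
  for (const url of resourceUrls) {
    const host = new URL(url).hostname;
    if (FIRST_PARTY_HOSTS.has(host)) continue;
    const entry = byHost.get(host) ||
      { host, category: CONSENT_CATEGORIES[host] || "ungated", count: 0 };
    entry.count += 1;
    byHost.set(host, entry);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Step 2: given document.cookie captured before any click on the banner,
// return the tracker cookies that were already set (a pre-consent problem).
function preConsentTrackerCookies(cookieString) {
  const names = cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
  const hits = [];
  for (const name of names) {
    const match = Object.entries(TRACKER_COOKIE_PREFIXES).find(([p]) => name.startsWith(p));
    if (match) hits.push({ name, vendor: match[1] });
  }
  return hits;
}

// Constructed sample capture from an incognito load, before touching the banner.
// In DevTools: performance.getEntriesByType("resource").map(e => e.name), document.cookie.
const SAMPLE_RESOURCES = [
  "https://www.example.com/app.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://fonts.googleapis.com/css2?family=Inter",
  "https://www.youtube.com/embed/PLACEHOLDER",
  "https://static.hotjar.com/c/hotjar-PLACEHOLDER.js",
];
const SAMPLE_COOKIES = "_ga=GA1.1.1; session=abc; _fbp=fb.1.1; li_gc=MTs";
console.table(inventoryThirdParties(SAMPLE_RESOURCES));
console.table(preConsentTrackerCookies(SAMPLE_COOKIES));
```

Every row tagged "ungated" is a third party that is loading regardless of consent and belongs on your punch list.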
Step 6: Test the Deletion Flow (15 minutes)
Create a test account and go through the deletion process. Can you find the delete account option in your settings? Does it actually work? What happens to the data? Try submitting a deletion request via the method described in your privacy policy — email, contact form, or in-app button.
If you can't easily find how to delete your data as a user, your users can't either. The ICO has fined organisations specifically for making data deletion requests difficult to submit.
Document your findings
For each issue found, note: what the problem is, the relevant GDPR article or principle, the priority (critical/high/medium), and who's responsible for fixing it. A spreadsheet works fine. If you're ever asked by a DPA (data protection authority) to demonstrate you take compliance seriously, documented audits with remediation plans are strong evidence.
Start your audit in 30 seconds
Run a free automated GDPR scan to get your compliance score and a prioritised list of issues to work through.