How to Run a GDPR Compliance Audit on Your Website in 2026

GDPR enforcement is accelerating — €2.9 billion in cumulative fines since 2018. This practical guide shows you exactly how to audit your website for GDPR compliance, from cookie consent to PII exposure, using both manual and automated methods.

Governer Editorial Team · 11 min read

Why GDPR Audits Still Matter in 2026

The General Data Protection Regulation has been enforceable since May 2018, but enforcement has reached a new level of intensity. The Irish DPC fined Meta €1.2 billion in 2023. The French CNIL has issued over 50 fines in 2025 alone. And with the European Data Protection Board's coordinated enforcement actions targeting AI system providers, any organisation processing EU personal data is firmly in scope.

For AI companies in particular, GDPR intersects with EU AI Act requirements — your AI training data, inference logs, and user interaction records are all likely to involve personal data. This guide gives you a practical audit methodology you can run today.

Phase 1: Cookie Consent Audit

Cookie consent is the most visible GDPR requirement and the most commonly violated. The rule itself comes from Article 5(3) of the ePrivacy Directive, with GDPR supplying the consent standard (Article 4(11)): non-essential cookies and equivalent storage (analytics, advertising, personalisation; localStorage entries and fingerprinting count too) require prior, freely given, specific, informed and unambiguous consent before anything is written to or read from the user's device.

What to check:

  • Consent banner fires before cookies load: Use your browser's developer tools to confirm that no analytics or advertising cookies exist before the user clicks "Accept." Check the Network tab for Set-Cookie response headers, and the Application (Chrome) or Storage (Firefox) panel for cookies written from JavaScript via document.cookie, which never show up in response headers. Clear site data, load the page in a fresh profile and inspect before touching the banner. This is the most common failure mode.
  • Granular consent options: The banner must offer separate toggles for different categories (analytics, marketing, functional). A single "Accept All" button without a "Manage Preferences" option fails the granularity requirement.
  • Refuse option is equally prominent: "Accept" and "Decline" buttons must be equally visible. Dark patterns (small grey "decline" text vs. large green "accept" button) have been fined by multiple DPAs.
  • Consent stored and demonstrable: Keep a record of what the user was shown, what they chose and when; Article 7(1) puts the burden of demonstrating consent on you. GDPR sets no fixed expiry, and consent stays valid while the processing it covers is unchanged, but DPAs recommend refreshing it periodically (the CNIL recommends every six months) and it must be re-collected whenever new purposes or vendors are added.
  • No pre-ticked boxes: Consent must be given by a positive opt-in action.

Tools: Use Governer's website scan, or browser extensions such as CookieYes Checker, or uBlock Origin's logger alongside the Network tab, to identify pre-consent cookie drops.

Phase 2: Privacy Policy Audit

Under GDPR Articles 13 and 14, your privacy policy must contain specific information depending on whether you collect data directly from users or from third-party sources.

Required disclosures (Article 13):

  • Identity and contact details of the data controller
  • Contact details of the Data Protection Officer (if applicable)
  • Purposes and legal bases for each processing activity
  • Legitimate interests relied upon (if applicable)
  • Any third-party recipients or categories of recipients
  • International transfer mechanisms (if data leaves the EEA)
  • Retention periods or criteria for determining retention
  • All eight data subject rights, how to exercise them, and response timelines
  • Right to withdraw consent (where processing is consent-based)
  • Right to lodge a complaint with a supervisory authority
  • Whether providing personal data is a statutory/contractual requirement
  • Existence of any automated decision-making including profiling, logic, significance

Run your privacy policy URL through Governer's website compliance scanner to automatically check for missing required disclosures.

Phase 3: PII Exposure Scan

Inadvertent exposure of personal data is one of the leading causes of GDPR fines and breach notifications. (GDPR speaks of "personal data", which is broader than the US notion of PII: IP addresses, cookie IDs and device identifiers all count, per Recital 30.) It includes personal data visible in URLs, logged to analytics services, included in JavaScript errors, or transmitted to third parties without a lawful basis.

Common PII exposure vectors:

  • Email in query parameters: e.g. /confirm?email=user@example.com. The request line is recorded in server access logs, CDN and proxy logs, web analytics and browser history, and it travels to other sites in the Referer header unless the Referrer-Policy strips it (modern browsers default to strict-origin-when-cross-origin, which sends only the origin cross-site, but a page that sets no-referrer-when-downgrade or unsafe-url leaks the full URL). Use a POST body or a short opaque token instead.
  • Form data in analytics events: Many Google Analytics and Mixpanel integrations accidentally log form field values including names, emails, and phone numbers
  • API responses leaking excess data: REST APIs returning full user objects when only a name field is needed
  • Error logs containing PII: Stack traces that include user-provided input with personal data, shipped to error tracking services like Sentry
  • Third-party scripts with network access: Chat widgets, marketing pixels, A/B testing tools that can read DOM-level data including form values

Automated scanning tools, Governer included, can detect personal-data patterns in network requests, page source and JavaScript bundles. Treat regex hits as leads to verify rather than findings: a pattern scanner cannot tell an order number from a phone number.

Phase 4: Third-Party Tracker Inventory

Every third-party script on your website is a potential GDPR liability. Where a vendor processes personal data on your behalf it is a processor, and Article 28 requires a Data Processing Agreement (DPA) with it. Where the vendor also uses the data for its own purposes, as many advertising pixels do, you are joint controllers (Article 26; the CJEU's Fashion ID ruling on the Facebook Like button), and a DPA alone does not cover it. Either way you remain accountable for what the script does once it is on your page.

  • Conduct a full third-party script inventory using a tool like RequestMap or BuiltWith, or by exporting a HAR from the browser's Network tab and listing every host that is not yours; crawl more than the home page, since checkout, login and account pages often load different vendors
  • For each script, document: purpose, data processed, legal basis, and DPA status
  • Remove any scripts for which you cannot identify a lawful basis or obtain a DPA
  • Ensure scripts that process personal data are loaded only post-consent if consent is the legal basis
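The checks in Phases 1, 3 and 4 can all be run against one artifact you already have: the HAR file the browser's Network tab exports ("Save all as HAR with content"). The Node.js script below is an added example written for this article, not Governer's scanner or any other tool the article names. It assumes the auditor noted the moment they clicked "Accept" so that responses before that timestamp can be checked for Set-Cookie headers, scans every request URL for email addresses and E.164 phone numbers, and lists the distinct third-party hosts for the tracker inventory. The HAR embedded in it is constructed for illustration; the host names, cookie names and consent time are made up.

```javascript
// Added example written for this article (not Governer's scanner): audit a DevTools HAR
// export for pre-consent cookies (Phase 1), personal data in request URLs (Phase 3) and
// the third-party host inventory (Phase 4). Run with: node gdpr_har_audit.js
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// E.164 only: "+" and 8-15 digits once separators are stripped. National formats need a
// locale-aware library, which this example deliberately leaves out.
const E164_RE = /^\+\d{8,15}$/;

// Constructed HAR 1.2 fragment; hosts, cookies and timestamps are invented. A real one comes
// from the Network tab ("Save all as HAR with content") and carries many more fields.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-01-10T10:00:00.000Z", request: { url: "https://shop.example/" },
    response: { headers: [{ name: "Set-Cookie", value: "sid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax" },
                          { name: "Set-Cookie", value: "ab_variant=B; Path=/; Max-Age=2592000" }] } },
  { startedDateTime: "2026-01-10T10:00:00.150Z",
    request: { url: "https://stats.analytics-vendor.example/collect?v=1&tid=X-1&uid=jane.doe%40example.com" },
    response: { headers: [{ name: "set-cookie", value: "_ga=GA1.2.1; Domain=.analytics-vendor.example; Path=/" }] } },
  { startedDateTime: "2026-01-10T10:00:00.300Z",
    request: { url: "https://shop.example/confirm?email=jane.doe@example.com&tel=%2B44%207700%20900123&order=123456789" },
    response: { headers: [] } },
  { startedDateTime: "2026-01-10T10:00:01.000Z",
    request: { url: "https://shop.example/api/users/jane.doe%40example.com/orders" }, response: { headers: [] } },
  { startedDateTime: "2026-01-10T10:00:09.000Z", // after the consent click recorded in AUDIT
    request: { url: "https://pixel.adnet.example/track?cid=9f2c" },
    response: { headers: [{ name: "Set-Cookie", value: "adid=9f2c; Domain=.adnet.example" }] } },
] } };

// Assumed audit parameters: site under test, the moment the auditor clicked "Accept" during
// the capture, and the first-party cookies the site claims are strictly necessary.
const AUDIT = { siteHost: "shop.example", consentTime: "2026-01-10T10:00:05.000Z", essentialCookies: ["sid"] };

// Simplification: no public-suffix list, so a site is taken to own all of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Cookie names from Set-Cookie response headers; header-name casing varies by server.
function setCookieNames(entry) {
  return (entry.response.headers || [])
    .filter((h) => h.name.toLowerCase() === "set-cookie")
    .map((h) => h.value.split(";")[0].trim().split("=")[0]);
}

// Phase 1: any cookie set before the consent click is a finding unless it is first-party and
// allowlisted. Third-party cookies before consent fail outright; unlisted first-party ones
// need a human to decide whether they are really necessary.
function auditPreConsentCookies(har, { siteHost, consentTime, essentialCookies = [] }) {
  const consentMs = Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries.filter((e) => Date.parse(e.startedDateTime) < consentMs)) {
    const host = new URL(entry.request.url).hostname;
    const firstParty = isFirstParty(host, siteHost);
    for (const cookie of setCookieNames(entry)) {
      if (firstParty && essentialCookies.includes(cookie)) continue;
      findings.push({ host, cookie, firstParty, severity: firstParty ? "review" : "fail" });
    }
  }
  return findings;
}

const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Phase 3: personal data in the request line, which servers, CDNs, proxies and analytics
// pipelines log by default. URLSearchParams hands back decoded values; path segments are decoded here.
function findPiiInUrl(rawUrl) {
  const url = new URL(rawUrl);
  const hits = [];
  for (const [key, value] of url.searchParams) {
    if (EMAIL_RE.test(value)) hits.push({ where: `query:${key}`, kind: "email", value });
    if (E164_RE.test(value.replace(/[\s().-]/g, ""))) hits.push({ where: `query:${key}`, kind: "phone", value });
  }
  for (const seg of url.pathname.split("/")) {
    const decoded = safeDecode(seg);
    if (EMAIL_RE.test(decoded)) hits.push({ where: "path", kind: "email", value: decoded });
  }
  return hits;
}

function auditPiiExposure(har, { siteHost }) {
  return har.log.entries.flatMap((entry) => {
    const host = new URL(entry.request.url).hostname;
    return findPiiInUrl(entry.request.url).map((hit) => ({ host, thirdParty: !isFirstParty(host, siteHost), ...hit }));
  });
}

// Phase 4: distinct third-party hosts, i.e. the vendor list that needs purpose, legal basis
// and DPA or joint-controller status documented for each entry.
function thirdPartyHosts(har, { siteHost }) {
  const hosts = har.log.entries.map((e) => new URL(e.request.url).hostname).filter((h) => !isFirstParty(h, siteHost));
  return [...new Set(hosts)].sort();
}

function runAudit(har = SAMPLE_HAR, opts = AUDIT) {
  return { preConsentCookies: auditPreConsentCookies(har, opts), piiLeaks: auditPiiExposure(har, opts),
           thirdPartyHosts: thirdPartyHosts(har, opts) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the constructed capture this reports the analytics vendor's _ga cookie as a pre-consent fail, the first-party ab_variant cookie as needing review, four personal-data leaks in URLs (one of them to a third party) and two third-party hosts. Two caveats a real run must respect: cookies written from JavaScript never appear as Set-Cookie headers, so compare the Application or Storage panel before and after the click as well; and the regexes flag leads, not findings, since order=123456789 is left alone only because the phone check insists on a leading "+", and a number in national format slips through unless you add a locale-aware library. The HAR itself contains every cookie and header captured, so store and delete it under the same rules as the data you are auditing.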

Phase 5: Data Subject Rights Implementation

GDPR grants eight fundamental rights to data subjects (Chapter III). You must act on a request without undue delay and in any event within one month of receipt (Article 12(3)), extendable by a further two months for complex or numerous requests, and your website must give users a workable way to exercise each of them:

  • Right to be informed (Articles 13 and 14, the privacy notice checked in Phase 2)
  • Right of access (Subject Access Request, SAR; Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten"; Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (including to profiling and direct marketing; Article 21)
  • Rights related to automated decision-making (Article 22)

Withdrawal of consent is not a Chapter III right, but Article 7(3) requires that it be as easy as giving consent, so the cookie and marketing preferences must stay reachable after the banner is gone, for example from a persistent link in the footer.

Check: does your website have a clear, accessible mechanism to exercise each right? Most websites fail on data portability (downloadable data export) and the right to object to profiling.

Automating Your GDPR Audit

Manual audits are thorough but slow. Governer's website scanner automates the detection of: missing cookie consent banners, pre-consent cookie drops, privacy policy incompleteness, PII in URLs and network requests, and third-party tracker risk scores. A scan takes under 60 seconds and outputs a GDPR compliance report with a Trust Score you can share with your DPO, legal team, or enterprise customers. Run your free GDPR website audit now.

Ready to check your AI system's compliance?

Run a free scan against the EU AI Act, GDPR, NIST AI RMF, and ISO 42001 in under 60 seconds. No credit card required.

Run Free Compliance Scan →