How to Fix Every GDPR Compliance Finding
The GDPR Audit checks your site against the General Data Protection Regulation and the UK GDPR: cookie consent, privacy policy clarity, data subject rights, lawful basis declarations, processor contracts, breach-response readiness and ePrivacy compliance. Fines can reach 4% of global turnover or £17.5m, whichever is greater. This index covers fixes for every finding the audit raises. This is not legal advice; consult a solicitor for your jurisdiction and risk profile.
By finding type
Pick the finding matching yours:
🍪 Fix cookie consent banner PLANNED
The banner must offer Accept and Reject with equal prominence. A pre-ticked "Accept" is illegal, and a dark-pattern "Accept all" that is bigger than "Reject all" is illegal under recent CNIL and ICO rulings. The compliant pattern: granular toggles, no pre-tick, clear language, easy to revisit.
📄 Fix incomplete privacy policy PLANNED
Article 13/14 mandate: identity of controller, purposes, lawful basis, recipients, retention, subject rights, complaint route. Most policies miss 3-4 of these. The compliant policy template, written in plain English (not legalese).
⚖️ Fix missing data subject rights process PLANNED
Subjects have rights to access, rectification, erasure, portability, restriction, objection. You must respond within one month. The intake form, identity verification, response template, and the case-management process to avoid missing deadlines.
📜 Fix unclear lawful basis PLANNED
Every processing activity needs one of six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. Most sites blanket-claim "legitimate interests" without doing the balancing test. The LIA template that holds up.
🤝 Fix missing processor contracts PLANNED
Every third party that processes personal data on your behalf needs an Article 28 contract — analytics, hosting, email, CRM, ad networks. Most off-the-shelf DPAs cover the requirements. The audit pattern: list every vendor, check each has a signed DPA on file.
🚨 Fix missing breach-response plan PLANNED
Article 33: notify the ICO (or equivalent) within 72 hours of becoming aware of a breach. Article 34: notify affected subjects if high risk. The IR playbook: detection, containment, notification, post-mortem. The template you fill in within the first hour.
🌍 Fix non-compliant international transfers PLANNED
Data sent to the US, India, Brazil, etc. needs Standard Contractual Clauses, an adequacy decision, or a derogation. The 2023 EU-US Data Privacy Framework and what it does and doesn't cover. Audit your processor list for transfer mechanisms.
📊 Fix ePrivacy / tracking before consent PLANNED
ePrivacy says no tracking cookies, pixels or fingerprints before consent. Google Analytics, Meta Pixel, marketing scripts must all load conditionally on consent. The Consent Mode v2 patterns for GA4 and the legitimate-interest carve-outs that don't apply to tracking.
By business type
Compliance patterns vary by what you process:
🛒 Fix GDPR for e-commerce PLANNED
Checkout flows that capture only what's necessary, retention periods for transactional data, marketing-opt-in done legally, the Klaviyo/Mailchimp consent pipeline.
💼 Fix GDPR for B2B SaaS PLANNED
Controller-vs-processor distinction, customer-facing DPAs, sub-processor disclosure, the trust-centre page that B2B buyers want to see, and SOC2-GDPR-ISO27001 stacking.
📰 Fix GDPR for content sites PLANNED
Comment systems, newsletter signups, ad-network consent, the IAB TCF framework and whether you actually need it. Lean compliance for content businesses without lots of personal data.
What our GDPR audit checks
The audit scans for cookie consent compliance, privacy policy completeness, data subject rights process visibility, lawful basis declarations, third-party tracking before consent, processor disclosure and breach-notification readiness. For the complete reference, see the GDPR Guide or sample audit.
🔒 Audit your compliance first
Run the audit. Most sites have 4-6 findings that can be fixed in a week and remove material regulatory risk.