GDPR compliance isn't just about privacy policies and cookie banners. Article 32 mandates specific technical and organizational measures to protect personal data — and regulators are increasingly auditing the technical implementation, not just the paperwork.
Since 2018, EU regulators have issued over €4 billion in GDPR fines. Many of the largest fines targeted technical failures: inadequate encryption, missing access controls, and insufficient breach detection. This guide covers the technical controls a website needs to meet those requirements.
Also see: Cookie Consent & GDPR Implementation Guide, PCI DSS Compliance Checklist, ISO 27001 Website Security Checklist, and SOC 2 Technical Controls for Startups.
GDPR Technical Requirements Overview
Article 32 requires "appropriate technical measures" including:
- Encryption of personal data — in transit and at rest (Article 32(1)(a))
- Confidentiality and integrity — access controls, security headers (Article 32(1)(b))
- Availability and resilience — redundancy (Article 32(1)(b)); timely restoration of access after an incident, which means tested backups (Article 32(1)(c))
- Regular testing — security scans, penetration testing (Article 32(1)(d))
- Data minimization — collect only what's necessary (Article 5(1)(c))
- Privacy by design — built-in data protection (Article 25)
Encryption: HTTPS & TLS CRITICAL
Every page that collects or displays personal data must use HTTPS. This includes login pages, contact forms, account pages, and any page with cookies that identify users.
# Verify TLS configuration
# Check SSL Labs grade (aim for A or A+): https://www.ssllabs.com/ssltest/
# Minimum TLS version: 1.2 (TLS 1.0 and 1.1 are deprecated by RFC 8996). Confirm from outside with
# `openssl s_client -connect example.com:443 -tls1_1`, which must fail to handshake.
# Apache (2.4.37+ can also express this as: SSLProtocol -all +TLSv1.2 +TLSv1.3)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Nginx
ssl_protocols TLSv1.2 TLSv1.3;
# Force HTTPS redirect
# Apache .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Nginx
server {
listen 80;
return 301 https://$host$request_uri;
}
HSTS (HTTP Strict Transport Security)
# Stops browsers from ever retrying plain HTTP for your domain, which defeats
# SSL-stripping (plaintext downgrade) attacks on the first request
Strict-Transport-Security: max-age=31536000; includeSubDomains
# Browsers only honour this header on HTTPS responses. includeSubDomains commits
# every subdomain to HTTPS, so inventory them first; roll out with a short max-age
# and raise it to one year once nothing breaks.
# See our full Security Headers Guide for more details
Privacy & Security Headers HIGH
# Headers that limit how personal data can leak from the browser
# Prevent data leakage via referrer (full URLs, which may carry tokens or identifiers, stay on-origin)
Referrer-Policy: strict-origin-when-cross-origin
# Restrict browser features that access personal data
Permissions-Policy: camera=(), microphone=(), geolocation=()
# Prevent clickjacking (protects user sessions; CSP frame-ancestors is the modern equivalent)
X-Frame-Options: SAMEORIGIN
# Mitigate XSS, which is how session cookies and user data usually get stolen.
# This policy blocks inline scripts and third-party scripts, so move inline code to
# files and whitelist any script host you actually need before deploying it.
Content-Security-Policy: default-src 'self'; script-src 'self'
# Prevent MIME sniffing
X-Content-Type-Options: nosniff
# Control cross-origin access
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: same-origin
See our complete Security Headers Guide for detailed configuration on Apache and Nginx.
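As an added example (not code from the original page), the following Python script audits a captured set of response headers against the recommendations in this section, plus the Set-Cookie flags recommended under Access Controls. Both header sets are constructed samples; the session cookie name `session` and the one-year HSTS minimum are assumptions taken from this page's own snippets.

```python
"""Audit a captured HTTP response against the header and cookie recommendations above."""
import re

# Constructed sample: a response with a short HSTS max-age, a leaky
# Referrer-Policy, a CSP that permits inline scripts, no clickjacking
# protection, and a session cookie missing HttpOnly and SameSite.
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Secure; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# The same response after applying the settings recommended on this page.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/"),
]

MIN_HSTS_AGE = 31536000  # one year (assumed minimum, matching the snippet above)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def header_values(headers, name):
    """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_hsts(headers):
    values = header_values(headers, "Strict-Transport-Security")
    if not values:
        return ["HSTS missing"]
    findings = []
    match = re.search(r"max-age=(\d+)", values[0], re.I)
    if not match or int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in values[0].replace(" ", "").lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_csp(headers):
    values = header_values(headers, "Content-Security-Policy")
    if not values:
        return ["CSP missing"]
    policy = parse_csp(values[0])
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("CSP script-src allows inline or wildcard scripts")
    if "frame-ancestors" not in policy and not header_values(headers, "X-Frame-Options"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    return findings


def check_referrer(headers):
    values = header_values(headers, "Referrer-Policy")
    if not values or values[0].strip().lower() not in SAFE_REFERRER:
        return ["Referrer-Policy missing or leaks full URLs cross-origin"]
    return []


def check_cookies(headers, session_names=("session",)):
    """Every cookie needs Secure; session cookies also need HttpOnly and SameSite."""
    findings = []
    for raw in header_values(headers, "Set-Cookie"):
        name_value, *attrs = [p.strip() for p in raw.split(";")]
        name = name_value.split("=", 1)[0]
        attrs_lower = {a.split("=")[0].lower(): a for a in attrs}
        if "secure" not in attrs_lower:
            findings.append(f"cookie {name} lacks Secure")
        if name in session_names:
            if "httponly" not in attrs_lower:
                findings.append(f"cookie {name} lacks HttpOnly")
            samesite = attrs_lower.get("samesite", "").split("=")[-1].lower()
            if samesite not in ("lax", "strict"):
                findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings


def check_misc(headers):
    findings = []
    if [v.lower() for v in header_values(headers, "X-Content-Type-Options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options: nosniff missing")
    if not header_values(headers, "Permissions-Policy"):
        findings.append("Permissions-Policy missing")
    return findings


def audit(headers):
    """Run every check and return the list of findings (empty means all checks passed)."""
    findings = []
    for check in (check_hsts, check_csp, check_referrer, check_cookies, check_misc):
        findings.extend(check(headers))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_HEADERS):
        print("FAIL:", finding)
    print("hardened set findings:", audit(HARDENED_HEADERS))
```

Point `audit()` at the headers of a real response (for example from `urllib.request` or `curl -I`) to turn this into a deployment check; the hardened set is there so you can see what a clean result looks like.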
Cookie Consent & Tracking CRITICAL
- No cookies before consent — non-essential cookies must not be set until the user explicitly agrees
- Granular consent — users must be able to choose categories (analytics, marketing, functional)
- Equal-weight choices — "Reject All" must be as prominent as "Accept All"
- Easy withdrawal — users must be able to change their consent at any time
- Consent records — store proof of when and how consent was given
For detailed implementation, see our Cookie Consent & GDPR Guide.
Access Controls HIGH
# Implement principle of least privilege
# Password requirements (NIST SP 800-63B aligned)
- Minimum 8 characters (12+ recommended); allow long passphrases and all printable characters
- Check new passwords against breached-password databases and reject matches
- No composition rules (uppercase/special-character requirements) and no forced periodic rotation
- Throttle failed attempts (NIST caps them at 100 consecutive failures); escalating delays are preferable to a hard lockout, which lets an attacker lock victims out of their own accounts
# Two-Factor Authentication (2FA)
- Require for admin accounts
- Offer for all user accounts
- Use TOTP (any authenticator app) or, preferably, WebAuthn/passkeys, which are phishing-resistant
# Session management
- Set secure cookie flags. SameSite=Strict is the safest but drops the cookie on cross-site navigations, so use Lax if users arrive logged in via external links; the __Host- prefix makes the browser enforce Secure, Path=/ and no Domain attribute
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/
- Implement an idle session timeout (15-30 minutes for sensitive data) plus an absolute lifetime
- Invalidate sessions on password change
- Limit concurrent sessions
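The password and throttling rules above, as an added Python example that is not code from the original page. The breached-password corpus is a constructed stand-in for the Have I Been Pwned data set (the lookup uses the same 5-character SHA-1 prefix split as its range API, so it can be pointed at real responses), and the throttle parameters are assumptions chosen for illustration.

```python
"""Password screening and login throttling in the NIST SP 800-63B style."""
import hashlib
import time

# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 digests like the Have I Been Pwned data set. In production, query
# the HIBP range API (send the first 5 hex characters, receive the matching
# suffixes) or a local mirror; the lookup below uses the same split.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty123", "letmein", "welcome1")
}


def sha1_prefix_suffix(password):
    """Split the SHA-1 the way the k-anonymity range API expects."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password, corpus=BREACHED_SHA1):
    prefix, suffix = sha1_prefix_suffix(password)
    # Only the prefix would ever leave your server; the match is done locally.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def validate_password(password, min_length=8):
    """Return a rejection reason, or None if the password is acceptable.

    Length and breach status are the only checks: no composition rules,
    in line with SP 800-63B section 5.1.1.2."""
    if len(password) < min_length:
        return "too short"
    if is_breached(password):
        return "found in breach corpus"
    return None


class LoginThrottle:
    """Per-account throttle: a few free attempts, then an escalating delay.

    Unlike a hard lockout this cannot be used to lock a victim out of their
    own account, and the clock is injectable so the behaviour is testable."""

    def __init__(self, free_attempts=5, base_delay=2.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def allowed(self, account):
        """(True, 0.0) if a login may be attempted now, else (False, seconds to wait)."""
        _, not_before = self._state.get(account, (0, 0.0))
        remaining = not_before - self.clock()
        return remaining <= 0, max(remaining, 0.0)

    def record_failure(self, account):
        """Register a failed attempt and return the delay imposed, in seconds."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures > self.free_attempts:
            delay = min(self.base_delay * 2 ** (failures - self.free_attempts - 1),
                        self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


if __name__ == "__main__":
    for candidate in ("short", "password", "correct horse battery"):
        print(candidate, "->", validate_password(candidate) or "ok")
```

Call `allowed()` before checking credentials and `record_failure()`/`record_success()` after; pair it with a per-IP limit at the reverse proxy, since an account-keyed throttle alone does not slow down password spraying across many accounts.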
Breach Detection & Notification CRITICAL
GDPR Article 33 requires notification to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; a later notification must explain the delay. The clock starts at awareness, so you need technical capabilities to:
- Detect breaches — logging, monitoring, intrusion detection
- Assess scope — determine what data was affected and how many individuals
- Contain the breach — isolate affected systems, revoke access
- Notify authorities — within 72 hours with required details
- Notify individuals — if high risk to their rights and freedoms
# Essential logging for breach detection
# Web server access logs (who accessed what)
# Application logs (authentication events, data access)
# Database audit logs (queries on personal data tables)
# Error logs (unusual patterns may indicate attacks)
# Log retention: long enough to detect and investigate breaches (typically 90 days
# minimum, 1 year recommended). Logs holding IP addresses and user IDs are personal
# data themselves, so document the retention period and purge or anonymize on schedule
# (storage limitation, Article 5(1)(e))
# Monitor for:
- Multiple failed login attempts (brute force)
- Unusual data export volumes
- Access from unexpected locations
- Privilege escalation attempts
- SQL injection patterns in logs
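The first, second, fourth and fifth items in that list, implemented as detection rules over access-log lines. This is an added example, not code from the original page: the log lines are constructed, the paths `/login`, `/admin` and `/api/user/data-export` are taken from this page's own snippets, and the thresholds are assumptions to tune for your traffic. Location-based detection is left out because it needs a GeoIP database.

```python
"""Run breach-detection rules over web-server access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/Nginx combined log format (remote host, ident, authenticated user,
# timestamp, request line, status, response bytes); the referrer and
# user-agent fields that follow are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SQLI_RE = re.compile(
    r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\s*\(|information_schema|--\s*$)", re.I
)

# Constructed sample log: a password-guessing burst, a SQL-injection probe,
# an ordinary user hitting an admin URL, and one account pulling four data
# exports in forty minutes.
SAMPLE_LOG = (
    [f'198.51.100.7 - - [10/Mar/2025:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 401 512'
     for i in range(6)]
    + ['203.0.113.50 - alice [10/Mar/2025:10:01:00 +0000] "GET /account HTTP/1.1" 200 2048',
       '198.51.100.9 - - [10/Mar/2025:10:01:30 +0000] "GET /search?q=%27+OR+1%3D1-- HTTP/1.1" 200 4096',
       '203.0.113.50 - alice [10/Mar/2025:10:02:00 +0000] "GET /admin/users HTTP/1.1" 403 128']
    + [f'203.0.113.77 - bob [10/Mar/2025:10:{10 + 10 * i}:00 +0000] '
       f'"GET /api/user/data-export?format=json HTTP/1.1" 200 90000' for i in range(4)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = unquote_plus(rec["path"])  # decode before pattern matching
    return rec


def detect(lines, login_path="/login", max_failed=5, window_s=60,
           export_path="/api/user/data-export", max_exports=3, export_window_s=3600,
           admin_prefix="/admin"):
    """Return (rule, source_ip, detail) tuples in the order the rules fire."""
    alerts = []
    failed_logins = defaultdict(deque)   # ip -> timestamps of recent failures
    exports = defaultdict(deque)         # ip -> timestamps of recent exports
    already = set()                      # (rule, ip) pairs already reported
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if SQLI_RE.search(path):
            alerts.append(("sqli", ip, path))
        if rec["method"] == "POST" and path.startswith(login_path) and rec["status"] in (401, 403):
            window = failed_logins[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:   # sliding window
                window.popleft()
            if len(window) >= max_failed and ("brute_force", ip) not in already:
                already.add(("brute_force", ip))
                alerts.append(("brute_force", ip, f"{len(window)} failed logins within {window_s}s"))
        if path.startswith(export_path) and rec["status"] == 200:
            window = exports[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > export_window_s:
                window.popleft()
            if len(window) > max_exports and ("bulk_export", ip) not in already:
                already.add(("bulk_export", ip))
                alerts.append(("bulk_export", ip,
                               f"{len(window)} exports by {rec['user']} within {export_window_s}s"))
        if path.startswith(admin_prefix) and rec["status"] == 403 and rec["user"] != "-":
            alerts.append(("privilege_probe", ip, f"{rec['user']} denied on {path}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {ip:15} {detail}")
```

Feed `detect()` with `open("/var/log/nginx/access.log")` (or a tail of it) to run it against real data; the SQL-injection patterns are deliberately narrow so that the rule produces a short list worth reading rather than a flood of false positives.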
Data Subject Access Requests HIGH
Under Articles 15-22, individuals have the right to access, rectify, erase, and port their data. Requests must be answered without undue delay and within one month of receipt (Article 12(3)), extendable by two further months for complex requests. Verify the requester's identity before disclosing anything, or the DSAR process itself becomes a data-leak vector. Your website needs technical capabilities to:
- Right of Access (Art. 15) — export all personal data you hold about an individual
- Right to Rectification (Art. 16) — allow users to correct their data
- Right to Erasure (Art. 17) — delete personal data on request, except what a legal obligation or a legal claim requires you to keep (Art. 17(3))
- Right to Data Portability (Art. 20) — provide data in machine-readable format (JSON/CSV)
# Data export endpoint example (pseudocode)
# Authenticated endpoint: confirm the requester is the data subject (re-authenticate
# or use a fresh verification link) before serving the export
GET /api/user/data-export?format=json
# Response should include ALL personal data:
{
"user": {
"email": "user@example.com",
"name": "John Doe",
"created_at": "2025-01-15",
"ip_addresses": ["203.0.113.50"],
"consent_records": [...],
"activity_log": [...],
"scan_history": [...]
}
}
# Data deletion endpoint (also re-authenticate before acting)
DELETE /api/user/account
# Must delete from: database (and caches, search indexes, message queues),
# backups (within a documented, reasonable time; record the deletion so a restored
# backup can be re-purged), logs (anonymize), third-party services (notify processors)
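The export and deletion endpoints above, carried through against a small relational store as an added example (not code from the original page). The schema, the sample rows and the per-table policy (erase, anonymize, or retain under Article 17(3)) are constructed for illustration; in a real service the same table walk would be followed by the processor notifications and backup handling described above.

```python
"""Data subject access request handling: full export, then erasure with per-table policy."""
import json
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, created_at TEXT);
CREATE TABLE consent_records (id INTEGER PRIMARY KEY, user_id INTEGER, purpose TEXT,
                              given_at TEXT, withdrawn_at TEXT);
CREATE TABLE activity_log (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT,
                           action TEXT, at TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total_cents INTEGER, at TEXT);
"""

# Every table that holds personal data keyed by user_id, with what erasure does
# to it. Both export and erasure walk this single list, so a table added to one
# path cannot be silently forgotten by the other. Table names come from this
# constant, never from the request, which is why they may be formatted into SQL.
PERSONAL_DATA_TABLES = {
    "consent_records": "erase",
    "activity_log": "anonymize",  # keep the event for security statistics, drop the identity
    "orders": "retain",           # kept under a legal (tax-record) obligation, Art. 17(3)(b)
}


def open_store():
    """In-memory database seeded with constructed sample rows for two users."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'Alice Example', '2025-01-15')")
    conn.execute("INSERT INTO users VALUES (2, 'bob@example.com', 'Bob Example', '2025-02-01')")
    conn.executemany("INSERT INTO consent_records VALUES (NULL, ?, ?, ?, NULL)",
                     [(1, "analytics", "2025-01-15T10:00:00Z"), (1, "marketing", "2025-01-20T09:30:00Z")])
    conn.executemany("INSERT INTO activity_log VALUES (NULL, ?, ?, ?, ?)",
                     [(1, "203.0.113.50", "login", "2025-03-01T08:00:00Z"),
                      (1, "203.0.113.50", "export", "2025-03-01T08:05:00Z"),
                      (2, "198.51.100.7", "login", "2025-03-01T09:00:00Z")])
    conn.execute("INSERT INTO orders VALUES (NULL, 1, 4999, '2025-02-10')")
    conn.commit()
    return conn


def export_user_data(conn, user_id):
    """Article 15/20: everything held about one user, as plain dicts ready for JSON."""
    user = conn.execute("SELECT id, email, name, created_at FROM users WHERE id = ?",
                        (user_id,)).fetchone()
    if user is None:
        raise KeyError(f"no user {user_id}")
    data = {"user": dict(user)}
    for table in PERSONAL_DATA_TABLES:
        rows = conn.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user_id,)).fetchall()
        data[table] = [dict(r) for r in rows]
    return data


def anonymize_ip(ip):
    """Zero the host part of an IPv4 address: coarse enough not to identify a person."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "0.0.0.0"


def erase_user(conn, user_id, processors=("analytics-vendor", "email-provider")):
    """Article 17: apply the per-table policy, then remove the account row.

    Returns a report of what was deleted, anonymized and retained, plus the
    processors that still have to be told (names here are assumed placeholders)."""
    conn.create_function("anonymize_ip", 1, anonymize_ip)
    report = {"deleted": {}, "anonymized": {}, "retained": {}, "notify_processors": list(processors)}
    with conn:  # one transaction: either the whole erasure lands or none of it
        for table, action in PERSONAL_DATA_TABLES.items():
            if action == "erase":
                cur = conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
                report["deleted"][table] = cur.rowcount
            elif action == "anonymize":
                cur = conn.execute(f"UPDATE {table} SET user_id = NULL, ip = anonymize_ip(ip) "
                                   f"WHERE user_id = ?", (user_id,))
                report["anonymized"][table] = cur.rowcount
            else:
                cur = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE user_id = ?", (user_id,))
                report["retained"][table] = cur.fetchone()[0]
        cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        report["deleted"]["users"] = cur.rowcount
    return report


if __name__ == "__main__":
    conn = open_store()
    print(json.dumps(export_user_data(conn, 1), indent=2))
    print(erase_user(conn, 1))
```

The retained orders lose their link to a name or e-mail once the `users` row is gone; keep a note of the erasure date so that the orders themselves are purged when the retention obligation ends.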
Third-Party Data Sharing
- Audit all third-party scripts — Google Analytics, Facebook Pixel, chat widgets, CDNs
- Data Processing Agreements (DPAs) — required with every processor (Article 28)
- Transfer Impact Assessments — required for transfers outside the EU/EEA that rely on Standard Contractual Clauses (not needed for destinations covered by an adequacy decision)
- Subprocessor management — maintain a list of all subprocessors and notify users of changes
Technical Compliance Checklist
- ☐ HTTPS enforced on all pages with HSTS header
- ☐ TLS 1.2+ with strong cipher suites
- ☐ Security headers configured (CSP, Referrer-Policy, Permissions-Policy)
- ☐ Cookie consent banner with granular controls
- ☐ No non-essential cookies before consent
- ☐ Secure session management (HttpOnly, Secure, SameSite cookies)
- ☐ 2FA available for user accounts
- ☐ Data export functionality (JSON/CSV)
- ☐ Account deletion functionality
- ☐ Breach detection logging and monitoring
- ☐ Data Processing Agreements with all processors
- ☐ Privacy policy with required GDPR disclosures
- ☐ Regular security scanning and testing
Frequently Asked Questions
What technical controls does GDPR require for websites?
Article 32 requires measures appropriate to the risk; for a website that means encryption in transit (HTTPS/TLS), access controls, breach detection and logging, and regular security testing. Cookie consent (the ePrivacy Directive together with GDPR's consent standard) and data subject request handling (Articles 15-22) are separate obligations that also need technical implementation.
Is HTTPS required for GDPR compliance?
While HTTPS is not named explicitly, Article 32 requires encryption as an appropriate technical measure, and supervisory authorities have treated transmitting personal data in clear text as a failure of that article. Treat HTTPS as the baseline for any page that processes personal data.
What is the GDPR breach notification requirement?
You must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the risk is high, you must also notify affected individuals without undue delay (Article 34).
How do I check if my website is GDPR compliant?
Run a free compliance scan with AI QA Monkey to check encryption, security headers, cookie compliance, and other technical controls mapped to GDPR requirements.