Making your website GDPR-compliant – the key steps for SMBs
Cookie banner, privacy policy, fonts, forms: a practical checklist to put your website on a legally sound footing.
Warning letters over data-protection violations have long since stopped being a problem only for large firms. The good news: most of the common problems are technical in nature, and therefore fixable. This checklist covers the points that, in my experience, are most often missing on SMB websites.
Note: This article is not legal advice. It explains the technical implementation of the most common requirements.
1. Host fonts locally
If Google Fonts are embedded from Google's servers (the stylesheet from fonts.googleapis.com, the font files from fonts.gstatic.com), every visitor's IP address is transmitted to Google before the page has even finished loading. The Munich Regional Court treated this as a GDPR violation (judgment of 20 Jan 2022, case 3 O 17493/20) and awarded €100 in damages. Even though the later mass warning letters on this topic were classified as abusive (Munich Regional Court, 30 Mar 2023, case 4 O 13063/22), the data-protection core remains, and the fix is simple: download the font files, serve them from your own server and reference them in your CSS with @font-face. Afterwards, check the browser's network tab for any remaining request to fonts.googleapis.com or fonts.gstatic.com: themes and plugins often re-add the Google embed behind your back.
This website demonstrates exactly that: the font used is served locally from the server, with no connection to Google.
2. Review external services
Every embedded third-party provider (maps, videos, analytics, chat widgets, form services) potentially transfers personal data, at the very least the visitor's IP address, the moment its resource is requested. Rule of thumb:
- Does the service load before the visitor has consented? → it needs consent, and must be gated behind it
- Is data sent to servers outside the EU/EEA? → check the transfer basis carefully
- Do you really need the service? → often the best solution is to leave it out
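A first inventory can be automated: the script below, an added example that is not part of the original article, scans a page's HTML (plus inline CSS) for every `src`, `href`, `url(...)` and `@import` reference, resolves it against your own origin and reports every host that is not yours. It covers both sections 1 and 2: a hit on fonts.googleapis.com or fonts.gstatic.com means the Google Fonts embed is still there. The sample HTML, the own origin `https://example.com` and the annotated host list are constructed for this example; extend `KNOWN` with the providers you actually use.

```javascript
// Added example: inventory of third-party origins referenced by a page.
// Runs under Node; SAMPLE_HTML and the host notes are constructed here.

const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<link rel="stylesheet" href="/assets/site.css">
<style>@font-face{font-family:"Body";src:url(/fonts/body.woff2) format("woff2")}</style>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/js/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<img src="//cdn.example-images.net/hero.jpg">
</body></html>`;

// Illustrative annotations (assumption: adjust to your own provider list).
const KNOWN = {
  'fonts.googleapis.com': 'Google Fonts (CSS): host the font files locally instead',
  'fonts.gstatic.com': 'Google Fonts (font files): host the font files locally instead',
  'www.googletagmanager.com': 'Google Tag Manager / Analytics: consent required',
  'www.google-analytics.com': 'Google Analytics: consent required',
  'www.youtube.com': 'YouTube embed: consent required',
};

// Pull every URL-like value out of src/href attributes, CSS url() and @import.
function extractUrls(html) {
  const urls = [];
  const patterns = [
    /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi,   // HTML attributes (also data-src)
    /url\(\s*["']?([^"')]+)["']?\s*\)/gi,         // CSS url(...)
    /@import\s+["']([^"']+)["']/gi,               // CSS @import "..."
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) urls.push(m[1]);
  }
  return urls;
}

// Resolve each reference against the own origin and group the foreign ones by host.
// Only the exact own host counts as first party; widen this if you use subdomains.
function thirdPartyOrigins(html, ownOrigin) {
  const own = new URL(ownOrigin);
  const found = new Map(); // host -> Set of absolute URLs
  for (const raw of extractUrls(html)) {
    let u;
    try { u = new URL(raw, own); } catch { continue; } // skip malformed values
    if (!/^https?:$/.test(u.protocol)) continue;        // mailto:, data:, tel: ...
    if (u.host === own.host) continue;
    if (!found.has(u.host)) found.set(u.host, new Set());
    found.get(u.host).add(u.href);
  }
  return [...found.keys()].sort().map((host) => ({
    host,
    urls: [...found.get(host)],
    note: KNOWN[host] || 'unknown third party: check purpose, server location and legal basis',
  }));
}

function formatReport(entries) {
  if (entries.length === 0) return 'No third-party origins found.';
  return entries
    .map((e) => `${e.host}\n  ${e.note}\n  ${e.urls.join('\n  ')}`)
    .join('\n');
}

console.log(formatReport(thirdPartyOrigins(SAMPLE_HTML, 'https://example.com')));
```

Run it against the saved HTML of each page template (and, separately, against your compiled CSS), since a static scan cannot see what scripts inject at runtime; the browser's network tab remains the final check for those.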
3. Cookie banner – correct, not just present
The relevant law is § 25 TDDDG (the Telecommunications Digital Services Data Protection Act, successor to the TTDSG since 14 May 2024). Storing information on, or reading information from, the visitor's device requires consent, except where it is strictly necessary to provide the service the visitor asked for. This covers not only cookies but also localStorage, pixels and fingerprinting scripts, and it applies regardless of whether the data is personal. In practice this means:
- "Reject" must be equally prominent and on the first level – as easy as "Accept".
- No pre-ticked boxes for tracking/third-party cookies.
- Non-essential scripts load only after consent.
Violations can be fined up to €300,000 under § 28 TDDDG.
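The technical core of the third point is that non-essential scripts must not exist as live `<script src=...>` tags at all; they ship as inert placeholders and are only activated after a positive decision. The code below is an added example of that pattern, not code from the original article or from any consent-management product. The category names, the `consent` storage key and the placeholder attributes `data-consent` / `data-src` are assumptions for this example.

```javascript
// Added example: consent-gated loading of non-essential scripts.
// Page markup assumed for this example (inert until activated):
//   <script type="text/plain" data-consent="analytics" data-src="/js/stats.js"></script>

const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed categories

// Default state before any decision, and what a "Reject" click stores:
// only technically necessary functions, nothing pre-ticked.
function rejectAll() {
  return { necessary: true, analytics: false, marketing: false };
}

function acceptAll() {
  return { necessary: true, analytics: true, marketing: true };
}

// Read a stored decision. Anything missing, malformed or not an explicit
// `true` per category falls back to "rejected"; "necessary" is always on.
function readConsent(storage) {
  try {
    const raw = storage.getItem('consent');
    if (!raw) return rejectAll();
    const stored = JSON.parse(raw);
    const consent = rejectAll();
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && stored[c] === true) consent[c] = true;
    }
    return consent;
  } catch (e) {
    return rejectAll();
  }
}

// Persist the decision together with a timestamp (useful as proof of consent).
function saveConsent(storage, consent) {
  storage.setItem('consent', JSON.stringify({ ...consent, decidedAt: new Date().toISOString() }));
}

// Pure decision: which registered scripts may run under this consent state.
// scripts: [{ src, category, ... }]
function allowedScripts(scripts, consent) {
  return scripts.filter((s) => consent[s.category] === true);
}

// Browser side: turn the permitted placeholders into real script tags.
// Returns the number of scripts activated. Call it after the banner
// decision and again on every page load with the stored consent.
function activatePlaceholders(doc, consent) {
  const placeholders = [...doc.querySelectorAll('script[type="text/plain"][data-consent]')];
  const toActivate = allowedScripts(
    placeholders.map((el) => ({ el, src: el.dataset.src, category: el.dataset.consent })),
    consent
  );
  for (const { el, src } of toActivate) {
    const real = doc.createElement('script');
    if (src) real.src = src; else real.textContent = el.textContent; // inline placeholder
    el.replaceWith(real);
  }
  return toActivate.length;
}

// Wiring in the page (assumed): both buttons are one click, both on the first layer.
//   acceptButton.onclick = () => { saveConsent(localStorage, acceptAll()); activatePlaceholders(document, acceptAll()); };
//   rejectButton.onclick = () => { saveConsent(localStorage, rejectAll()); };
//   activatePlaceholders(document, readConsent(localStorage));
```

Two details matter for the legal points above: the default returned before any click is `rejectAll()`, so nothing is pre-ticked, and a stored value is only honoured if it is literally `true`, so a tampered or half-migrated entry cannot silently widen consent. Also note that `readConsent` itself reads `localStorage`; reading the stored decision is permitted as strictly necessary, but storing anything else before the decision is not.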
4. Privacy policy & legal notice
Complete, current, easy to find (at most two clicks). The content must reflect the technology actually in use – blindly copying templates is risky, because they often describe services you don't use (or conversely omit ones you do).
5. Secure contact forms
TLS encryption, purpose limitation, clear consent, minimal data collection: ask only for what you need to answer the enquiry, and discard anything else the browser sends along. Ideally the form is processed without third parties. On this website, for example, form delivery runs entirely through my own web server and mail server, with no external form service and no third-country transfer.
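The server-side half of "encrypted, minimal, with consent" is a small validation step in front of the mail hand-off. The following is an added example, not the form handler of this website or of any framework: it refuses submissions that did not arrive over TLS, requires the consent checkbox to be set, and copies only an allowlist of fields into what gets mailed, so hidden inputs, tracking parameters or anything injected by the client never reach the mailbox. The field names, length limits, the `x-forwarded-proto` check and the `meta.secure` flag are assumptions for this example.

```javascript
// Added example: server-side validation of a contact form (data minimisation,
// explicit consent, TLS-only). Field names and limits are assumed.

const FIELD_LIMITS = { name: 100, email: 254, message: 4000 }; // assumed allowlist

// Returns { ok: true, data } containing only the allowlisted fields,
// or { ok: false, error } with a short reason for a 400 response.
function validateSubmission(body, meta) {
  // meta.secure: true when the request arrived over TLS (see isSecureRequest).
  if (!meta.secure) return { ok: false, error: 'refused: submission must use HTTPS' };

  // Explicit consent checkbox: HTML sends "on" for a ticked box, JSON clients may send true.
  if (body.consent !== 'on' && body.consent !== true) return { ok: false, error: 'missing consent' };

  const data = {};
  for (const [field, max] of Object.entries(FIELD_LIMITS)) {
    const v = typeof body[field] === 'string' ? body[field].trim() : '';
    if (!v) return { ok: false, error: `missing ${field}` };
    if (v.length > max) return { ok: false, error: `${field} too long` };
    data[field] = v;
  }
  // Coarse syntax check only; deliverability is the mail server's job.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(data.email)) return { ok: false, error: 'invalid email' };

  // Everything else the client sent (utm_*, hidden fields, extra keys) is dropped here.
  return { ok: true, data };
}

// TLS detection for a Node http request object: either the socket itself is
// TLS, or a reverse proxy you control terminated TLS and set X-Forwarded-Proto.
// Only trust the header when your own proxy sets it and strips client copies.
function isSecureRequest(req) {
  if (req.socket && req.socket.encrypted) return true;
  const proto = String((req.headers && req.headers['x-forwarded-proto']) || '').split(',')[0].trim();
  return proto === 'https';
}

// Hand-off point: pass `data` to the local mail server (e.g. sendmail or an
// SMTP client on localhost). Deliberately not logged: the message body is
// personal data and has no place in the web server's access log.
function handleSubmission(body, req, deliver) {
  const result = validateSubmission(body, { secure: isSecureRequest(req) });
  if (!result.ok) return { status: 400, body: result.error };
  deliver(result.data);
  return { status: 303, location: '/thanks' };
}
```

Parse the request body with `URLSearchParams` for a classic form post, cap its size before parsing, and keep the handler and the mail server on the same host so the data never leaves your infrastructure.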
Quick checklist
- Fonts hosted locally (no Google CDN)
- External services inventoried & minimised
- Consent banner: "Reject" as easy as "Accept", non-essential scripts load only after consent
- Privacy policy reflects the real technology
- Forms encrypted, minimal, ideally without third parties
Conclusion
Most GDPR risks on SMB websites are technical and, with a clear plan, can be fixed in a day. What matters is doing it deliberately rather than hoping nobody looks.
Want to know where your website stands? I'll look at it concretely in a free initial consultation.