Most US businesses bolt a cookie banner onto their site and call it done. Then a European customer files a complaint, a regulator opens a case, and the company learns that GDPR compliance services for websites are not primarily about banners — they're about the data itself. The banner is the last two percent of the work. The first ninety-eight percent is knowing what personal data the site collects, why, from whom, where it flows, and on what lawful basis.

The fines prove the gap. Since 2018, over €5 billion has been issued in GDPR penalties, and the largest fines — Meta's €1.2B, Amazon's €746M, TikTok's €345M — were never about cookie banners. They were about data transfers, lawful basis, and transparency. A site that nails the banner and misses those three will still be fined.

The First Step Is a Data Map, Not a Banner

A data map is a single document that lists every category of personal data the site collects, every system it touches, every third party it flows to, the retention period, and the lawful basis under which each processing activity happens. On most small and mid-size sites, nobody has ever built one.

Building it is usually a surprise. A typical marketing site turns out to process data through 15–40 third-party services — analytics, ad pixels, email platforms, CRMs, chat widgets, heatmap tools, session recorders, support systems. Each is a separate processing relationship under GDPR. Each needs a lawful basis, a data processing agreement, and a transparent disclosure in the privacy notice.

Without the map, consent strings on the banner are guesses. With the map, consent choices and privacy language line up with what actually happens. Regulators look at the map first when an investigation opens. If there isn't one, that absence is itself evidence of non-compliance with Article 30 record-keeping obligations.

The Six Lawful Bases and Why Consent Is the Worst One

GDPR permits processing personal data only under one of six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most companies default to consent for everything. That's the weakest option — consent can be withdrawn, must be freely given, and the burden of proof is on the business.

Better choices for most processing: a sale or service agreement is generally "contract" basis. Retaining invoices for tax purposes is "legal obligation." Security logging and fraud prevention often qualify as "legitimate interests" after a balancing test. Marketing to existing customers in some jurisdictions falls under the soft opt-in extension of legitimate interests.

A good compliance review re-maps lawful bases so that consent is reserved for the narrow case where it genuinely applies — typically cookies and direct marketing to new prospects. Everything else sits on a stronger, less withdrawal-prone basis. The side effect is that user experience improves because fewer interactions require a consent prompt.

Schrems II and the Transfer Trap

The Court of Justice of the European Union's Schrems II ruling in 2020 invalidated the US-EU Privacy Shield and placed strict conditions on any transfer of personal data to the US. The new EU-US Data Privacy Framework took effect in July 2023, but only for companies actively certified under it. Uncertified transfers still require Standard Contractual Clauses plus a Transfer Impact Assessment.

Practically, this means that sending EU visitor data to US-based tools without documentation is a live exposure. Google Analytics, US-hosted CRMs, US email platforms — each transfer needs a legal mechanism on file. Austria, France, Italy, and Denmark have all issued rulings that uncertified Google Analytics configurations were unlawful before the 2023 framework. Companies that assumed the problem went away are still on the hook for the transfers that happened in the 2020–2023 gap.

The Documentation Trap

If a regulator asks tomorrow to see your Records of Processing Activities, your Data Processing Agreements with every vendor, and your Transfer Impact Assessments, could you produce them within 30 days? If the answer is no, the compliance problem isn't a banner problem — it's a documentation problem. The banner is the tip above the water.

The Data Processing Agreement Nobody Signs

Every time a website sends personal data to a third-party tool — email platform, analytics provider, form builder, CRM, chat widget — GDPR Article 28 requires a written Data Processing Agreement between the controller (the site owner) and the processor (the tool). Most SaaS vendors publish a DPA template. Most site owners never download it, counter-sign it, and store it.

The DPA is not a formality. It allocates liability, defines breach notification timelines, names sub-processors, and governs deletion on contract termination. A regulator who opens a case will ask for the DPA with every vendor handling EU personal data. Missing DPAs count as Article 28 violations on their own.

A good compliance review inventories every vendor, pulls the available DPA, signs it, and stores signed copies in a single accessible location. This is unglamorous work. It's also the work that turns a full-day audit into a defensible file.
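The data map, DPA inventory and transfer checks described above can be kept as one machine-checkable record. The following is an added example, not the article's or Revenue Group's own tooling; the field names, vendor names and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}
# Mechanisms that make a transfer outside the EU/EEA lawful after Schrems II.
TRANSFER_MECHANISMS = {"dpf-certified", "scc+tia"}
# Purposes where the article says consent is genuinely the right basis.
CONSENT_PURPOSES = {"non-essential cookies", "direct marketing to prospects"}

@dataclass
class Processor:
    name: str
    purpose: str
    lawful_basis: str
    retention_days: int
    region: str                    # where the vendor processes the data
    dpa_signed: bool = False       # Art. 28 agreement counter-signed and stored
    transfer_mechanism: str = ""   # required when region is outside the EU/EEA

def audit(processors: List[Processor]) -> List[Tuple[str, str]]:
    """Return (vendor, finding) pairs for every gap a regulator would ask about."""
    findings = []
    for p in processors:
        if p.lawful_basis not in LAWFUL_BASES:
            findings.append((p.name, "no lawful basis recorded (Art. 30 record incomplete)"))
        elif p.lawful_basis == "consent" and p.purpose not in CONSENT_PURPOSES:
            findings.append((p.name, "consent used where a stronger basis may apply"))
        if not p.dpa_signed:
            findings.append((p.name, "no signed DPA on file (Art. 28)"))
        if p.region not in ("EU", "EEA") and p.transfer_mechanism not in TRANSFER_MECHANISMS:
            findings.append((p.name, "third-country transfer without DPF certification or SCC+TIA"))
        if p.retention_days <= 0:
            findings.append((p.name, "no retention period defined"))
    return findings

# Constructed sample inventory for a small marketing site (hypothetical vendors).
SAMPLE_MAP = [
    Processor("analytics-tool", "non-essential cookies", "consent", 400, "US"),
    Processor("invoice-archive", "invoice retention", "legal obligation", 3650, "EU", dpa_signed=True),
    Processor("crm", "customer contracts", "contract", 1825, "US", dpa_signed=True,
              transfer_mechanism="dpf-certified"),
    Processor("email-platform", "newsletter to existing customers", "consent", 730, "EU", dpa_signed=True),
    Processor("chat-widget", "support chat", "", 0, "US", dpa_signed=True),
]

if __name__ == "__main__":
    for vendor, issue in audit(SAMPLE_MAP):
        print(f"{vendor}: {issue}")
```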

The 72-Hour Breach Clock Nobody Practices

Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Most companies have never rehearsed that timeline. When a breach happens at 2am on a Saturday — and most do — the clock is already running while the team is still figuring out whether there's an incident.

A breach response plan should name, in writing: who triggers the internal declaration, who contacts the supervisory authority, what draft notification template to use, what evidence to preserve, and what external counsel to call. Ship the plan as a one-page runbook stored somewhere non-technical leadership can find it on their phone. Teams without that document miss the 72-hour window more often than not, and a missed notification is itself a fineable offense.

Data Subject Rights in Practice

GDPR grants users eight rights: access, rectification, erasure, restriction, portability, objection, and rights around automated decision-making and consent withdrawal. The site must respond to most requests within one month. For small companies, volume is low — usually 0–5 requests per quarter. For mid-size B2C companies, it climbs fast.

The failure point is almost never refusal. It's mechanics. A user emails "delete my account" and the request gets routed to a support queue where nobody knows it triggers an erasure obligation. Thirty-one days later it's a complaint to the supervisory authority. The fix is a named DSR process: a single intake channel, a ticket template, an SLA, and a checklist that tracks every system the user's data lives in so deletion is complete, not partial.

What to Ask Before Hiring a Privacy Compliance Partner

The privacy consulting market has as many pretenders as the accessibility market. Four questions sort them.

Regulators do not ask whether your website looks compliant. They ask whether you can prove, on paper, that each processing activity had a lawful basis, a documented vendor relationship, and a disclosed purpose. Proof is the product.

Where Real GDPR Compliance Services for Websites Earn Their Fee

Serious GDPR compliance services for websites start with the data, not the banner. The first deliverable is a Record of Processing Activities and a data map; the second is a lawful-basis re-mapping so consent is reserved for where it belongs; the third is a vendor DPA inventory and Transfer Impact Assessments; the fourth is a breach runbook and a DSR process that actually gets used. Revenue Group works in that order because regulators do too. A site that nails those four will never be bulletproof — nothing is — but it will stop looking like the easy target regulators have been fining for the last five years.

Start With the Data, Not the Banner

Free privacy gap assessment. We inventory your vendors, flag missing DPAs, and show you where your lawful basis map is actually exposed.
