GDPR Requires a Secure Website: 12-Point Security Checklist

Steven | TrustYourWebsite · 6 April 2026 · Last updated: April 2026

Most website owners think of GDPR compliance as cookie banners and privacy policies. But Article 32 of the GDPR adds a security obligation: you must implement technical and organisational measures appropriate to the risk when processing personal data.

When a data breach occurs because basic security measures were absent, the AP (Autoriteit Persoonsgegevens) can fine you for the security failure, not just the breach. Transavia was fined €400,000 for inadequate security after a cyberattack. The measure of "appropriate" is proportional to the risk and scale of processing, but certain baseline measures are expected of almost every website. Run a free security scan to see which of these 12 checks your site already passes.

The 12 Security Checks

Check 1: HTTPS and valid TLS certificate

Every website that processes personal data must run HTTPS. Plain HTTP transmits data unencrypted, so login credentials, form submissions and session cookies are exposed to anyone monitoring the network.

What to check:

  • Your website URL begins with https://
  • The TLS certificate is valid (not expired)
  • No mixed content warnings (some resources still loading over HTTP)
  • TLS 1.3 or 1.2 is used (1.0 and 1.1 are deprecated)

How to check: Open your website in Chrome → click the padlock icon → "Connection is secure" → "Certificate is valid." That confirms the certificate only; the negotiated TLS version is shown in DevTools under the Security panel, and mixed content shows up as warnings in the DevTools Console.

Fix: Most hosting providers include free TLS certificates via Let's Encrypt. If yours doesn't, switch to a provider that does.
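The three items above can be checked from a script rather than by clicking through the browser. The following is an added example for this checklist, not code from the article; it uses only the Python standard library. SAMPLE_CERT, SAMPLE_NOW and SAMPLE_HTML are constructed inputs so the evaluation runs offline; audit_host() is the function to point at your own domain.

```python
"""Check 1: certificate expiry, negotiated TLS version and mixed content."""
import re
import socket
import ssl
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
}
# Fixed "now" so the sample evaluation is reproducible (11 days before expiry).
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 30 00:00:00 2026 GMT")

# Constructed page: one https stylesheet, two http resources, one plain link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<img src='http://static.example.com/logo.png'>
<a href="http://partner.example.net/">partner</a>
</body></html>"""


def evaluate_tls(cert, version, now=None, warn_days=14):
    """Findings for a peer certificate dict and a version string such as 'TLSv1.3'."""
    now = time.time() if now is None else now
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate expired %.0f days ago" % -days_left)
    elif days_left < warn_days:
        findings.append("certificate expires in %.0f days" % days_left)
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only 1.2 and 1.3 pass.
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append("deprecated protocol negotiated: %s" % version)
    return findings


# Only elements that load a resource count as mixed content; an <a href>
# pointing at an http:// page is a navigation, not a mixed-content load.
LOADING_TAG_RE = re.compile(
    r"<(?:script|img|iframe|link|source|video|audio|object|embed)\b[^>]*>", re.I)
HTTP_URL_RE = re.compile(r"\b(?:src|href|data)\s*=\s*[\"']?(http://[^\"'\s>]+)", re.I)


def find_mixed_content(html):
    """Return the http:// resource URLs a browser would block or warn about."""
    found = set()
    for tag in LOADING_TAG_RE.finditer(html):
        found.update(HTTP_URL_RE.findall(tag.group(0)))
    return sorted(found)


def audit_host(host, port=443, timeout=5):
    """Real network check. create_default_context() verifies chain and hostname,
    so an expired or untrusted certificate fails the handshake itself; that
    failure is reported as a finding instead of being swallowed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate_tls(tls.getpeercert(), tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ["certificate rejected: %s" % exc.verify_message]


if __name__ == "__main__":
    print(evaluate_tls(SAMPLE_CERT, "TLSv1.3", now=SAMPLE_NOW))
    print(find_mixed_content(SAMPLE_HTML))
```

Run `audit_host("yourdomain.com")` for the live check; pair it with `find_mixed_content()` over the HTML of your home page and a few deep pages, since mixed content usually hides in old posts and theme files rather than on the front page.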

Check 2: CMS and plugin updates

Outdated software is the most common entry point for website attacks. WordPress, Joomla, Drupal and their plugins release security patches regularly. Running a version with a publicly known vulnerability is exactly the kind of missing baseline measure the AP treats as an Article 32 failure.

What to check:

  • WordPress core is on the latest version
  • All plugins are updated
  • All themes are updated (including inactive themes)
  • No plugins installed that are no longer maintained

How to check: Log into your WordPress admin → Dashboard → Updates.

Fix: Enable automatic minor updates. For major updates, test in a staging environment first. Delete, do not merely deactivate, plugins you no longer use: a deactivated plugin's files stay on the server, and a vulnerability in them can still be reachable.

Of 499 Dutch restaurant websites scanned, 54.9% ran WordPress and 4.4% had outdated major versions with known security vulnerabilities.

Check 3: Strong passwords and access controls

Weak admin passwords are responsible for a significant proportion of website breaches. The GDPR's requirement for appropriate security measures includes access controls.

What to check:

  • Admin accounts use passwords of at least 16 characters, mixing letters, numbers and symbols, and not reused from any other service
  • No default passwords (admin/admin, admin/password)
  • Multi-factor authentication (MFA) is enabled for admin accounts where available
  • Admin usernames are not "admin" (a common target for brute-force attacks; note that WordPress reveals real usernames through author pages and the REST API, so this is a small hurdle compared with MFA and login rate limiting)
  • Former employee accounts are removed

Fix: Use a password manager (Bitwarden, 1Password) to generate and store strong passwords. Enable MFA for your CMS admin panel and hosting control panel.

Check 4: Database security

Databases storing customer data, order histories or personal information are high-value targets.

What to check:

  • Database is not accessible directly from the internet
  • Database credentials are not stored in publicly accessible config files
  • Database user has minimum necessary permissions (not root/admin)
  • Database backup exists and is tested regularly

How to check: If you host with a managed provider, they typically handle database network exposure. For self-managed servers, verify that port 3306 (MySQL) or 5432 (PostgreSQL) is not open to the public internet. On the server itself, `ss -ltn` shows what each listener is bound to: 127.0.0.1 is fine, 0.0.0.0 without a firewall rule in front of it is not.
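A quick way to test the exposure from the outside, added here as an example and not taken from the article: connect to the database ports from a machine outside the hosting network (your laptop, not the server) and distinguish "open" from "closed" and "filtered". The helper open_local_listener() is only there so the check can be tried offline on loopback.

```python
"""Check 4: is the database port reachable from where you are running this?"""
import socket

DB_PORTS = {3306: "MySQL/MariaDB", 5432: "PostgreSQL"}


def port_state(host, port, timeout=3.0):
    """'open'     : TCP handshake completed, the listener is reachable
       'closed'   : the host answered with RST, nothing listens there
       'filtered' : no answer in time, a firewall is dropping the packets"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:       # must come before the generic OSError
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan_db_ports(host, ports=DB_PORTS, timeout=3.0):
    """Map each database port to its state, e.g. {3306: 'filtered', 5432: 'closed'}."""
    return {port: port_state(host, port, timeout) for port in ports}


def exposed_db_ports(host, ports=DB_PORTS, timeout=3.0):
    """Ports that need action. 'open' means the database answers to the network
    you ran this from, even if it will still ask for a password."""
    return [p for p, state in scan_db_ports(host, ports, timeout).items() if state == "open"]


def open_local_listener():
    """Test helper: bind a listener on a free loopback port and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan_db_ports(host).items():
        print("%s:%d (%s): %s" % (host, port, DB_PORTS[port], state))
```

"filtered" is the expected result for a properly firewalled server; "closed" means nothing listens on that address, which is also fine. Only "open" from an outside network is a finding.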

Check 5: Limit admin access

Every person with admin access to your CMS or hosting panel is a potential entry point.

What to check:

  • Admin access is limited to people who need it
  • Different access levels are used (editor vs. admin) where the CMS supports it
  • Admin panel has IP allowlisting or additional authentication where possible

Check 6: Security headers

HTTP security headers tell browsers how to behave when loading your website. They mitigate a range of common client-side attacks. The AP's enforcement of Article 32 does not specify exact headers, but security auditors and the Dutch government's NCSC (Nationaal Cyber Security Centrum) recommend them.

Key headers to implement:

Header                           | Protection                      | Priority
Strict-Transport-Security (HSTS) | Forces HTTPS connections        | High
Content-Security-Policy (CSP)    | Mitigates XSS and injected content | High
X-Frame-Options                  | Prevents clickjacking           | Medium
X-Content-Type-Options           | Prevents MIME sniffing          | Medium
Referrer-Policy                  | Controls referrer information   | Low
Permissions-Policy               | Controls browser features       | Low

Of 499 Dutch restaurant websites scanned: 30.9% had HSTS, 10.6% had a CSP and 21% had X-Frame-Options.

How to add headers: In Apache, add Header always set directives to .htaccess (this requires mod_headers to be enabled). In Nginx, add add_header directives to the server block. Many CDNs and hosting providers allow header configuration through their control panel. Roll out CSP as Content-Security-Policy-Report-Only first: a strict policy breaks inline scripts and third-party embeds on most CMS sites until it has been tuned.

Check your headers: Visit securityheaders.com and enter your URL.
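For the same check from a script, here is an added example (not from the article, and not the scoring securityheaders.com uses) that grades the six headers in the table and also catches the two common ways a header is present but useless: an HSTS max-age that is far too short, and a CSP that allows 'unsafe-inline' scripts. The WEAK_HEADERS and STRONG_HEADERS dicts are constructed samples; fetch_headers() does a real request.

```python
"""Check 6: grade a response's security headers."""
import re
import urllib.request

# Constructed samples: a default install, and a hardened configuration.
WEAK_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Server": "nginx"}
STRONG_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
ONE_YEAR = 31536000  # the minimum max-age the HSTS preload list requires


def evaluate_headers(headers):
    """Return {header: (priority, verdict, detail)}; verdict is ok, weak or missing."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    r = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        r["Strict-Transport-Security"] = ("High", "missing", "")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        r["Strict-Transport-Security"] = ("High", "ok" if age >= ONE_YEAR else "weak", "max-age=%d" % age)

    csp = h.get("content-security-policy")
    if csp is None:
        r["Content-Security-Policy"] = ("High", "missing", "")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        # Without a nonce or hash, 'unsafe-inline' lets injected <script> run anyway.
        r["Content-Security-Policy"] = ("High", "weak", "'unsafe-inline' without nonces or hashes")
    else:
        r["Content-Security-Policy"] = ("High", "ok", csp)

    # X-Frame-Options is superseded by CSP frame-ancestors; either one passes.
    xfo = (h.get("x-frame-options") or "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        r["X-Frame-Options"] = ("Medium", "ok", xfo)
    elif csp and "frame-ancestors" in csp:
        r["X-Frame-Options"] = ("Medium", "ok", "covered by CSP frame-ancestors")
    else:
        r["X-Frame-Options"] = ("Medium", "missing", "")

    xcto = h.get("x-content-type-options", "")
    r["X-Content-Type-Options"] = ("Medium", "ok" if xcto.lower() == "nosniff" else "missing", xcto)

    for name in ("Referrer-Policy", "Permissions-Policy"):
        val = h.get(name.lower())
        r[name] = ("Low", "ok" if val else "missing", val or "")
    return r


def passed(results):
    """Number of the six headers that are in place and not weakened."""
    return sum(1 for _, verdict, _ in results.values() if verdict == "ok")


def fetch_headers(url):
    """Real request. Some servers answer HEAD differently from GET; switch the
    method to GET if the result looks unlike what the browser shows."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, (prio, verdict, detail) in evaluate_headers(WEAK_HEADERS).items():
        print("%-26s %-6s %-8s %s" % (name, prio, verdict, detail))
```

Use `evaluate_headers(fetch_headers("https://yourdomain.com/"))` for the live result. The CSP test is deliberately blunt (it flags 'unsafe-inline' in style-src as well as script-src); treat "weak" as a prompt to read the policy, not as an automatic fail.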

Check 7: Backups

Without working backups, a ransomware attack or accidental deletion becomes a catastrophic data loss that may need to be reported as a breach.

What to check:

  • Daily automated backups exist for both files and database
  • Backups are stored off-site (not only on the same server)
  • You have tested restoring from backup in the last 3 months
  • Backups are retained for at least 30 days

Fix: Most managed hosting providers include automated backups. Verify the backup schedule and test a restore. For WordPress, plugins like UpdraftPlus or WP Time Capsule can automate off-site backups to cloud storage.

Check 8: Secure contact forms and input validation

Forms on your website accept data from the public, including from malicious actors attempting SQL injection, XSS attacks or spam.

What to check:

  • Contact forms use CSRF protection (cross-site request forgery), so a request forged from another site cannot submit on a logged-in user's behalf
  • Input is validated on the server (not only in browser JavaScript), database writes use parameterised queries, and values are escaped when rendered back into a page
  • File upload fields (if present) check the file's content, not just its extension, and store uploads outside the web root under a generated name
  • reCAPTCHA or similar spam protection is in place

Note: If you use Google reCAPTCHA, this itself sends data to Google. Consider hCaptcha or Turnstile (Cloudflare) as privacy-friendlier alternatives.
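The two server-side pieces a form handler needs, as an added example that is not the article's code and not tied to any framework: a CSRF token stored in the server-side session and compared in constant time, and an upload check that trusts neither the filename nor the client-sent Content-Type but the file's own leading bytes. The session dict, the form fields and the sample uploads are constructed.

```python
"""Check 8: CSRF token and upload validation for a contact form."""
import hmac
import os
import secrets


def issue_csrf_token(session):
    """Generate a token, remember it in the server-side session and return it
    for embedding as <input type="hidden" name="csrf_token" value="...">."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """True only if the form echoed back the token issued to this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time compare so a token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())


# Leading bytes that identify the only types a contact form should accept,
# the canonical extension to store them under, and the extensions a client
# may legitimately use for them.
SIGNATURES = [
    (b"%PDF-", ".pdf", (".pdf",)),
    (b"\x89PNG\r\n\x1a\n", ".png", (".png",)),
    (b"\xff\xd8\xff", ".jpg", (".jpg", ".jpeg")),
]
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data):
    """Return (accepted, detail); detail is the canonical extension on success."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    ext = os.path.splitext(filename)[1].lower()
    for magic, canonical, allowed_exts in SIGNATURES:
        if data.startswith(magic):
            if ext in allowed_exts:
                return True, canonical
            # e.g. shell.php carrying a PDF header: content is fine, the name is not
            return False, "extension %r does not match content (%s)" % (ext, canonical)
    return False, "content type not allowed"


def storage_name(canonical_ext):
    """Never reuse the client's filename. The directory this lands in should
    be outside the web root, so nothing uploaded is ever executed or served."""
    return secrets.token_hex(16) + canonical_ext


def handle_submission(session, form, upload=None):
    """Tie the checks together. form is a dict of POSTed fields, upload an
    optional (filename, bytes) tuple. Returns (ok, message)."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return False, "csrf token missing or invalid"
    message = form.get("message", "").strip()
    if not message or len(message) > 5000:
        return False, "message empty or too long"
    if upload is not None:
        ok, detail = validate_upload(*upload)
        if not ok:
            return False, "upload rejected: " + detail
        return True, "stored as " + storage_name(detail)
    return True, "ok"
```

The token check here is the classic synchroniser pattern; if your sessions are cookie-based, set SameSite=Lax or Strict on the session cookie as well, but do not rely on it alone.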

Check 9: Email security (DMARC, SPF, DKIM)

If your domain sends email (order confirmations, contact form responses), email security records prevent your domain from being spoofed in phishing attacks.

What to check:

  • SPF record exists in DNS and ends with ~all or -all (a record ending in +all authorises every sender and protects nothing)
  • DKIM signing is configured for every service that sends as your domain, including the contact-form mailer
  • DMARC record exists with at minimum a p=none policy and a rua address so you receive reports; once the reports are clean, tighten to p=quarantine and then p=reject, because p=none alone blocks nothing

How to check: Use MXToolbox to verify your email authentication records.

Why it matters for GDPR: A phishing attack using your domain may result in your customers' data being stolen under the guise of your business. Email authentication is a low-cost measure, and its absence is hard to defend as "appropriate" under Article 32.
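The records can be checked from a script as well. This is an added example, not code from the article: the evaluate_*() functions take the raw TXT strings, so they run offline on the constructed sample records below, and lookup_txt() shells out to dig (assumed to be installed) for a live check. The DKIM key in DKIM_GOOD is a truncated placeholder.

```python
"""Check 9: evaluate SPF, DKIM and DMARC records."""
import re
import subprocess

# Constructed sample records for a domain example.com.
SPF_GOOD = "v=spf1 include:_spf.example-mail.com ip4:203.0.113.10 -all"
SPF_OPEN = "v=spf1 include:_spf.example-mail.com +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
DKIM_GOOD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

# SPF terms that cost a DNS lookup; more than 10 in total is a permerror (RFC 7208).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", re.I)


def evaluate_spf(record):
    """Findings for an SPF record; an empty list means it passes the check."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = record.split()
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        return ["more than 10 lookup terms: receivers return permerror and ignore SPF"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["+all authorises every sender, the record protects nothing"]
    if last == "?all":
        return ["?all is neutral; use ~all (softfail) or -all (fail)"]
    if last not in ("~all", "-all") and not last.startswith("redirect="):
        return ["record does not end with an all mechanism"]
    return []


def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'} (DKIM records use the same syntax)."""
    return {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", record)}


def evaluate_dmarc(record):
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: publish at least v=DMARC1; p=none with a rua address"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only reports; move to quarantine, then reject, once reports are clean")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p tag")
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy applies to only part of the mail" % tags["pct"])
    return findings


def evaluate_dkim(record):
    """A DKIM record whose p= tag is empty means the key was revoked."""
    if not record:
        return ["no DKIM record at this selector"]
    if not parse_tags(record).get("p"):
        return ["empty p tag: key revoked, signatures will not verify"]
    return []


def lookup_txt(name):
    """Live query via dig. Long records are split into several quoted strings
    on one output line; join them back into one record."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    records = []
    for line in out.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def audit_domain(domain, dkim_selector=None):
    """Real check. The DKIM selector is the s= tag in the DKIM-Signature
    header of a mail your site actually sent; without it DKIM cannot be looked up."""
    spf = next((r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")), None)
    result = {"spf": evaluate_spf(spf), "dmarc": evaluate_dmarc(dmarc)}
    if dkim_selector:
        dkim = next(iter(lookup_txt("%s._domainkey.%s" % (dkim_selector, domain))), None)
        result["dkim"] = evaluate_dkim(dkim)
    return result
```

`audit_domain("yourdomain.com", dkim_selector="selector1")` returns a dict of findings per record; an empty list for each means the check passes. The SPF lookup count here is a flat count of the record's own terms; the real limit also counts lookups inside the included records, so a result near 10 deserves a proper SPF flattening tool.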

Check 10: Remove sensitive data from public exposure

Data that should not be publicly accessible is sometimes inadvertently exposed.

What to check:

  • No .env files, .git directories or config files accessible via browser
  • No old database exports (.sql files) in the web root
  • Admin panels are not publicly reachable without authentication: /wp-admin requires a login by design, but a phpMyAdmin instance or hosting tool at a guessable path, protected only by a weak password, is an exposure
  • WordPress xmlrpc.php is disabled if not needed (it lets an attacker try many logins in a single request via system.multicall and can be abused for pingback DDoS)

How to check: Try visiting [yourdomain.com]/.env, [yourdomain.com]/.git/config, [yourdomain.com]/wp-config.php.bak. None should return content: a 403 or 404 is fine, a 200 that shows the file is not. Also try [yourdomain.com]/.git/HEAD, which is the easiest one to recognise (it starts with "ref: refs/").
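Doing the same probe from a script is more reliable than eyeballing it, because many sites answer 200 with a friendly "not found" page and the status code alone gives false positives. The following is an added example, not from the article: each probe pairs a path with a test on the body, probe_exposures() takes a fetch function so it can run offline against the constructed FAKE_SITE, and fetch_url() is the real one.

```python
"""Check 10: probe for files that must never be served."""
import urllib.error
import urllib.request


def looks_like_dotenv(body):
    """KEY=value lines with an upper-case key, the shape of a .env file."""
    return any(b"=" in line and line.split(b"=", 1)[0].strip().isupper()
               for line in body.splitlines()[:20])


def contains(*needles):
    return lambda body: all(n in body for n in needles)


def looks_like_sql_dump(body):
    upper = body.upper()
    return b"INSERT INTO" in upper or b"CREATE TABLE" in upper


# Paths from the checklist plus common siblings (.git/HEAD, editor backups, dumps).
PROBES = [
    ("/.env", looks_like_dotenv),
    ("/.git/HEAD", lambda body: body.startswith(b"ref: refs/")),
    ("/.git/config", contains(b"[core]")),
    ("/wp-config.php.bak", contains(b"DB_PASSWORD")),
    ("/wp-config.php~", contains(b"DB_PASSWORD")),
    ("/wp-config.php.save", contains(b"DB_PASSWORD")),
    ("/backup.sql", looks_like_sql_dump),
    ("/dump.sql", looks_like_sql_dump),
    # WordPress answers a GET on xmlrpc.php with this sentence while it is enabled.
    ("/xmlrpc.php", contains(b"XML-RPC server accepts POST requests only")),
]


def fetch_url(url, timeout=10):
    """GET url; return (status, first 64 KiB of body). HTTP errors become a status."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def probe_exposures(base_url, fetch=fetch_url):
    """Paths that return 200 and carry the content that file would really have."""
    base = base_url.rstrip("/")
    exposed = []
    for path, looks_right in PROBES:
        status, body = fetch(base + path)
        if status == 200 and looks_right(body):
            exposed.append(path)
    return exposed


# Constructed responses for a deliberately misconfigured demo site, used to
# exercise the probe offline. Note the soft-404 on wp-config.php.bak.
FAKE_SITE = {
    "/.env": (200, b"APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "/.git/config": (403, b""),
    "/wp-config.php.bak": (200, b"<html><body>Sorry, page not found</body></html>"),
    "/xmlrpc.php": (200, b"XML-RPC server accepts POST requests only."),
}


def fake_fetch(url):
    return FAKE_SITE.get(url[len("https://demo.example"):], (404, b""))


if __name__ == "__main__":
    print(probe_exposures("https://demo.example", fake_fetch))
```

`probe_exposures("https://yourdomain.com")` runs it for real. A hit on /.git/HEAD usually means the whole repository, including history, can be reconstructed, so treat it as a credential exposure, not just a source leak.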

Check 11: DDoS and availability

Article 32(1)(b) names "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" as a security objective, and Article 32(1)(d) requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures". Availability is therefore part of the security obligation, not an optional extra.

Basic checks:

  • Your hosting provider has DDoS mitigation
  • Uptime monitoring alerts you if your website goes down
  • You have a procedure for responding to availability incidents

A DDoS attack that takes your website down may not affect the confidentiality of personal data, but Article 4(12) defines a personal data breach to include accidental or unlawful destruction or loss of personal data, so an outage that destroys data, or makes it unavailable for long enough to affect the people it concerns, can itself be notifiable. Prolonged unavailability of an e-commerce site also causes direct financial harm to customers (blocked orders).

Check 12: Vulnerability scanning

Regular scanning identifies vulnerabilities before attackers do.

What to check:

  • You scan for known vulnerabilities in your CMS and plugins regularly
  • You review WordPress plugin CVE (Common Vulnerabilities and Exposures) notices

Free tools:

Your Security Score

Count your checked items:

  • 10-12: Strong security posture. Review every 6 months.
  • 7-9: Good foundation. Address the missing items; prioritise updates, HTTPS and backups if not done.
  • 4-6: Significant gaps. Start with HTTPS, updates and strong passwords, which are the most frequently exploited weaknesses.
  • Below 4: Urgent attention needed. Even a small website with a contact form is at risk.

GDPR Security: The Proportionality Principle

Article 32 requires security "appropriate to the risk." A personal blog is not held to the same standard as a healthcare portal. But any website with:

  • A contact form → processes personal data
  • Analytics → processes IP addresses and browsing behaviour
  • Login accounts → processes credentials and user data
  • An online shop → processes financial and delivery data

...has personal data processing that justifies at minimum checks 1-3 (HTTPS, updates, passwords) and check 7 (backups). The rest of the checklist is recommended for most business websites.


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
