Is Your Website GDPR Compliant?

22 February 2018

Categories: CEB Creative's Blog, Digital Marketing, Website Hints and Tips

How to get your website GDPR compliant, ready for the General Data Protection Regulation

With the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, it’s important you know how to make your website GDPR compliant. This new law is designed to offer individuals greater protection in respect of their personal data, whether as an employee, a customer, a supplier or a potential client.


The new law applies to businesses and organisations in the European Union. Those outside the EU who offer goods or services (whether paid or not) to people living within the EU, or who monitor their behaviour, must also comply. In practice this makes GDPR a global standard for data protection.

What’s changed under GDPR?

Under GDPR people will have new rights to access any data which companies hold about them. Companies must obtain consent from people for the data they collect, and there will be a new level of fines for breaching the regulations. Greater accountability will be required for the processing of data.

What is Personal Data?

Any data that can be used to identify a living person directly or indirectly is classed as personal data.

For example:

  • Name
  • Address
  • Email address
  • Social security number
  • Location data
  • IP address

Under the new law, not all data is equal. Some types of data are considered to be more sensitive than others and require more careful handling.

What Is Sensitive Personal Data?

Sensitive personal data includes details like:

  • Race
  • Health status
  • Sexual orientation
  • Religious beliefs
  • Political beliefs

An individual's rights under GDPR

A big part of GDPR is making the data collected by companies and organisations more accessible to the subjects it has been collected from. As explained by the ICO, data subjects will have the following rights concerning their personal data:

  1. Information
  2. Access
  3. Rectification
  4. Erasure
  5. Restrictions on processing
  6. Data portability
  7. Objection
  8. Rights in relation to automated decision-making and profiling

Things you’ll need to consider:

  • What data do you hold?
  • What do you do with it?
  • Who has access to it?
  • How long do you keep it for?
  • Do you have consent to hold it?
  • Do you record the decisions you make in respect of it?
  • Do you have a clear process to remove and destroy unnecessary data?

You now need to take responsibility for your data and begin to build privacy into your systems and processes. To ensure you are fully compliant, it will be important to raise staff awareness across your business and educate them on the importance of handling personal data properly when collecting, processing and storing it.

The GDPR refers a lot to data processing. This simply means any operation that is performed on personal data: collection, storage, amendment, deletion and so on.

Your clients will need to be confident that you can be trusted with their data and personal details.

What not to do:

  • Don’t take on data you don’t need
  • Don’t keep it longer than you need it
  • Don’t use it for purposes other than those the owner has given their explicit consent to

Get your policies in place

GDPR will mean you’ll need to have clear statements and policies in place with regards to data processing within your business or organisation.

You’ll need to inform your website visitors what sort of data is being collected from them, what it’s used for and how it is stored. Most of this can be covered in a detailed privacy policy. You should already have one of these on your website, so in most cases it will just be a case of updating it.

You should always tailor a privacy policy to your specific business. There are lots of templates out there, but it’s important that the information is all correct and relevant to your website specifically.

Examples of GDPR best practice

Here is an extract from a GDPR compliant website privacy policy statement with relation to the use of Google Analytics. It clearly explains what type of data gathering this is (visitor tracking), what it is used for and how to opt out if you wish.

In addition to your public privacy policy, you’ll also need to document your internal policies for storing, processing and erasing the data you keep.

If you are using forms on your website then you need to request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. The request must also stand alone from other matters or requests and not be buried in other text. It will no longer be acceptable to use pre-populated check boxes.

Here is an example of a GDPR compliant form’s explicit consent field.


You also need to provide users with a way to withdraw consent and purge the personal data collected on them, i.e. the ‘Right to Be Forgotten’. The easiest way to do this is to have a dedicated email address (, for example) for them to get in contact with you.

You’ll need to appoint a Data Protection Officer for your business, whose job it is to manage these requests alongside other GDPR-related admin.

It is also a requirement of GDPR that you verify requests to remove or edit data received via email. The easiest way to manage this is to ask your customers or users to send their request from the email account that they subscribed or enquired with, so you can verify their identity and their right to edit the data you hold.

GDPR doesn’t need to be scary. It is designed to protect all parties involved. As long as you have clear policies in place with regards to the data you collect and hold, then you should be covered.

Useful Links

GDPR Compliance and WordPress Forms: Everything You Need to Know

Is Your Website GDPR Compliant? How to Get Ready for the General Data Protection Regulations

Please note: This post is a commentary on general principles and should not be interpreted as advice for your specific situation.
