GDPR requirements for websites

The General Data Protection Regulation (GDPR) requirements came into force on May 25, 2018.

Designed to protect the personal data of EU residents, it gives individuals control over how their personal data is stored and used by your company.

It's vital that you understand GDPR requirements for websites to avoid being in breach of the regulations.

What is GDPR and why is it relevant?

GDPR places strict rules on how businesses acquire, store and use personal data.

It applies to business of all sizes, although there are some exceptions for SMEs. GDPR requires businesses to have legitimate grounds to collect personal information and only use it for a specific purpose.

If you have a business website, it's likely you're collecting data about the people who visit and interact with your website.

Therefore, it's important to know the GDPR requirements for websites to ensure that yours is GDPR compliant.

The penalty for non-compliance is high - it can carry a steep fine of up to 4% of the turnover of your business or €20m - whichever is higher.

What are the GDPR requirements for websites?

While GDPR requirements are detailed, in general you must keep customer data safely secured and ensure that you have explicit permission to collect and use personal data.

If your website uses contact forms to collect sales leads, stores personal information for website accounts, or uses cookies to track customers then you need to ask permission for each website visitor and tell them what you will be using their data for.

Take the following steps to ensure your website is GDPR compliant.

Step 1. Review your website

It's essential to check that your website is GDPR compliant.

This involves assessing your website and any third-party tools you use for running your website, such as email list services, cookies that your website uses, and analytics such as Google Analytics.

Start by examining all the ways your website collects data, from online forms and user accounts to email signups.

Make a list of what personal data your website asks for, and where and how it is stored.

Personal data includes any information that identifies someone such as name, email, postal address or even computer IP address.

Check what cookies your website is using.

List the permissions your website asks and check they are in line with GDPR requirements.

This includes clearly asking permission to use cookies, marketing permissions on forms, and clear links to a privacy policy.

Step 2. Review your website's privacy policy

You must inform visitors that you are collecting data, explain what data you are gathering and what you plan to do with it.

You should also explain how data will be stored and for how long.

Update your privacy policy to ensure it is compliant with GDPR regulations and publish the privacy policy document on your website.

Your privacy policy should include contact details for your company's Data Officer and how a person can request any data you hold about them.

3. Cookies

Ensure your website includes a page listing all the cookies that it uses.

These need to include functional cookies - such as account log-in cookies - to tracking cookies from third-parties such as advertising platforms and analytics tools.

Free tools such as GDPR Cookies Scan can examine your website and provide a list of all the cookies in use.

As part of GDPR requirements for websites, you will also need to provide a cookie pop-up notification giving visitors a link to the cookie listing page, as well as the option to decline all cookies.

You cannot limit access to your website to only those willing to accept cookies.

4. Secure Socket Layer (SSL) certificates

SSL is a vital website component that encrypts information and traffic to-and-from your website.

This means personal information, from credit cards to phone numbers, is scrambled.

It will also show a padlock symbol in the address bar of a web browser so site visitors can see your website is secure.

Free SSL certificates are available from the Let's Encrypt initiative, which can be installed on your website.

5. Newsletters and contact forms

As part of GDPR requirements for websites, if you invite visitors to sign-up for email newsletters, downloads or fill in a contact form, you must be clear what you will use the information for.

You need to provide explicit opt-in permission tick boxes if you plan on sending the visitor marketing information or sharing their details with third-parties.

You cannot send any marketing without permission for each channel, such as email, telephone and SMS.

Email service providers such as MailChimp, MizMoz and Communigator should be GDPR compliant, but check your email mailing list provider.

Each email must include a clear unsubscribe link.

6. How to make WordPress GDPR compliant

Many websites use the WordPress content management system - it's free, popular and supported with a range of free plug-ins.

While you can buy GDPR plug-ins for WordPress that help ensure compliance, there are plenty of free WordPress plug-ins available to get you started.

  • Cookie Notice - With over 1m active users, this free plug-in provides a cookie pop-up that complies with EU cookie law in relation to GDPR.
  • WP GDPR Compliance - This free, open source plug-in adds permissions and consent controls for popular online forms including Contact Form 7, WordPress Comments, WooCommerce and Gravity Forms.
  • GDPR - Provide a free suite of tools to help a Data Officer manage GDPR compliance for a website, including cookie consent and requests for data deletion.

Learn more about entrepreneurship with our free online courses in partnership with the Open University.

Our free Learn with Start Up Loans courses include:

Plus free courses on finance and accounting, project management, and leadership.

Disclaimer: The Start -Up Loans Company makes reasonable efforts to keep the content of this article up to date, but we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. This article is intended for general information purposes only and does not constitute advice of any kind, including legal, financial, tax or other professional advice. You should always seek professional or specialist advice or support before doing anything on the basis of the content of this article.

The Start-Up Loans Company is not liable for any loss or damage (foreseeable or not) that may come from relying on this article, whether as result of our negligence, breach of contract or otherwise. “Loss” includes (but is not limited to) any direct, indirect or consequential loss,  loss of income, revenue, benefits,  profits, opportunity, anticipated savings, data. We do not exclude liability for any liability which cannot be excluded or limited under English law. Reference to any person, organisation, business or event does not constitute an endorsement or recommendation from The Start-Up Loans Company, its parent company British Business Bank plc, or the UK Government. 

Your previously read articles