Make Your Website GDPR Compliant


The General Data Protection Regulation (GDPR) is a new EU regulation that strengthens data protection for people in the EU. It applies to organisations that process their personal data whether those organisations are inside the EU or anywhere else in the world.

Anyone who decides why and how personal data is collected and used (a Data Controller under the GDPR), and anyone who processes that data on a controller's behalf (a Data Processor), is required to comply. As well as organisations that run websites or apps, this includes any organisation that uses internal databases, a CRM or even just email.

The full text of the GDPR is a long document and can be read here.

Alongside the new EU data protection law, we have been making our own website GDPR compliant. The following are the questions you need to ask yourself to know whether your website is GDPR compliant:

1) What data is being captured and held?
2) When and where is it captured?
3) How long will the data be stored?
4) How is it being used?
5) Do you have explicit consent from the user to hold and use the data?
6) Do you tell users who to contact to find out what data you hold about them and how it is being used?
7) Do you explain the process by which a user can ask to have all the data you hold about them permanently removed from your system (the Right to be Forgotten)?

1) You must be able to show an intended purpose for the data you hold. For example, you cannot add someone to an email marketing list for a different service from the one they enquired about through a web form. If they specifically ask about AdWords services and you start sending them information on website building, that is not what they consented to, unless the enquiry form had a separate checkbox allowing you to send them offers about other services.

2) The user must be able to withdraw their consent to your holding their information at any stage.

Processes Needed:

1) Data breach: a process for detecting, recording and reporting a breach of personal data. The GDPR requires a controller to notify its supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals' rights and freedoms, so decide in advance who investigates and who reports.

2) Appoint a Data Protection Officer: someone who is always available to answer GDPR-related questions about your site and the data that is held. The GDPR only makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but naming a contact is good practice for everyone else.

3) Have a process where users can request that their data be removed from the site.

4) Name your third-party processors in your privacy policy, for example connected systems such as Google, Mailchimp, Salesforce, Mizmoz and Facebook, and check each one's own GDPR terms.


Take a data audit

List all the places where you know you capture users' data, then mark each one with either a 1 or a 3 to track which are first-party (your organisation) and which are third-party data processors.

For each data processor consider the following:

  • What are you using the data for?
  • Where is the data being stored?
  • Do you still need to hold the data?

For the purposes of this article, a data processor is anything you use to send or receive information from or about users of your website.

The Checklist:

 1. Cookie Policy

A page on your website that states what cookies are used on the site, both yours and third parties', what data you capture with them and what you do with it. An example of a typical compliant cookie policy can be seen here.

 2. Cookie & Privacy Popup Notice

You don't strictly need a pop-up, but you do need to tell the user what cookies are used and where the privacy policy is at the first point of arriving at the website, so a pop-up is the most practical solution. It needs to state that cookies are used on the site, link to the privacy and cookie policy pages (which list both your cookies and third-party ones) and ask the user to agree to the use of their data as set out there. Until the user has agreed, only strictly necessary cookies (session, shopping basket, login) should be set; those are needed to make the site work and do not require consent. Analytics, advertising and other non-essential cookies must not be set until the user accepts.

Use of the website must not be restricted to those who accept the non-essential cookies. The user must be offered a way to use the site without them and to decline them for their session, and declining must be as easy as accepting. The cookie notice must explain that if they decline, some parts of the site may lose functionality.

 3. Privacy Policy

A privacy policy is a more thorough document: the website owner's full statement of what data is captured, when and where it is captured, what it is used for and for how long it is kept, which third parties receive it and their details, the DPO's contact details, and the process by which a user can request a copy of their details or ask for them to be permanently deleted.

 4. SSL Certificate

Your site should be served over HTTPS so that form submissions, logins and cookies are encrypted in transit, and that needs a valid TLS certificate (still widely called an SSL certificate) installed and kept renewed. If you would like further information on SSL, or would like a certificate installed or renewed, please call (01) 2071872 or contact us by email.

5. Newsletter Signups

If you have a facility for users to sign up on your website to receive a newsletter from you, whether you send it one email at a time from your desktop mail client or from a system like Mailchimp, you need to make sure that the tick box handling the subscription is unticked by default, so the user has to opt in rather than opt out. Seek consent separately for each way you plan to contact them, saying how their details will be used and how they can unsubscribe. You cannot bundle automatic sign-up to the newsletter into your website's standard terms of use or terms of business: there must be a separate opt-in tick box at each place on the site where you gather the data. For example, if a user buys a service on your website, they will have to tick a box to accept the terms of that service; if you also offer a monthly marketing newsletter, that needs its own tick box, and it cannot be a required field. You will need another separate tick box if you pass the user's details to another party. Make sure that every email you send out has an unsubscribe link, too.

6. User Account Creation

If your website offers eCommerce transactions or lets a user set up access to services behind a login, you will need to ensure that HTTPS is in place (as referred to in point 4) and also work towards pseudonymising the stored data, so that records are keyed by a token rather than by the person's name or email address and the information needed to link the token back to the person is held separately. Recent headline breaches (Uber, TalkTalk, Experian) have shown that even major internet companies are not doing this, so talk to your web developer about how you can move towards it.

7. Payment gateways

If you have an eCommerce website and use one of the popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that (as well as ensuring the processes are followed in line with the above points) the payment gateway privacy policies are checked and referenced in your own privacy policy.

8. Enquiry & Contact form

If your website has an enquiry form through which people submit messages to you, ensure the following:

The website is served over HTTPS, so the submission is encrypted in transit.

The details are not stored in the website's SQL database unless they are stored encrypted, with the key held outside the database.

If they are sent to you by email, your email service provider adheres to the GDPR and the email is stored and sent securely. Many email providers, such as Googlemail and Outlook 365, have updated their terms of service for the GDPR; it is worth checking that your provider complies. Email is one of the most common places where personal data is lost, abused or misused.

9. Live Chats

If you have a live chat service on your website, refer to this third-party service in your cookie policy and privacy policy, and review the provider's GDPR and Privacy Shield policy. You may think the data is not being stored anywhere, but it is: very often the transcript of the chat is emailed to both parties once it is completed. The principles above for storage and use apply here, too.

 10. Connected Email

Whilst not strictly website-related, all email services and the storage of email from everyone you correspond with must comply with the Data Protection Act (DPA) and the GDPR. In short, store your email data securely, use good anti-virus software, and archive and completely delete unnecessary email. Have a data retention policy: a statement of how your organisation stores data and for how long before it is deleted. A typical business retention period is 2 years; anything older is usually out of date anyway. The exceptions are regulated industries (financial services, medical, government, HMRC and so on), where you may be required to keep records longer, particularly accounting and finance records. Check with your regulator if you fall into this bracket.

 11. Social Media Account Connection

Using social media sites for your organisation also falls under GDPR. Whilst you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, you do need to ensure that any information gathered directly from people with whom you interact on these sites is handled in accordance with the GDPR privacy guidelines.

 12. Google Analytics (and other user tracking systems)

If you run Google Analytics on your site (or any other tracking service) you will need to refer to it in the cookie policy and the privacy policy, and check the third party's own privacy policy to confirm that it complies. Whilst we know that Google Analytics is both GDPR and Privacy Shield compliant, other, lesser-known tracking services may not be.

You must enable the IP anonymisation option in Google Analytics to conform to the GDPR. By default Google Analytics records users' full IP addresses in visitor reports, and an IP address counts as personal data. You do not really need it, so turn it off: with anonymisation on, Google zeroes the last octet of IPv4 addresses (the last 80 bits of IPv6 addresses) before the address is stored or used, so geographic reports still work but become somewhat less precise.
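As an added example that is not part of the original page, the following browser-side JavaScript shows the consent gate described under point 2 (no non-essential cookie until the user decides, declining as easy as accepting, a decision that expires when the policy text changes) together with the analytics.js IP anonymisation setting from this point. The cookie name cookie_consent, the category names, the placeholder tracking ID and the showBanner callback are this example's own assumptions; ga is passed in as a parameter so the code can be exercised without the real library.

```javascript
// Added example, not code from the original page. Cookie name, category names
// and the tracking ID placeholder are assumptions made for this example.
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VERSION = 2;                       // bump whenever the cookie policy text changes
const CATEGORIES = ['analytics', 'marketing'];   // strictly necessary cookies need no consent

// Parse a document.cookie-style string ("a=1; b=2") into a name->value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored decision. Returns null when there is no valid, current-version
// decision; the caller must treat null as "no consent", never as consent.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION) return null;   // policy changed: ask again
    const decision = { decided: true };
    for (const cat of CATEGORIES) decision[cat] = c[cat] === true;
    return decision;
  } catch (e) {
    return null;                                      // malformed cookie: ask again
  }
}

// Serialise a decision. A refusal is stored too, so the banner does not return
// on every page view and declining costs the user one click, like accepting.
function makeConsentCookie(choices) {
  const value = { version: CONSENT_VERSION };
  for (const cat of CATEGORIES) value[cat] = choices[cat] === true;
  const oneYear = 365 * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}; Max-Age=${oneYear}; Path=/; SameSite=Lax; Secure`;
}

// Which optional scripts may run for this page load.
function scriptsToLoad(consent) {
  if (!consent) return [];                            // undecided: nothing optional
  const scripts = [];
  if (consent.analytics) scripts.push('google-analytics');
  if (consent.marketing) scripts.push('facebook-pixel');
  return scripts;
}

// analytics.js set-up with IP anonymisation. `ga` is injected so a stub can record
// the calls; on a real page pass window.ga.
function configureAnalytics(ga, trackingId) {
  ga('create', trackingId, 'auto');
  ga('set', 'anonymizeIp', true);   // last IPv4 octet is zeroed before storage
  ga('send', 'pageview');
}

// Page-load glue: show the banner when undecided, otherwise load only what was allowed.
function onPageLoad(cookieHeader, ga, trackingId, showBanner) {
  const consent = readConsent(cookieHeader);
  if (!consent) {
    showBanner();
    return [];
  }
  const scripts = scriptsToLoad(consent);
  if (scripts.includes('google-analytics')) configureAnalytics(ga, trackingId);
  return scripts;
}
```

On a real page the banner's Accept and Decline buttons each write the string from makeConsentCookie to document.cookie and then call onPageLoad again; the tracking script tag itself is only injected inside configureAnalytics, never in the static HTML.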

 13. CRM Connection

Related to points 6, 7, 8, 9 and 10. If your website captures users' data and writes it into a CRM such as Salesforce or Pardot, you need to make sure that the collection process is secure, as described above, and that you refer to the third-party service in your privacy policy. Additionally, if your website sends the enquiry directly into the CRM, make sure the date, time, reason for capture and consent details go with it. Users have the legal right to ask you where you captured their details, when, whether it was made explicit how the data would be used, and how the details can be permanently deleted (the right to be forgotten).
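As an added example, not code from the page, the following Node.js handler shows how the opt-in rules under Newsletter Signups (separate, unticked, never required tick boxes per purpose) and the capture-time evidence required for a CRM record above can be implemented together, along with withdrawal and erasure. The form field names, the policy version string and the purpose wording are assumptions made for this example.

```javascript
// Added example, not the page's own code. Field names, purpose wording and the
// policy version identifier are assumptions.
const PRIVACY_POLICY_VERSION = '2018-05';   // identifies the policy text the user saw

// Each optional purpose has its own checkbox. Only a box the browser actually
// submitted as checked counts; a missing field, '' or 'off' is no consent.
const OPTIONAL_PURPOSES = {
  newsletter_opt_in: 'Monthly marketing newsletter by email',
  third_party_opt_in: 'Sharing your details with partner companies',
};

function isChecked(value) {
  return value === 'on' || value === 'true' || value === '1' || value === true;
}

// Validate a signup. Accepting the terms of the purchased service is required;
// the optional purposes are not, and each is read from its own field.
function processSignup(fields, context) {
  const errors = [];
  if (!fields.email || !fields.email.includes('@')) errors.push('email is required');
  if (!isChecked(fields.accept_terms)) errors.push('you must accept the terms of the service you are buying');
  if (errors.length) return { ok: false, errors };

  const consents = [];
  for (const [field, purpose] of Object.entries(OPTIONAL_PURPOSES)) {
    if (!isChecked(fields[field])) continue;          // unticked box: no record, no email
    consents.push({
      email: fields.email.trim().toLowerCase(),
      purpose,                                         // what they agreed to
      source: context.formId,                          // where it was captured
      captured_at: context.now,                        // when
      policy_version: PRIVACY_POLICY_VERSION,          // which wording they saw
      withdrawn_at: null,
    });
  }
  return { ok: true, consents };
}

// Withdrawal (e.g. the unsubscribe link): keep the record, mark when consent ended,
// so you can still show that the earlier emails were sent with consent.
function withdrawConsent(records, email, purpose, when) {
  const e = email.trim().toLowerCase();
  let count = 0;
  for (const r of records) {
    if (r.email === e && r.purpose === purpose && r.withdrawn_at === null) {
      r.withdrawn_at = when;
      count += 1;
    }
  }
  return count;
}

// "May I send this person this kind of email right now?"
function hasActiveConsent(records, email, purpose) {
  const e = email.trim().toLowerCase();
  return records.some((r) => r.email === e && r.purpose === purpose && r.withdrawn_at === null);
}

// Right to erasure: remove everything held for the subject, in place.
function eraseSubject(records, email) {
  const e = email.trim().toLowerCase();
  const kept = records.filter((r) => r.email !== e);
  const removed = records.length - kept.length;
  records.length = 0;
  records.push(...kept);
  return removed;
}
```

The same consent record (purpose, source, time, policy version) is what the CRM row should carry when the enquiry is pushed across, so a subject-access request can be answered from either system.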

Please see our revised privacy policy here.

We suggest that you carry out a review for your own business and your website.
Please send us your updated privacy policy and we will publish it to your website. There is no additional charge for this service for clients on one of our Technical Support Programmes.

If you have any questions please contact us at or call us on (01)2071872