How to make a website GDPR compliant

When you build a website with one of the best website builders and host it online with one of the best web hosting services, a major change in data protection in Europe must be a large factor in your thinking.

In force since 2018, the General Data Protection Regulation (GDPR) regulates how businesses use and protect customer data. Simply put, it creates two key obligations for organizations: it makes them responsible for the secure management of customer data, and it requires them to provide transparent, easily accessible information on how they manage and use this data.

It may look like the GDPR is a setback for digital marketing, but this couldn’t be further from the truth. It's relatively straightforward to make your business GDPR compliant, and doing so ensures customers feel their privacy is safe when using your site.

It also pays to make sure your site's GDPR compliant, as you might face fines of up to €20 million (or 4% of annual revenue) for breaching the GDPR. In this feature, we discuss how the GDPR can affect your website, and how you can ensure it's GDPR compliant across the board.

Making your site GDPR compliant: Online contact forms 

Online contact forms are a standard feature on most sites today. They are an easy and straightforward way to help customers and businesses connect. Although the GDPR doesn’t stop companies from using contact forms on their websites, it does create new obligations and responsibilities. 

Firstly, organizations must explain why they are collecting personal information. For each custom data field (name/address/phone number), it helps to explain why you are collecting this data and how it will be used. For example, if you are asking customers for their address, you would explain that this is required so you can provide correspondence by mail. 

If you can’t think of why the data you are collecting is necessary, then perhaps it is not worth collecting. This part of the GDPR is designed to ensure that companies only collect essential personal information.

Secondly, the GDPR requires businesses to include a tick box asking website visitors to confirm that they understand the site's privacy policy and how their data will be used. This tick box must be unticked by default. Customers must also opt in to each form of contact (email/phone/post) individually.

Email marketing 

Consent must be given in order for businesses to send out email marketing to individuals under the GDPR (Image credit: Shutterstock)

One of the most significant developments to come out of the GDPR is the prohibition of unsolicited marketing emails. GDPR compliant businesses can only send emails to individuals who have opted in to receive marketing information via the specified form of communication. 

Companies in breach of this requirement are liable to receive hefty fines or other punitive measures. Before the GDPR came into force, businesses were encouraged to ask all customers to opt in again to marketing communications. Now you must receive consent from all customers before sending them marketing or promotional materials.
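The contact-form rules above (a stated purpose per field, a privacy box that is unticked by default, one opt-in per channel) and the opt-in rule for email marketing can be enforced on the server, as in this added example, which is not code from the original article. The field names, purposes and the `optIn_<channel>` form names are assumptions made for illustration.

```javascript
// Each field the form may collect, with the purpose shown next to it.
// Field names and purposes are constructed for this example.
const FIELD_PURPOSES = {
  name: 'So we can address you in our reply',
  email: 'So we can reply to your enquiry',
  address: 'So we can provide correspondence by mail',
};
const CHANNELS = ['email', 'phone', 'post'];

// A tick box counts only when the visitor actively ticked it. An unticked
// HTML checkbox is simply absent from the submission; a ticked one sends "on".
const ticked = (v) => v === true || v === 'on';

function processContactForm(body, now = new Date()) {
  if (!ticked(body.privacyPolicyAccepted)) {
    return { ok: false, error: 'privacy policy box must be ticked by the visitor' };
  }
  // Data minimisation: keep only fields that have a stated purpose.
  const data = {};
  for (const field of Object.keys(FIELD_PURPOSES)) {
    if (typeof body[field] === 'string' && body[field].trim() !== '') {
      data[field] = body[field].trim();
    }
  }
  // Every channel starts as "no" and is switched on one box at a time;
  // there is deliberately no "opt in to everything" input.
  const consent = {};
  for (const channel of CHANNELS) {
    consent[channel] = ticked(body[`optIn_${channel}`]);
  }
  return { ok: true, record: { data, consent, consentedAt: now.toISOString() } };
}

// Gate to call before any marketing send: no record or no opt-in, no contact.
function canContact(record, channel) {
  return Boolean(record && record.consent && record.consent[channel] === true);
}
```

Storing `consentedAt` alongside the per-channel flags gives you a record of when each customer opted in.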

Privacy policy

To further encourage transparency, the GDPR requires all businesses to have a privacy policy and display it prominently on their website. This policy must explain how your company collects personal data, how it stores this data, and how it uses it. 

For example, if you encrypt data either in transit or at rest, it should be mentioned in your privacy policy. If all your employees are subject to police checks before commencing their employment, it should be mentioned. If you provide customer data to third parties, it should be mentioned. You get the idea.

Handling data in a GDPR compliant way

There is a wide range of obligations for businesses when it comes to handling and managing customer data (Image credit: Unsplash)

The GDPR creates several obligations for businesses concerning their handling and management of customer data. A few of these are worth mentioning here. 

Firstly, organizations are required to secure all customer or user data with some level of encryption. Serving your site over HTTPS is one of the easiest ways of fulfilling this obligation. Secure storage of customer data with AES (Advanced Encryption Standard) 256-bit encryption is also recommended.

Secondly, businesses must ensure that data collected in Europe remains in Europe, or that any non-European entity with access to customer data is GDPR compliant. Even within Europe, businesses are responsible for ensuring that all partners or collaborators in customer data management are GDPR compliant. 

Finally, the GDPR establishes a right to be forgotten. Businesses must communicate this right to customers, either on their website or in their privacy policy. They must also provide a mechanism for permanently deleting all data identifying that particular customer. Significant penalties have already been issued for breaching this requirement.
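A sketch of two of the obligations above, AES 256-bit encryption of stored customer fields and a deletion mechanism for the right to be forgotten, written as an added example rather than code from the original article. The GCM mode, the in-memory stores and their names, and the randomly generated key are assumptions made for illustration; it runs on Node.js.

```javascript
const crypto = require('node:crypto');

// Constructed key for the example; a real key is loaded from a secrets store.
const KEY = crypto.randomBytes(32); // 32 bytes = AES-256

function encryptField(plaintext, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout: nonce (12) | auth tag (16) | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(blob, key = KEY) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the stored value was modified.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// In-memory stand-ins for every place a customer can appear (hypothetical names).
const stores = { contacts: new Map(), mailingList: new Map(), orders: new Map() };

function saveCustomer(id, { email, address }) {
  stores.contacts.set(id, { email: encryptField(email), address: encryptField(address) });
  stores.mailingList.set(id, { email: encryptField(email) });
}

function findCustomer(id) {
  return Object.entries(stores).filter(([, s]) => s.has(id)).map(([name]) => name);
}

// Right to be forgotten: delete the customer from every store, then verify
// that nothing identifying them is left behind.
function eraseCustomer(id) {
  const removedFrom = [];
  for (const [name, store] of Object.entries(stores)) {
    if (store.delete(id)) removedFrom.push(name);
  }
  return { removedFrom, remaining: findCustomer(id) };
}
```

The `stores` map is where backups, logs and any third party holding the same customer would be added, so that a single erasure request reaches all of them.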

Making your site GDPR compliant: Conclusion

Following the advice contained in this article will help your website become GDPR compliant sooner. GDPR compliance can demonstrate to your customers that you are a responsible and reliable business, and may help you develop better relationships with them. 

When we add the costs of not complying with the GDPR, there’s no reason not to start becoming compliant today. 

Darcy French

Darcy is a freelance copywriter, and a candidate for the dual master's program between the Paris Institute of Political Studies (Sciences Po) in France and Peking University in Beijing, China. His academic and professional areas of interest include human rights and development, sustainable agriculture and agroecology, Pacific Islands diplomacy, and Sino-Australian relations.