
How to make a website GDPR compliant

a laptop screen showing website traffic data
(Image credit: Photo by Luke Chesser on Unsplash)

The General Data Protection Regulation (GDPR) is a game-changer in regulating how businesses protect and use their customers' personal data. 

In its purest form, this European Union regulation creates two key obligations for organizations. Firstly, it makes businesses responsible for the secure management of their customers' data. Secondly, companies are required to provide transparent and easily accessible information on how they collect, use and share that data. 

At first, it might seem like the GDPR is a setback for digital marketing, but this couldn’t be further from the truth. Making your business GDPR compliant is relatively straightforward, and it will ensure your customers feel that their privacy is safe when using your website.

Also, with fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher) for the most serious breaches of the GDPR, it pays to make sure your website is compliant. 

Making your site GDPR compliant: Online contact forms 

Online contact forms are a standard feature on most websites today. They are an easy and straightforward way to help customers and businesses connect. Although the GDPR doesn’t stop companies from using contact forms on their websites, it does create new obligations and responsibilities. 

Firstly, organizations must explain why they are collecting personal information; the GDPR calls this purpose limitation. For each data field (name, address, phone number) state why you are collecting it and how it will be used, ideally right beside the field. For example, if you ask customers for their postal address, explain that it is needed so you can reply by mail. 

If you can't think of why a piece of data is necessary, don't collect it. This is the GDPR's data minimisation principle: collect only the personal data you need for the purpose you have stated. 

Secondly, include a tick box confirming that the visitor has read your privacy policy and understands how their data will be used. This box, and any box that grants consent, must be unticked by default: under the GDPR consent has to be a clear affirmative action, so pre-ticked boxes, silence or inactivity do not count. Customers must also opt in to each form of marketing contact (email/phone/post) individually rather than through one bundled box, and you must keep a record of what each person agreed to and when, because the GDPR requires you to be able to demonstrate that consent was given.

Email marketing 

computer monitor with an email graphic superimposed onscreen

Consent must be given before businesses can send out email marketing to individuals under the GDPR (Image credit: Shutterstock)

One of the most significant developments to come out of the GDPR is the tightening of the rules on unsolicited marketing email. A GDPR compliant business can only send marketing to individuals who have opted in to receive it via that specific channel. 

Companies in breach of this requirement are liable to receive hefty fines or other punitive measures. In the run-up to the GDPR taking effect on 25 May 2018, businesses were encouraged to ask their existing contacts to opt in again, because consent gathered under looser standards does not carry over. Now you must hold valid, recorded consent from every recipient before sending them marketing or promotional materials.

Privacy policy

To further encourage transparency, the GDPR requires businesses to have a privacy policy and display it prominently on their website. This policy must explain who you are, what personal data you collect, why you collect it and on what lawful basis, how long you keep it, who you share it with, and what rights individuals have over it (access, rectification, erasure and objection, among others). 

For example, if you encrypt data in transit or at rest, say so in your privacy policy. If all your employees are subject to police checks before commencing their employment, mention it. If you provide customer data to third parties such as hosting, analytics or email-marketing providers, name the categories of recipients. You get the idea.

Handling data 

servers locked behind metal frame door

There are a wide range of obligations for businesses when it comes to handling and managing customer data (Image credit: Unsplash)

The GDPR creates several obligations for businesses concerning their handling and management of customer data. A few of these are worth mentioning here. 

Firstly, organizations are required to protect personal data with security measures appropriate to the risk, and the GDPR names encryption and pseudonymisation explicitly as examples. Serving your whole site over HTTPS (TLS) is one of the easiest ways of protecting data in transit. Storing customer data encrypted with AES (Advanced Encryption Standard) 256-bit encryption is also recommended, with the keys kept separately from the data they protect. 

Secondly, personal data may only be transferred outside the European Economic Area to countries covered by an adequacy decision or under appropriate safeguards such as Standard Contractual Clauses; in practice the simplest route is to keep the data in Europe. Wherever your processors are, you remain responsible for them: every partner that handles customer data on your behalf needs a written data-processing agreement and must itself be GDPR compliant. 

Finally, the GDPR establishes a right to erasure, commonly called the right to be forgotten. Businesses must communicate this right to customers, either on their website or in their privacy policy. They must also provide a mechanism for permanently deleting all data identifying that particular customer, including copies held by their processors and in backups (or at least rendering those copies unrecoverable). The right is not absolute: data you are legally obliged to retain, such as tax records, is exempt, and your policy should say so. Significant penalties have already been issued for breaching this requirement.  

Following the advice contained in this article will help your website become GDPR compliant sooner. GDPR compliance can demonstrate to your customers that you are a responsible and reliable business, and may help you develop better relationships with them. 

When you add in the cost of not complying with the GDPR, there's no reason not to start becoming compliant today.