header strip image

Your Website and GDPR Compliance


By now you are probably aware that European Union is rolling out the GDPR (General Data Protection Regulation) on 25th May 2018.

The goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.

In a nutshell, GDPR states that if a website collects, stores or uses any data related to an EU citizen, you must comply with the following:

  • Tell the user: who you are, why you are collecting the data (for what purpose), how long you are going to store it and who receives it.
  • Get a clear consent, before collecting any data
  • Let users access their data and correct it if it is incorrect
  • Let users delete their data or take it with them
  • Let users request that you stop processing their data
  • Let users know if data breaches occur

You, as a Data Controller, also have an obligation to keep the data safe. This means you need to ensure that any communication between the web server and a browser is via a Secure Socket Layer (in layman terms you need to have an SSL certificate installed on your site).


Do you REALLY need to be GDPR Compliant?

If people from European union can visit and interact with your site (e.g. post comments on your blog, subscribe to a newsletter, share your content to social media, place orders, send enquiries or contact you via an online form, you need to be compliant.

If your site makes use of any cookies or has any 3rd party integrations that use cookies (Facebook pixel, Google Analytics etc.), you need to be compliant. It doesn’t matter whether you sell anything to EU or not. If people from any EU country can access your website, you have to be compliant.

GDPR does not require you to be a European citizen, or for you to be a European based business to find you guilty and impose a violation.They can do it even if you’re located across the Pacific ocean and have absolutely no care what’s happening in France. If people from the EU can surf your site, you are liable to adhere to GDPR rules.


The Consequences of  your website not being GDPR Compliant

  • A fine of up to €20 Million or 4% of your global revenue. Whichever is the GREATER!
  • Not being able to sell to customers from EU or serve them in any other way.
  • Not being able to monetize EU based customers through ads or other means.
  • Severe legal costs and hassles that will stop you from focusing on your business.


Website Owner Obligations to ensure GDPR Compliance

  1. SSL Certificates.

    SSL Certificates are not an optional extra. If you have a contact form on your site, or a clickable email address, or someone can leave a comment, download content or place an order, you absolutely have to have an SSL certificate.  If your website does not have a https:// in the URL or there is no green padlock, then the connection to your website is not secure.

  2. Forms

    All forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

  3. When sending out email

    When sending out email (as a newsletter, or as a purchase confirmation etc), you need to include information on why you are emailing them, how you got their data and provide them with an unsubscribe option and “forget me ” option. Email-optout is not enough in GDPR you also need to give people a way on your website to opt-out of future emails.

  4. Sharing Data

    If you share data with anyone you need to tell the owners of the data and ask for their consent.

  5. Privacy Policy

    You need to have a published Privacy Policy and keep it updated to make sure it is GDPR compliant. The Privacy Policy needs to follow GDPR rules. The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.

  6. Terms & Conditions

    You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.

    You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

  7. Online Payments

    If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway e.g. to send emails with additional offers.

    If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.

  8. Third Party Tracking Software

    Things now start to get tricky when it comes to third-party tracking software.

    Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so I believe GDPR does not impact on its usage.

    If you use other third-party marketing automation software solutions e.g. lead tracking applications like Lead Forensics, Leadfeeder or CANDDI, you need to ensure that their software is GDPR compliant.

    Your cookie policy needs to inform the visitors that you are collecting cookies, what types of cookies you are collecting and how is this information used.

  9. And Finally…

    It Isn’t Only Your Website That Needs to Be GDPR Compliant. The changes being introduced with GDPR will permeate your entire business, but in this series of articles, we are focusing purely on your digital marketing.

Planning your GDPR compliance strategy

As you start planning the detail of your website, you will uncover a Pandora’s Box of issues you will need to consider, but here are a few key questions to be considering now as we approach the May deadline:

  • You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
  • Even if you do not collect and store personal data yourself the onus is on you to ensure that any data that is passed to you some from a compliant source and if you pass data on that the receiver is also compliant.

As all businesses are different the previous point should be regarded as guidelines on the things you need to be aware of and not as instructions.

Not sure what to do next? Then give us a call and we can help you make your website GDPR-compliant?

The price starts from €199 plus VAT and that includes a number of very important things:

  • We conduct a full audit of your website including, cookies, plugins, contact forms, subscription fields, comments, user data currently stored on the site, privacy policy, terms of use,  data security to identify what needs to be changed.
  • We then implement the changes identified by the audit and let you know what kind of personal data is being collected through the website, how it is being used and how long it can be kept for.
  • If need be, we supply a suite of GDPR-compliant documentation for you to use (Privacy Policy & Terms of Use, Cookie Policy)
  • If you don’t have an SSL certificate as yet on your website, we install it for you to ensure your website, customer data and emails are protected and secure at all times (optional service priced separately – from €50 depending on the complexity of your site.
  • We provide you with a mechanism to keep track of, correct or delete any type of personal data you may have stored on your website. This includes client subscriptions, past orders, blog comments or testimonials which include personal details.
  • Provide you with a mechanism to notify your users if a data breach occurrs.
  • We refer you to our legal partner to ensure that your Privacy Policy, Terms & Conditions and Third Party contracts comply with GDPR (may be required if you use Data Processors such as Lead Forensics, HootSuite etc and have a bit of traffic on your website).


Contact Details


090 975 9542

“Highly experienced in business coaching Joanna adds the invaluable qualities of a committed manager to her professional skills. She simply loves her work. Available day and night if needed in a critical moment of development or deadlines, just recently Joanna proved once again to be an outstanding business partner for me. I wonder if there is another service provider out there like her. She delivered a great website, coaching me through the pr… Read more Aglae Hagg-Thun