
Commercial growth through creating thinking - SUM.AGENCY


What does a website need to be GDPR compliant?

May has arrived, bringing bank holidays galore, the royal wedding and new data regulations in the form of the GDPR!


The General Data Protection Regulation (GDPR) is coming into effect on the 25th of May, aiming to strengthen and provide structure to data protection within the European Union. The current regulation was put in place in 1995, so it is extremely out of date, especially since 1995 was pre-social media!


Data privacy is the buzzword surrounding GDPR. Consumers must be able to easily access:

  • The purpose for which their data is collected
  • Their privacy rights
  • The way in which their data will be used, stored and retained.


The GDPR will allow consumers much more control over their data and will give businesses strict boundaries they must adhere to.


Websites are significant gatherers of data; fundamentally, data is what fuels them! That’s why, when GDPR comes into play, your website might be what catches you out if you are not correctly gathering and storing the data it generates.


Our website designs aren’t just pretty on the outside. Our web developers are working to ensure all of our clients’ websites are fully GDPR compliant, as well as being beautifully designed! There are 14 things a website needs to be GDPR compliant, from cookies to pseudonymisation. Sound complicated? Let us make it simple for you.


Here’s our 14-step GDPR website checklist!

Cookie policy

A page on your website that states what cookies are used on the site (both your own and those from third parties), what data you capture with them and what you do with that data.

Cookie & privacy popup notice

You don’t need to have one, but you do need to state what cookies are used and what the privacy policy is at the first point of arriving at the website – so a pop up is the most logical and well-established solution. It needs to state that cookies are used on the site and that the user needs to agree to the use of the data as set out in the privacy and cookie policy.

Privacy policy

A privacy policy is a more thorough document: the website owner’s full statement of what data is captured, when it is captured, what the data is used for, the third party’s details and the process, and the DPO’s details, as well as the process by which users can request their details and request that they be permanently deleted.

SSL certificate

A Secure Sockets Layer (SSL) certificate is installed on the hosting space of your website and enables encrypted connections to it. It’s the thing that makes the browser bar display a secure notice, sometimes go green and show a padlock symbol. The purpose is to encrypt all the details that are entered into any forms or fields on a website as they are sent from the visitor’s browser to the site.

Pseudonymisation or anonymisation

As part of GDPR, ‘pseudonymisation’ means that websites will need to start moving towards users being identified by a username only, with the rest of the data encrypted so that there is no possible connection between the user and the stored details. You will need to speak to a web developer about planning this change, as it will take time and planning and will require a budget.
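One way to realise the separation described above, shown as an added Node.js example that is not code from this article or from the agency: application data is keyed by a pseudonym, and the identifying fields are kept encrypted in a separate record. The function names, the in-process key generation and the sample signup are all assumptions made for illustration.

```javascript
// Added illustration (Node.js). All names and the sample signup are constructed.
const crypto = require('node:crypto');

// Assumption: in a real deployment these two secrets come from a secrets
// manager and are stored apart from the database. Generated here to run offline.
const PSEUDONYM_KEY = crypto.randomBytes(32); // keys the HMAC that derives pseudonyms
const VAULT_KEY = crypto.randomBytes(32);     // AES-256-GCM key for identifying fields

// Stable pseudonym for an e-mail address. A keyed HMAC, unlike a plain hash,
// cannot be recomputed from guessed addresses by someone without the key.
function pseudonymFor(email) {
  return crypto.createHmac('sha256', PSEUDONYM_KEY)
    .update(email.trim().toLowerCase())
    .digest('hex')
    .slice(0, 32);
}

// Encrypt identifying fields; the pseudonym is bound in as associated data so
// a ciphertext cannot be moved onto another user's record unnoticed.
function encryptFields(fields, pseudonym) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', VAULT_KEY, iv);
  cipher.setAAD(Buffer.from(pseudonym));
  const ct = Buffer.concat([cipher.update(JSON.stringify(fields), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptFields(blob, pseudonym) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', VAULT_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(pseudonym));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Split a signup into a vault row (encrypted identity) and an application row
// that carries only the pseudonym and non-identifying data.
function pseudonymiseSignup({ email, name, ...rest }) {
  const pseudonym = pseudonymFor(email);
  return {
    vaultRow: { pseudonym, identity: encryptFields({ email, name }, pseudonym) },
    appRow: { user: pseudonym, ...rest },
  };
}

// Constructed sample input.
const sample = pseudonymiseSignup({ email: 'Alice@Example.test', name: 'Alice Example', plan: 'monthly' });
console.log(sample.appRow);
```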

Newsletter signups

If you have the facility for users to sign up on your website to receive a newsletter from you, whether you send that out one at a time from your desktop email app or from a system like Mailchimp etc, you need to make sure the tick box that handles this subscription is set so the user has to OPT-IN and not opt out.

User account creation

If your website is an eCommerce site or allows a user to set up an account for access to services behind a login area, you will need to ensure that you have both the SSL certificate installed and also work towards the data being stored using pseudonyms.

Payment gateways

If you have an eCommerce website and use one of the popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that the payment gateway privacy policies are checked and referenced in your own privacy policy. If they are UK (or European) based, they will need to be GDPR compliant; if US-based, Privacy Shield compliant.

Enquiry & contact form

If your website has an enquiry form for people to send you messages, you need to ensure GDPR is adhered to strictly, as the data submitted is high risk. Skilled web developers can help you with this.

Live chats

If you have a live chat service on your website, you need to make sure that you refer to this third-party service in your cookie policy and privacy policy and that you review their GDPR/Privacy Shield policy. You may think the data isn’t being stored anywhere, but it is – very often the transcript of the chat is emailed to both parties once completed.

Connected email

Whilst not strictly website-related, all email services, and the email you hold from everyone with whom you are connected, must be stored in accordance with DPA (Data Protection Act) & GDPR guidelines. In short, make sure you store your email data securely, use good anti-virus applications and archive and delete unnecessary email completely. Also, have a Data Retention policy – a statement your organisation follows that sets out how you store data and for how long before it is deleted.

Social media account connection

Using social media sites for your organisation also falls under GDPR. Whilst you do not need to seek permission from each person who ‘likes’ your page or ‘follows’ you, you do need to ensure that any information gathered directly from people with whom you interact on these sites is handled in accordance with the GDPR privacy guidelines.

Google Analytics and tracking

If you run Google Analytics on your site (or any other tracking service), you will need to make sure that it is referred to in the cookie policy and the privacy policy, and that you check the third party’s own privacy policy to ensure they comply. You must enable the anonymisation option in Google Analytics to properly conform to GDPR.

CRM connection

If your website captures users’ data and then writes it into a CRM, such as Salesforce or Pardot, you need to make sure that the data collection process is secure and that you refer to the third-party service in your privacy policy. Users have the legal right to ask you where and when you captured their details and how the data is used.


Failing to comply with GDPR could be very costly, and it is expected that a large corporation will be made an example of just to prove this. Fines for not adhering to the GDPR can be up to €20 million or 4% of annual global turnover (whichever is greater). That’s why it’s important to act now.


Get in touch with us if you’d like us to run a free, super quick GDPR check on your website or if you have any questions.