How to Make a GDPR Compliant Website

If EU residents can access your website, and your website is used to collect some of their personal information including IP addresses, it must be GDPR compliant. If it is not yet GDPR compliant, you could be at risk of a sizable financial penalty.

The primary goal of GDPR is to safeguard the rights and freedoms of residents of the EU and to provide them with more control over how their personal information can be used.

In the last two years, a lot of businesses had been figuring out how GDPR impacts websites but many businesses are still unsure about the steps required to make a website GDPR compliant. Some website owners have done nothing to make their websites GDPR compliant.

Website owners who have not made their websites GDPR compliant could face substantial financial penalties. The maximum fine for not complying with the GDPR is €20 million or 4% of global annual turnover (whichever is higher). Therefore noncompliance truly is not an option.

What should website owners do to make their websites GDPR compliant?

The primary requirement for a GDPR compliant website is to obtain consent before any personal information is collected or processed. If consent is not obtaioned, personal data cannot be collected or used.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Although the majority of website owners make clear in a privacy policy how personal data are collected and processed, that is not enough under the GDPR. For instance, while it was possible to state that continued use of a website constitutes consent, that is no longer acceptable.

Permission should now be clearly given by means of an obvious, decisive action. If your website doesn’t record any personal information (which includes IP addresses) and doesn’t use cookies, contact forms or newsletters subscriptions, you don’t need to do anything regarding GDPR compliance. All other websites require consent to be obtained.

Under the GDPR, using pre-checked boxes for getting consent to gather and process personal information is not acceptable. Users need to give clear permission. If check boxes are utilized, users should manually check them as part of the consent process.

Consent forms must be clear and should explain in easy-to-understand language how information is collected and used. Website users should know how long the owners will keep their personal data and to whom the data will be disclosed. The exact data types that are collected through the website should be explained, including if the website uses cookies.

Website owners need to make a decision about the types of data collected and whether that information is necessary to carry out the tasks for which the information is being recorded. The collected or processed data should be the minimum required to accomplish the purpose for which data is collected. GDPR additionally calls for all personal information to be secured, so data encryption should be considered.

When a website uses any sort of analytics program like Google Analytics, it is the website owners responsibility to make sure that is covered in the privacy policy and that the analytics program is GDPR compliant. If tracking data is used, an the information can be used to identify a person, from their IP address for instance, consent is required.

It is essential that a site owners’ contact information is up-to-date so that website visitors can exercise their GDPR rights and freedoms. Visitors who wish to request a copy of their collected and processed data, exercise their right to be forgotten, or check the accuracy of their personal data must be able to easily contact the site owner.

In case a website visitor wants to exercise the right to be forgotten, a mechanism should exist to allow that process to happen automatically. Manually performing this task will be time consuming, particularly if many requests are received.

Website owners are responsible for learning about GDPR Rules and making their websites GDPR compliant. If you own or run a website, you should be familiar with GDPR requirements, must ensure permission is acquired prior to collecting and processing personal data, you should make sure that all collected and processed information is secured, and that you are able to honor data subjects’ rights and freedoms. You must likewise create policies and procedures for dealing with data breaches. In case of a breach, the Supervisory Authority should be informed within 72 hours.