
Why it's important to make sure your website is GDPR compliant

General Data Protection Regulation (GDPR) is a data privacy law which came into the EU in May 2018. It impacts any business website that collects personal data on EU citizens.

Businesses must comply with it, otherwise they could be hit with huge fines and/or lawsuits.

Ultimately, every single business must tell its users about the data it is collecting on them – being GDPR compliant helps protect users’ data. 

Understanding the law and knowing what you need to do to make your business’s website compliant can feel daunting – here we outline why it is so vital and how you can easily comply. 

What is GDPR? 

GDPR is an EU regulation designed to protect the privacy of all EU citizens, including how data is collected from, and used about, users who visit a website.

Since any website could receive visitors from the EU, every site should be thinking about compliance.

What is meant by ‘personal data’? 

What constitutes personal data is not just the obvious details. As a rule, it is any information that relates to an identified or identifiable individual. 

The list below exemplifies what this could entail, but it is non-exhaustive: 

  • Name;
  • Identification number;
  • Location data;
  • An online identifier, such as an IP address or cookie identifiers.

Information that is truly anonymous is not covered by UK GDPR. 

What about UK GDPR? 

The Data Protection Act 2018 relates to the UK’s implementation of GDPR.  

As set out by the UK Government, everyone who uses personal data must comply with ‘data protection principles’. This means information is: 

  • used fairly, lawfully and transparently.
  • used for specified, explicit purposes.
  • used in a way that is adequate, relevant and limited to only what is necessary.
  • accurate and, where necessary, kept up to date.
  • kept for no longer than is necessary.
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage. 

GDPR and websites 

The GDPR law is very detailed, but there are some key features that businesses need to take note of regarding their websites. Websites must:

  1. Disclose they are collecting personal data from users. 
  2. Be able to provide users with a portable copy of the data collected about them if they ask.
  3. Erase users’ data if they ask. 
  4. Tell users why, how and where their data is stored. 
  5. Ensure they have a data protection officer if the business has core activities that include personal data collection. 

Businesses must also make sure they report any serious data breaches within 72 hours of the breach.

What happens if you aren’t compliant? 

If your website does not comply with GDPR laws when it is meant to, you could be fined up to 20 million euros or 4% of your global turnover. 

You may have seen the news when big businesses like Yahoo and Uber had serious data breaches. In 2016, for instance, Yahoo was impacted by a data breach in which the data of 500 million accounts was compromised. 

How to make your website GDPR compliant 

There are lots of factors involved with making sure your website is GDPR compliant – and lots of different areas to address – so it may be best to seek legal advice from a lawyer who knows GDPR well.  

But there are a number of actions you can easily take to make sure you are compliant:

  • List all your data collection points 

To start off, go through and list all the data collection points on your website. These may include a registration page, a checkout page, IP addresses and many others. 

  • Update your WordPress version 

If you use WordPress for your website, you’re in luck, because it has GDPR compliance tools built into its design.

You need to make sure you update your WordPress version to 4.9.6 or higher, because it has these built-in privacy settings, including new data export and erase features, a policy generator and the ability to get explicit consent in comments.

  • HTTPS 

You should also encrypt traffic on your website as a way of being GDPR compliant, which means serving your site over HTTPS so that its address begins with https://. If users can see the https, they naturally trust a site more.

  • Add a cookies notice 

You must explicitly notify users that your website is setting cookies.

Do this with an overlay, for example one provided by a cookie notification plugin.

  • Contact forms 

Users must be informed that your website will collect their personal data when they use forms on your site, such as contact forms, opt-in forms and registration forms.  

The best way to do this is to add a tick box that users click to accept your terms of service.

You need to add another, separate tick box covering whether you will send them marketing communications.

You must then ensure your terms of service are detailed and up-to-date. 

  • Third party plugins and services 

It’s crucial not to forget third party plugins or services you have on your website, for example Google AdWords and Google Analytics.

For these, you’ll need to anonymise the data collected before it is stored and processed.

  • Policy updates or data breach  

It’s important to have a system to be able to tell users about any data breaches and policy updates on your website.  

You could do this via a GDPR compliance plugin, as well as sending an email out to users updating them about policy changes.  
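As an added example that is not from the original article or from any named plugin, the following JavaScript models the cookie-consent, form-consent and analytics-anonymisation steps above in one place: nothing non-essential is set until the visitor explicitly opts in, the terms and marketing tick boxes are validated separately, and an IP address is truncated before an event goes to a third-party service. The cookie names, form field names and function names are this example's own assumptions; the `_ga` and `_gcl` prefixes are the real Google Analytics and Google Ads cookie prefixes, but the gating rules around them are illustrative.

```javascript
// Added example (not from the original article): a framework-free model of
// consent handling for a website. Names such as ESSENTIAL_COOKIES,
// recordConsent and anonymiseIp are this example's own, not a library's API.

// Cookies the site cannot function without; everything else is optional and
// needs explicit consent before it is set. Names are constructed for the example.
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token']);

// A fresh visitor has consented to nothing: no pre-ticked boxes, no implied consent.
function newConsentRecord() {
  return { analytics: false, marketing: false, givenAt: null };
}

// Record an explicit choice. Only literal booleans are accepted, so an
// unchecked box (undefined) or a raw form value like "on" can never count as consent.
function recordConsent(record, choices, now = new Date()) {
  const next = { ...record };
  for (const key of ['analytics', 'marketing']) {
    if (key in choices) {
      if (typeof choices[key] !== 'boolean') throw new TypeError(`${key} must be true or false`);
      next[key] = choices[key];
    }
  }
  next.givenAt = now.toISOString(); // keep evidence of when consent was given
  return next;
}

// Decide whether a cookie may be set under the current consent record.
function isCookieAllowed(record, cookieName) {
  if (ESSENTIAL_COOKIES.has(cookieName)) return true;
  if (cookieName.startsWith('_ga')) return record.analytics;   // Google Analytics cookies
  if (cookieName.startsWith('_gcl')) return record.marketing;  // Google Ads cookies
  return false; // anything unknown is treated as non-essential and blocked
}

// Validate a contact or registration form submission. Accepting the terms must be
// an explicit true; the marketing box is a separate, optional choice and is never
// bundled into the terms tick. Field names are this example's assumption.
function validateConsentForm(submission) {
  const errors = [];
  if (submission.acceptTerms !== true) {
    errors.push('You must tick the box to accept the terms of service.');
  }
  if ('marketingOptIn' in submission && typeof submission.marketingOptIn !== 'boolean') {
    errors.push('Marketing preference must be an explicit yes or no.');
  }
  return { ok: errors.length === 0, errors, marketingOptIn: submission.marketingOptIn === true };
}

// Truncate an IP address before it is stored or sent to a third-party service:
// IPv4 keeps the first three octets, IPv6 keeps the first 48 bits (three groups).
// Returns null for anything that is not a well-formed address.
function anonymiseIp(ip) {
  const v4 = ip.split('.');
  if (v4.length === 4 && v4.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  }
  if (ip.includes(':')) {
    const parts = ip.split('::');
    if (parts.length > 2) return null; // at most one "::" gap is allowed
    const hasGap = parts.length === 2;
    const l = parts[0] ? parts[0].split(':') : [];
    const r = hasGap && parts[1] ? parts[1].split(':') : [];
    if (!hasGap && l.length !== 8) return null;
    if (l.length + r.length > 8) return null;
    const groups = [...l, ...Array(8 - l.length - r.length).fill('0'), ...r];
    if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
    return `${groups.slice(0, 3).join(':').toLowerCase()}::`;
  }
  return null;
}

// Prepare an analytics event for a third-party service: drop it entirely without
// consent, otherwise strip identifying fields and truncate the IP first.
function prepareAnalyticsEvent(record, event) {
  if (!record.analytics) return null;
  const { ip, email: _neverShared, ...rest } = event; // email never leaves the site
  return { ...rest, ip: anonymiseIp(ip) };
}

// Usage with a constructed visitor session.
let consent = newConsentRecord();
console.log(isCookieAllowed(consent, '_ga')); // false until the visitor opts in
consent = recordConsent(consent, { analytics: true, marketing: false });
console.log(prepareAnalyticsEvent(consent, { ip: '203.0.113.77', page: '/checkout', email: 'a@example.com' }));
```

The point of keeping consent as data (`recordConsent`) rather than as a cookie banner alone is that every later decision, whether to set a cookie or to forward an event, can be checked against one record with a timestamp, which is also what you need when a user asks what you hold about them or asks for it to be erased.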

Summing up 

While complying with GDPR law can be painted as extra work for no reason, it is ultimately beneficial to your business to make sure you’re compliant.  

At its core, the law exists to prevent data breaches and, most importantly, to make sure people’s personal data is not misused.
