GDPR Compliance for Websites

Disclaimer: The information provided within this article does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way, is solely responsible for independently verifying the information and obtaining independent expert advice if required.

What Is GDPR and When Will It Come into Effect?

The new General Data Protection Regulation (GDPR) will come into effect on 25th May 2018, replacing the 1998 UK Data Protection Act. Its purpose is essentially to expand the rights of individuals over how their data is collected and processed, ultimately returning control to citizens over the use of their data.

Organisations will be held more accountable for data protection – how they hold and process consumer data. Consumers will also be given enhanced privacy protections, including the right to access data held about them and to have it permanently deleted upon request. Organisations will also be required to inform the Information Commissioner's Office (ICO) of any data breaches.

Understanding GDPR – The Terminology

What Is Personal Data?

In principle, personal data refers to any information which relates to an identifiable, living human being, and typically includes the following:

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour (cookies)
  • Profiling & analytics data
  • Race
  • Religion
  • Political opinions
  • Trade union membership
  • Sexual orientation
  • Health information
  • Biometric data
  • Genetic data

Organisations will need to establish if they are legally allowed to collect, hold or process data, where it is held and for what purposes.

What Is the Difference Between a Data Controller, Data Processor and a Data Subject?

A Data Controller is an entity which determines the means, conditions and purposes of the processing of personal data – in short, how the data is or will be used. The Data Processor is the entity which processes personal data on behalf of the controller – processing is obtaining, holding, recording or adapting personal data.

The Data Subject is a living individual whom the particular personal data is about.

Who Does GDPR Apply To?

GDPR applies to all UK organisations including public authorities, commercial businesses and charity organisations. It aims to introduce stronger consent requirements making organisations more accountable for data protection, i.e. how they hold and process consumer data. It also applies to all companies holding and processing personal data of Data Subjects residing in the EU, regardless of the company’s physical location.

GDPR and Brexit

The UK government has stated that it will comply with GDPR when it comes into effect on May 25th 2018 – compliance will not be affected by Brexit as GDPR will be assumed into UK law before exiting Europe.

GDPR Principles Relevant for Websites

Data Collection and Processing

Identify all of your Data Processors, which of them are Third Parties, and whether those Third Party processors are GDPR compliant.

Having identified all Data Processors, the next step is to establish whether you can answer the following questions about the data you store:

  • Are you legally allowed to collect this data?
  • Are the Data Subjects fully aware of what data is being collected and for what purposes?
  • What is the source of the data?
  • What are the categories of Data Subjects?
  • Does the nature of the data being collected fall into what is defined by GDPR as a special category of personal data?
  • Have the Data Subjects been clearly notified of their rights?
  • Where is the data being stored?
  • Is the data transferred to a country outside of the EU? If so, to which country is it transferred?
  • Do you need to keep the data? If so, for how long?
  • What is your organisation’s method of destruction of data after it has passed its retention date?


Ensure your organisation satisfies the high GDRP regulations regarding consent by addressing the following points taken from the ICO:

  • Ensure that consent is the most appropriate lawful basis for processing
  • The request for consent should be prominent and separate from your terms and conditions and privacy policy
  • Consent requires a positive opt in
  • Do not use pre-ticked boxes, or any other type of consent by default
  • Always use clear, plain language that is easy to understand
  • Specify why your organisation wants the data and what it intends to do with it
  • Use specific granular options to get separate consent for independent processing operations
  • Name any Third Party organisations which may rely on the consent
  • The process of withdrawal of consent must be straightforward, easily accessible and transparent
  • An individual must be able to refuse to consent without detriment
  • Consent should not be a precondition of a service
  • When offering online services directly to children, only seek consent if there are age-verification and parental-consent measures in place

Recording Consent

  • Ensure a record is kept of when and how consent was given from the individual
  • Keep a record of exactly what Data Subjects were told at the time

Managing Consent

  • Consent should be reviewed on a regular basis to check that the relationship, processing and the purposes have not changed
  • There should be processes in place to refresh consent at appropriate intervals, such as any parental consents
  • The use of privacy dashboards or other preference management tools is considered a matter of good practice
  • Withdrawing consent must be easy for individuals, and how to do so must be well publicised
  • Requests for withdrawals of consent must be acted on as soon as possible
  • Individuals who wish to withdraw consent must not be penalised

Data Protection Officer

  • Establish if your organisation requires a Data Protection Officer
  • If this role can be provided by an existing member of staff, the role must be fulfilled without interference from the demands of their existing role or by other members of staff

Breach of Data

  • A breach of data must be reported to the ICO within 72 hours of becoming aware of the breach
  • Individuals affected by the breach must be notified as soon as possible
  • Your organisation must have robust measures in place to recognise a personal data breach and a well-prepared response plan in place
  • A dedicated person or team should be allocated for the responsibility of breach management

Penalties for Non-Compliance

  • Organisations which do not comply with the new GDPR regulations can expect to see a substantial increase in fines
  • The maximum fine will be 4% of an organisation’s gross global revenue or €20 million, whichever figure is greater
  • Organisations with measures in place to comply with GDPR can expect considerably lower fines

Digital Marketing and GDPR

The ICO have highlighted the following points as key changes regarding consent – all of which need to be integrated into your digital marketing campaign.

Active opt-in – the use of pre-ticked boxes will no longer be acceptable. Users will be required to actively opt-in via means of a tick box, slider or similar methods.

Unbundled – Requests for consent must be separate from other terms & conditions

Opt out option – Users have the right to withdraw consent at any time, this should be made easy and straightforward

Granular – Granular options should be available wherever possible, in order for users to consent separately for different types of processing

Named – Your organisation must be clearly named, as well as any third parties such as Google Analytics or Mailchimp

Recording consent – A record must be kept of exactly how your organisation obtained consent and for what purposes

How to Comply – Suggested Best Practices for Websites

Email Marketing – Gaining Consent to Send

If your organisation wants to send marketing emails, it must have consent. The request for consent should be clearly labelled, and it should be made clear that email marketing is optional. It will also require the user to actively opt in. Additional consent will be required for the use of Third Party email marketing services such as Mailchimp or Campaign Monitor. For example:

[Image: Email Signup form]

Website Registration Forms

If your organisation requires users to register to use your services, consent will be required. The following form asks the user to actively opt in and to read through the terms & conditions; the two are “unbundled”. Registration will not be possible without an active opt-in. For example:

[Image: Website Registration form]

Email Marketing – Double Opt-In

Regardless of the method of email marketing signup, it is recommended to use double opt-in for email marketing purposes. A double opt-in process requires the user to fill out an initial consent form, which upon completion generates an auto-response email asking the user to confirm that he/she actively joined your email list.

[Image: Double Opt-in confirmation email]

Ecommerce Websites and Data Collection

If you run an ecommerce website, you are likely to be using an external payment gateway for any transactional information. However, if your website is collecting personal information such as name, email address, phone number and delivery address, then new processes will need to be put into place.

There are often two ways users can complete a transaction on a website:

1. A user has consented to register to your website and has an account with you
2. A user can checkout as a guest

If you offer a guest checkout, and a Data Subject doesn’t have an account on your website, then you will need to modify your processes to remove any personal information after a reasonable period, for example, 60 days. GDPR legislation is not explicit about the set number of days, and it is down to you to define what is reasonable and necessary. This change will generally require development to be carried out on your website to ensure that guest accounts are removed on a regular daily cycle, as per your policy – Siruss can advise on the requirements for this irrespective of your ecommerce platform.
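The consent-recording points above (when and how consent was given, and exactly what the subject was told), the double opt-in flow and the daily guest-data purge described in this section, as an added Python example that is not part of the original article or any Siruss code. The 60-day retention period and the Mailchimp purpose label come from the article; the class and function names, the token scheme and the sample order records are assumptions made for the example.

```python
# Added example, not from the article: a consent ledger that records when/how consent was
# given and what the subject was told, enforces double opt-in, and purges stale guest data.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    email: str
    purpose: str            # one granular purpose, naming any third party, e.g. "marketing via Mailchimp"
    notice_text: str        # exactly what the Data Subject was told at the time
    method: str             # how consent was given, e.g. "unticked checkbox on signup form"
    requested_at: datetime
    token_hash: str         # only the hash of the emailed confirmation token is stored
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
    def request(self, email: str, purpose: str, notice_text: str, method: str, now: datetime) -> str:
        """Double opt-in step 1: record the request; return the token to put in the confirmation email."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.records.append(ConsentRecord(email, purpose, notice_text, method, now, digest))
        return token
    def confirm(self, token: str, now: datetime) -> bool:
        """Double opt-in step 2: the emailed link is clicked; only now does consent become active."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        for rec in self.records:
            if rec.token_hash == digest and rec.confirmed_at is None and rec.withdrawn_at is None:
                rec.confirmed_at = now
                return True
        return False          # unknown, already used, or withdrawn token
    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        """Opt-out: withdrawing must be as easy as consenting, so no token is required."""
        for rec in self.records:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
    def may_process(self, email: str, purpose: str) -> bool:
        """Check before every send: confirmed, not withdrawn, for this exact purpose only."""
        return any(r.email == email and r.purpose == purpose and r.confirmed_at is not None
                   and r.withdrawn_at is None for r in self.records)

def purge_expired_guests(guest_orders: list[dict], now: datetime, retention_days: int = 60) -> list[dict]:
    """Daily job: drop guest-checkout records whose personal data is past the retention period."""
    cutoff = now - timedelta(days=retention_days)
    return [o for o in guest_orders if o["created_at"] >= cutoff]
```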

In light of the compliance suggestions for both consenting registrants and guests, it may be worth considering that a visitor to your ecommerce store should not be allowed to check out at all until they have ticked a checkbox confirming they have understood your privacy policy and terms and conditions.

Ecommerce Websites and Email Consent at Checkout

It is common practice to have a checkbox in the checkout where users can opt-in to email marketing. As with the Website Registration Forms example above, the terms and conditions and email opt-in have to be “unbundled” and boxes cannot be pre-checked. Depending on your e-commerce platform, this may require additional development to be implemented.

The Right to Withdraw/Remove Data

Users have the right to withdraw consent, unsubscribe from any particular service and request that their personal data be deleted. Your organisation should have a process in place which makes this simple and straightforward. Providing your clients with a dedicated opt-out page, with granular options so the user can opt out of individual services should they wish, is an effective way of addressing this concern. The ability to opt out should be easily accessible via a clearly visible link, such as in the footer of your website and in any email marketing.

Editing Personal Details – The Right to Rectification

In some cases, a user may wish to edit or rectify the data an organisation holds about them – a clear and simple process should be in place ideally with the use of a contact form.

Refreshing Consent

It is good practice to keep consent refreshed and up to date. This also provides the user with the opportunity to update their information or withdraw consent should they wish to. For example:

[Image: Consent refresh email]

Google Analytics and GDPR

Google have a privacy compliance section, with reference to GDPR here:

They’re currently working on GDPR compliance, but other information is sparse at this stage.

While their information doesn’t focus specifically on their Analytics software, it is an anonymous tracking system which is likely not to be impacted by GDPR. It is wise to reference Google Analytics in your Privacy Policy if you don’t already.

Update Your Privacy Policy To Incorporate GDPR Requirements

Your organisation’s Privacy Policy is the best place to disclose all required information regarding data collection and storage, stating how personal data will be stored, for what length of time and exactly how it will be used. Every purpose of usage of personal data collected from your users should be identified, described and justified within the privacy policy.

The Use of Third Party Providers

Users must also consent to the use of, or collection of their data by any Third Party providers. Separate consent should be given for each Third Party, in the case of more than one.

Your organisation is responsible for actions taken by any Third Party providers – it is important to identify all Third Party providers, understand what data they collect, store and process and if they are GDPR compliant.

What Must Be Included

The following table taken from the ICO website, illustrates what needs to be included in your privacy policy – more information can be found at:

What information must be supplied? The ICO table lists each item against two columns: data obtained directly from the Data Subject, and data not obtained directly from the Data Subject.

  • Identity and contact details of the controller and, where applicable, the controller’s representative and the data protection officer.
  • Purpose of the processing and the legal basis for the processing.
  • The legitimate interests of the controller or Third Party, where applicable.
  • Categories of personal data.
  • Any recipient or categories of recipients of the personal data.
  • Details of transfers to third countries and safeguards.
  • Retention period or criteria used to determine the retention period.
  • The existence of each Data Subject’s rights.
  • The right to withdraw consent at any time, where relevant.
  • The right to lodge a complaint with a supervisory authority.
  • The source the personal data originates from and whether it came from publicly accessible sources.
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the correct personal data.
  • The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences.

When should information be provided?

  • At the time the data are obtained.
  • Within a reasonable period of having obtained the data (within one month).
  • If the data are used to communicate with the individual, at the latest when the first communication takes place; or
  • If disclosure to another recipient is envisaged, at the latest before the data is disclosed.

Terms & Conditions

Terms & Conditions should be a separate document away from the Privacy Policy and may also require reviewing.

Examples of What Not to Do

The ICO has compiled a document citing examples of good and bad privacy notices. This is available to all organisations for reference purposes.

Siruss Can Help Your Business

Please get in touch today, and we can help you with your website’s compliance. The Siruss development team can work with your organisation to help prepare it for GDPR by creating consent forms, a specific opt-out page, parental controls and adapting your website to highlight the options for consent and withdrawal of consent to suit your organisation’s requirements.