How to Make Your Website GDPR Compliant

Just to let you know: This article contains an affiliate link. Purchasing via this link won't cost you any more, but we'll make a small commission for referring you. Also, a brief disclaimer: The information in this article is given as a guide only. We are not legal professionals and nothing we publish should be taken as a substitute for legal advice from a qualified expert.

With the European Union's General Data Protection Regulation (GDPR) having come into force in May 2018, businesses around the world are expected to comply with strict data protection laws. The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR following the United Kingdom's departure from the EU.

In this guide, we will cover everything you need to know about website GDPR compliance, including what GDPR is, who it affects, and how to make sure your business website is GDPR compliant.

What is GDPR?

The EU General Data Protection Regulation (EU GDPR) is a set of data protection laws that aim to protect the personal data of EU citizens and give them greater control over their data. The GDPR applies to any business or organisation that processes the personal data of EU citizens, regardless of where that organisation is based. This includes businesses of all sizes, from small start-ups to multinational corporations. If your business processes any personal data of EU citizens, it is your responsibility to ensure that you're doing so in a way that's GDPR compliant.

The UK GDPR is the UK's version of the EU GDPR, which came into effect on May 25, 2018. The UK GDPR applies to all organisations that process personal data of UK citizens, regardless of where the organisation is located. The UK GDPR is similar to the EU GDPR, but there are some differences that businesses in the UK need to be aware of.

One of the main differences between the UK GDPR and the EU GDPR is that the UK GDPR allows for some flexibility in certain areas. For example, the UK GDPR allows organisations to appoint a representative in the UK instead of the EU, and it allows for some exemptions for certain types of data processing.

To ensure UK GDPR compliance for websites, organisations must follow the guidelines and requirements outlined in the UK GDPR. Some key aspects include obtaining consent for data processing, ensuring data accuracy, limiting data storage, and implementing appropriate security measures to protect personal data. Certain organisations must also appoint a Data Protection Officer (DPO) to oversee UK GDPR compliance¹.

Organisations must obtain explicit consent from individuals for data processing, and the consent must be freely given, specific, informed, and unambiguous. Organisations must also provide individuals with the right to access, rectify, and erase their personal data. In addition, organisations must report data breaches to the relevant authorities within 72 hours of becoming aware of the breach.

Organisations must also ensure that their use of cookies complies with UK GDPR. Cookies are small text files that are stored on a user's device when they visit a website. Organisations must obtain consent from users before using cookies, and the consent must be freely given, specific, informed, and unambiguous.

To ensure compliance with the UK GDPR, organisations must follow these seven key principles²:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

The Data Protection Act (2018) is the UK’s implementation of the General Data Protection Regulation (GDPR). It outlines the rights and responsibilities of individuals and organisations with regard to the collection, use and storage of personal data online. This includes storing people's names and contact details so you can reply when they contact you, but it also includes things like their IP address, device type and browser, which are stored and tracked by cookies used by third-party analytics tools such as Google Analytics³.

According to itgovernance.co.uk, "all organisations in the UK that process personal data must comply with the UK GDPR and Data Protection Act or risk fines of up to £17.5 million or 4% of annual global turnover – whichever is greater."

Does the EU GDPR still apply in the UK?

"Organisations that offer products or services to the EU, or monitor EU residents’ behaviour, are still bound by it, and risk fines of up to €20 million or 4% of annual global turnover – whichever is greater – for breaches."⁴

How to make your business website GDPR compliant

Making sure your business and website is GDPR compliant is a process that requires a thorough understanding of the regulation and its requirements. Here are some key steps you can take to become GDPR compliant:

Conduct a data audit: This involves identifying all the personal data that your business processes, where it comes from, and who it is shared with.

Update your privacy policy: Your privacy policy must be updated to reflect GDPR requirements, including details on how personal data is collected, stored, and processed.

Obtain consent: GDPR requires that you obtain explicit consent from individuals before processing their personal data.

Implement data security measures: GDPR requires that you implement appropriate technical and organisational measures to protect personal data from unauthorised access or theft.

Appoint a data protection officer: If your business processes a large amount of personal data, you may be required to appoint a data protection officer (DPO) to oversee GDPR compliance.

But how!? How can I obtain consent and generate a GDPR compliant privacy policy?

Here at Bigwheel Web Design, we were using legal document generators that are pricey and time-consuming to provide clients with a draft version of the documents they need to be legally compliant. This meant we were paying for a monthly subscription and spending hours checking which cookies were in use on our clients' websites, looking up what each of them does and why, and then putting all of this data into a neat little table in their website Privacy Policy.

Surely there was a way to auto-detect cookies and display the same table but without all the fuss! We needed a better solution and we found one that you can also use to make your website GDPR and Data Protection Act compliant! Install CookieYes for free, run a cookie scan on your site, fill in a few details and get GDPR compliant within minutes! You can display a cookie consent opt-in banner and get an even better version of the documents that were taking us hours to produce! It's a quick and easy solution for generating your policy documents and allowing your website users to explicitly opt-in or manage their cookie preferences, but remember - it's not fool-proof! It's your responsibility to fill out your details correctly and to get your documents reviewed by a legal professional to ensure compliance!

If you're still not sure what to do, all of our web design packages include a free tier CookieYes set up and we'll generate the policies for you.

CookieYes has amassed a user base of over 1.3 million since it was founded in 2018 and is trusted by big-name brands such as Toyota, Renault, KFC and Domino's. It's free up to 25,000 page views per month and 100 pages per cookie scan, with paid plans ranging from just $10 USD per domain per month up to $40 USD per domain per month. You only need a paid plan if you have more pages or get more traffic than that.

You'll need to run a cookie scan first. Then to generate your policy documents, just click on 'More' in the horizontal menu at the top of the page to select the Privacy Policy and Cookie Policy generators from the drop-down menu. You'll be asked to fill in a few details and then your policies will be generated automatically. Your Cookie Policy will even embed a table of the tracking cookies being used on your website with an explanation of what each one does, so you don't have to spend ages looking it all up manually!

You can then go to the Cookie Banner section to customise your opt-in form, allowing users to manage their cookie preferences. This will block the cookies that aren't necessary for the website to function until user consent has been obtained. Oh and just a heads up - the Cookie Banner text is all in US English, so you may wish to go through the Cookie Banner customisation options to change it to UK English. You can do this quickly and easily by just copying and pasting, using a free automated service such as GoTranscript.

Why is website GDPR compliance and Data Protection important? 

Three reasons immediately spring to mind: 

1. Legal requirements: Breaking the law can result in legal action and fines. It's important to understand the law and make sure your website is compliant to avoid potential issues. 
   
2. Customer trust: Having a clear privacy policy and terms and conditions can help to build trust with your clients. It demonstrates that you are transparent about what you do with people’s data. 
   
3. Brand Reputation: The reputation of your business might suffer if you break the law. Customers are becoming increasingly cautious about their privacy online and might decide to work with a business that doesn't seem shady! 

Under what circumstances is GDPR compliance needed? 

There are several circumstances in which a website needs to be compliant with the UK GDPR and Data Protection Act: 

1. If you collect any personal data from users, including names, email addresses, phone numbers, IP addresses or other identifying information. 
   
2. If you use cookies or other tracking technologies to collect data about users. 
   
3. If you sell products or services online and collect payment details from customers. 
   
4. If you use third-party tools or services to collect or process personal data, such as email marketing or analytics platforms. 

According to W3Techs "WordPress is used by 63.1% of all the websites whose content management system we know. This is 43.2% of all websites"⁵. These probably all use third-party tools that set their own tracking cookies.

Are most websites legally compliant?

In short, no. According to Statista most websites in the UK are not legally compliant, with only around 12% of websites fulfilling all of the requirements to be compliant with the UK GDPR⁶. But that's not really the point, is it? You wouldn't throw yourself under a bus if most people were doing it. No one seems to be actively policing this at the moment, so it might not seem important. But it's best to get ahead of it in case you have to defend yourself in court and you then need to be able to say "all of this is covered in the policy you agreed to when you used our website!"

Are Wix websites GDPR compliant?

Not necessarily. Probably not unless you've made sure of it. Given that it never seems to be mentioned in their marketing, you might assume that GDPR and Data Protection Act compliance are just built-in to the big-name DIY website builders such as Wix and Squarespace - that it must come as standard. But you'd be wrong to assume that! It isn't mentioned in their marketing materials because it's not their responsibility, it's yours. Every website is different and the laws are different in different parts of the world. It would be a logistical nightmare for them to attempt to create a 'one-size-fits-all' Privacy/Cookie Policy or to create a policy for every possible use case in every jurisdiction. Therefore you need to do your due diligence and be aware of what's required for your website.

But no need to fear! CookieYes is compatible and easy to use with WordPress, Wix, Squarespace, Shopify and more! You can scan 100 pages for cookies and have 25,000 page views per month for free AND you get a 14-day free trial on all paid plans (ranging from $10-40 USD per month) if you have more pages or get more traffic than that.

The law around website compliance in the UK 

As mentioned above, the UK GDPR and Data Protection Act outline the rights and responsibilities of people and businesses when it comes to collecting, using, and storing personal data online. Some key points to consider include: 

1. Consent: You must get explicit consent from users before collecting or using their data. This means that users have to actively opt-in to having their data collected and must be clearly informed about how it’s going to be used. We get consent by having a checkbox on our contact form, which is not pre-checked and must be checked by the user before contacting us via the form. We also have our CookieYes Cookie Consent Banner that allows users to accept, reject or manage their cookie preferences.
   
2. Transparency: You must be transparent about how you collect, use, and protect users' personal data. This includes having a clear and visible privacy policy on your website that outlines your data collection and use practices. Our privacy policy is easy to find and users can press the blue CookieYes button in the bottom left corner to review the cookies in use and manage their preferences. Click the following links to view our Privacy Policy and Cookie Policy that we generated using CookieYes. The cookie policy includes a table showing all of the cookies found by the scan and what they're used for.
   
3. Security: You have to take appropriate measures to protect users' personal data from unauthorised access, use, or disclosure. This includes using secure servers and encryption for any sensitive data.
   
4. Data retention: You must only retain users' personal data for as long as it is necessary for the purposes for which it was collected. This means that you should have a clear policy in place for how long you keep data and a process for deleting it when it is no longer needed. 
   
5. Data access: Users have the right to request access to the personal data that you hold about them and to have it corrected or erased if it is inaccurate. You must have a process in place for handling such requests and provide the information within a reasonable timeframe. 

How to know if your website is legally compliant: GDPR compliance checklist 

To ensure that your website is legally compliant with the UK GDPR and Data Protection Act, there are several steps you can take: 

1. Review your data collection and use practices: Make sure you are only collecting the personal data that is necessary for your business and that you have a clear purpose for collecting. 
   
2. Obtain explicit consent: Make sure you are obtaining explicit consent from users before collecting or using their personal data, including their IP address which will be tracked by any third-party Analytics solution you might use, such as Google Analytics. This should be done through a clear opt-in process, such as a checkbox or button such as the one provided by CookieYes. Contact forms must also have a checkbox allowing users to consent to their contact details being stored. It cannot be pre-checked, the user must tick the box.
   
3. Update your privacy policy: Make sure your privacy policy is clear, visible, and easy to understand. It should outline your data collection and use practices, as well as the rights of users. You also need a Cookie Policy displaying which cookies are in use and what they're being used for. You can use the CookieYes web app to scan your site and generate this easily in just a few minutes.
   
4. Implement security measures: Take appropriate measures to protect users' personal data from unauthorised access, use, or disclosure. This may include using secure servers and encryption for sensitive data. 
   
5. Review your data retention policy: Make sure you have a clear policy in place for how long you retain user's personal data and a process for deleting it when it is no longer needed, or at the user's request. 

By following these steps, you can ensure that your website is compliant with the UK GDPR and Data Protection Act and that you are protecting the personal data of your users. 

It's also important to regularly review and update your website compliance practices to ensure that you are staying up-to-date with the latest laws and regulations. This may involve seeking legal advice or consulting with data protection experts to ensure that you are meeting your obligations. Additionally, when you sign up for a paid plan with CookieYes you can schedule the cookie scanner to run at regular intervals to make sure that your policy documents are up to date.

In summary, website compliance with the UK GDPR and Data Protection Act is essential for protecting the personal data of your users and avoiding potential legal issues. By understanding the laws and implementing appropriate measures, you can build trust with your customers and protect your brand reputation. That's why we've switched to using CookieYes on all our client websites and our own.

Sources:

1. A guide to the data protection principles - https://ico.org.uk/
2. Do we need to appoint a Data Protection Officer? - https://ico.org.uk/
3. The Data Protection Act - https://www.gov.uk/data-protection
4. An overview of UK Data Protection Law - https://www.itgovernance.co.uk/
5. Usage statistics and market share of WordPress - https://w3techs.com/
6. Share of websites with consent management platforms (CMP) in the UK in 2019, by adherence to the General Data Protection Regulation - https://www.statista.com/