Just to let you know: This article contains an affiliate link. Purchasing via this link won't cost you any more, but we'll make a small commission for referring you. Also, a brief disclaimer: The information in this article is given as a guide only. We are not legal professionals and nothing we publish should be taken as a substitute for legal advice from a qualified expert.
In today's digital age, the protection of personal data is more important than ever. With the European Union's General Data Protection Regulation (GDPR) coming into force in May 2018, businesses around the world are expected to comply with strict data protection laws. The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR following the United Kingdom's departure from the EU.
In this guide, we will cover everything you need to know about GDPR compliance, including what GDPR is, who it affects, and how to make sure your business and website are compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of data protection laws that aim to protect the personal data of UK and EU citizens and give them greater control over their data. The GDPR applies to any business or organisation that processes the personal data of UK or EU citizens, regardless of where that organisation is based. This includes businesses of all sizes, from small start-ups to multinational corporations. If your business processes any personal data of UK or EU citizens, it is your responsibility to ensure that you are GDPR compliant.
The UK GDPR (General Data Protection Regulation) and the Data Protection Act (2018) outline the rights and responsibilities of individuals and organisations with regard to the collection, use and storage of personal data online. This includes storing people's names and contact details so you can reply when they contact you, but it also includes things like their IP address, device type and browser, which are stored and tracked by cookies used by third-party analytics tools such as Google Analytics.
How to become GDPR compliant
Making sure your business and website are GDPR compliant is a process that requires a thorough understanding of the regulation and its requirements. Here are some key steps you can take to become GDPR compliant:
- Conduct a data audit: This involves identifying all the personal data that your business processes, where it comes from, and who it is shared with.
- Update your privacy policy: Your privacy policy must be updated to reflect GDPR requirements, including details on how personal data is collected, stored, and processed.
- Obtain consent: GDPR requires that you obtain explicit consent from individuals before processing their personal data.
- Implement data security measures: GDPR requires that you implement appropriate technical and organisational measures to protect personal data from unauthorised access or theft.
- Appoint a data protection officer: If your business processes a large amount of personal data, you may be required to appoint a data protection officer (DPO) to oversee GDPR compliance.
But how!? How can I obtain consent and generate a GDPR compliant privacy policy?
Here at Bigwheel Web Design, we've been using document generators that are pricey and time-consuming to provide clients with a draft version of the documents they need to be legally compliant while making it clear in our Terms of Service that we are not legal professionals and that it's their responsibility as the website owner to have these documents reviewed and customised for their business by a legal professional. This meant we were paying for a monthly subscription and spending hours checking which cookies were in use on our clients' websites, looking up what each of them does and why, and then putting all of this data into a neat little table in their website Privacy Policy.
It was laborious and seemed pointless - surely there was a way to auto-detect cookies and display the same table but without all the fuss! We needed a better solution and we found one that you can also use to make your website GDPR and Data Protection Act compliant! Install CookieYes for free, run a cookie scan on your site, fill in a few details and get GDPR compliant within minutes with a cookie consent opt-in banner and an even better version of the documents that were taking us hours to produce! It's a quick and easy solution for generating your policy documents and allowing your website users to explicitly opt-in or manage their cookie preferences, but remember - it's not fool-proof! It's your responsibility to fill out your details correctly and to get your documents reviewed by a legal professional to ensure compliance!

To generate your policy documents, just click on 'More' in the horizontal menu at the top of the page to select the Privacy Policy and Cookie Policy generators from the drop-down menu. You'll be asked to fill in a few details and then your policies will be generated automatically. Your Cookie Policy will even embed a table of the tracking cookies being used on your website with an explanation of what each one does, so we don't have to spend ages looking it all up manually!
You can then go to the Cookie Banner section to customise your opt-in form, allowing users to manage their cookie preferences. This will block the cookies that aren't necessary for the website to function until user consent has been obtained. Oh and just a heads up - the Cookie Banner text is all in US English, so you may wish to go through the Cookie Banner customisation options to change it to UK English. You can do this quickly and easily by just copying and pasting, using a free automated service such as GoTranscript.
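The "block until consent" behaviour described above is worth seeing in code. The following is an added example written for this guide, not CookieYes's own code: a minimal consent gate that only injects third-party script tags (for example an analytics tag) once the visitor has opted in to that category, keeps the stored decision across visits, and treats "no decision" and "rejected" the same way. The category names, the storage key `cookie_consent_v1` and the script URLs are assumptions chosen for illustration; storage and the script loader are injectable so the logic can be tested outside a browser.

```javascript
// Added example (not CookieYes code): consent-gated loading of non-essential scripts.
// Scripts are registered with a category; only "necessary" loads unconditionally.
// Anything else waits until the visitor has explicitly opted in to its category.

const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed category set

// Default loader: injects a <script> tag in a browser, does nothing elsewhere.
function defaultLoadScript(src) {
  if (typeof document === 'undefined') return;
  const tag = document.createElement('script');
  tag.src = src;
  tag.async = true;
  document.head.appendChild(tag);
}

// In-memory stand-in for window.localStorage, used when no storage is supplied.
function memoryStorage() {
  const data = {};
  return {
    getItem: (k) => (Object.prototype.hasOwnProperty.call(data, k) ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}

function createConsentManager({ storage, loadScript, storageKey = 'cookie_consent_v1' } = {}) {
  const store = storage || memoryStorage();
  const loader = loadScript || defaultLoadScript;
  const pending = []; // registered scripts whose category is not (yet) allowed
  const loaded = [];  // script URLs handed to the loader, in order

  // Returns the stored decision, or null if none was recorded or it is unreadable.
  function getConsent() {
    const raw = store.getItem(storageKey);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // "necessary" is always allowed; everything else needs an explicit true.
  function isAllowed(category) {
    if (category === 'necessary') return true;
    const consent = getConsent();
    return Boolean(consent && consent[category] === true);
  }

  // Register a third-party script; load now if permitted, otherwise hold it back.
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    if (isAllowed(category)) {
      loader(src);
      loaded.push(src);
    } else {
      pending.push({ category, src });
    }
  }

  // Persist the visitor's choices. Absent or non-true values count as rejected,
  // so a dismissed or partially filled banner never silently grants consent.
  function saveConsent(choices) {
    const consent = {};
    for (const c of CATEGORIES) consent[c] = c === 'necessary' ? true : choices[c] === true;
    store.setItem(storageKey, JSON.stringify(consent));
    // Release any held-back scripts whose category is now allowed.
    for (let i = pending.length - 1; i >= 0; i--) {
      const { category, src } = pending[i];
      if (consent[category]) {
        loader(src);
        loaded.push(src);
        pending.splice(i, 1);
      }
    }
    return consent;
  }

  function rejectAll() { return saveConsent({}); }

  return {
    register, saveConsent, rejectAll, isAllowed, getConsent,
    pendingSources: () => pending.map((p) => p.src),
    loadedSources: () => loaded.slice(),
  };
}

// Browser usage sketch (URLs are placeholders):
//   const cm = createConsentManager({ storage: window.localStorage });
//   cm.register('analytics', 'https://analytics.example/tag.js');
//   acceptButton.onclick = () => cm.saveConsent({ analytics: true });
```

The important design choice is that the analytics tag is never added to the page before `saveConsent` records an explicit `true` for its category; a reload after rejection or with no stored decision keeps it pending, which is what an opt-in (rather than opt-out) banner has to guarantee.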
CookieYes has amassed a user base of over 1.3 million since it was founded in 2018 and is trusted by big-name brands such as Toyota, Renault, KFC and Domino's. It's free up to 25,000 page views per month and 100 pages per cookie scan, with paid plans ranging from just $10 USD per domain per month up to $40 USD per domain per month.
Why is website GDPR compliance and Data Protection important?
Three reasons immediately spring to mind:
- Legal requirements: Breaking the law can result in legal action and fines. It's important to understand the law and make sure your website is compliant to avoid potential issues.
- Customer trust: Having a clear privacy policy and terms and conditions can help to build trust with your clients. It demonstrates that you are transparent about what you do with people’s data.
- Brand Reputation: The reputation of your business might suffer if you break the law. Customers are becoming increasingly cautious about their privacy online and might decide to work with a business that doesn't seem shady!
Under what circumstances is compliance needed?
There are several circumstances in which a website needs to be compliant with the UK GDPR and Data Protection Act:
- If you collect any personal data from users, including names, email addresses, phone numbers, IP addresses or other identifying information.
- If you use cookies or other tracking technologies to collect data about users.
- If you sell products or services online and collect payment details from customers.
- If you use third-party tools or services to collect or process personal data, such as email marketing or analytics platforms.
What a lot of website owners don't know is that, according to W3Techs, 43% of ALL websites were built on the same platform (WordPress) as of January 2022, and probably ALL of them use third-party tools that set their own tracking cookies.
Are most websites legally compliant?
In short, no. According to Statista most websites in the UK are not legally compliant, with only around 12% of websites fulfilling all of the requirements to be compliant with the UK GDPR. But that's not really the point, is it? You wouldn't throw yourself under a bus if most people were doing it. No one seems to be actively policing this at the moment, so it might not seem important. But it's best to get ahead of it in case you have to defend yourself in court and you then need to be able to say "all of this is covered in the policy you agreed to when you used our website!"
Are Wix websites GDPR compliant?
Not necessarily - probably not unless you've actively made sure of it. Given that it never seems to be mentioned in their marketing, you might assume that GDPR and Data Protection Act compliance are just built-in to the big-name DIY website builders such as Wix and Squarespace - that it must come as standard. You'd be wrong though. It isn't mentioned in their marketing materials because it's not their responsibility, it's yours. Every website is different and the laws are different in different parts of the world. It would be a logistical nightmare for them to attempt to create a 'one-size-fits-all' Privacy/Cookie Policy or to create a policy for every possible use case in every jurisdiction. Therefore you need to do your due diligence and be aware of what's required for your website.
But no need to fear. CookieYes is compatible and easy to use with WordPress, Wix, Squarespace, Shopify and more! You can scan 100 pages for cookies and have 25,000 page views per month for free AND you get a 14-day free trial on all paid plans (ranging from $10-40 USD per month) if you have more pages or get more traffic than that.

The law around website compliance in the UK
As mentioned above, the UK GDPR and Data Protection Act outline the rights and responsibilities of people and businesses when it comes to collecting, using, and storing personal data online. Some key points to consider include:
- Consent: You must get explicit consent from users before collecting or using their data. This means that users have to actively opt-in to having their data collected and must be clearly informed about how it’s going to be used. We get consent by having a checkbox on our contact form, which is not pre-checked and must be checked by the user before contacting us via the form. We also have our CookieYes Cookie Consent Banner that allows users to accept, reject or manage their cookie preferences.
- Transparency: You must be transparent about how you collect, use, and protect users' personal data. This includes having a clear and visible privacy policy on your website that outlines your data collection and use practices. Our privacy policy is easy to find and users can press the blue CookieYes button in the bottom left corner to review the cookies in use and manage their preferences. Click the following links to view our Privacy Policy and Cookie Policy that we generated using CookieYes. The cookie policy includes a table showing all of the cookies found by the scan and what they're used for.
- Security: You have to take appropriate measures to protect users' personal data from unauthorised access, use, or disclosure. This includes using secure servers and encryption for any sensitive data.
- Data retention: You must only retain users' personal data for as long as it is necessary for the purposes for which it was collected. This means that you should have a clear policy in place for how long you keep data and a process for deleting it when it is no longer needed.
- Data access: Users have the right to request access to the personal data that you hold about them and to have it corrected or erased if it is inaccurate. You must have a process in place for handling such requests and provide the information within a reasonable timeframe.
How to know if your website is legally compliant: GDPR compliance checklist
To ensure that your website is legally compliant with the UK GDPR and Data Protection Act, there are several steps you can take:
- Review your data collection and use practices: Make sure you are only collecting the personal data that is necessary for your business and that you have a clear purpose for collecting it.
- Obtain explicit consent: Make sure you are obtaining explicit consent from users before collecting or using their personal data, including their IP address, which will be tracked by any third-party analytics solution you might use, such as Google Analytics. This should be done through a clear opt-in process, such as a checkbox or a button like the one provided by CookieYes.
- Update your privacy policy: Make sure your privacy policy is clear, visible, and easy to understand. It should outline your data collection and use practices, as well as the rights of users. You also need a Cookie Policy displaying which cookies are in use and what they're being used for. You can use the CookieYes web app to scan your site and generate this easily in just a few minutes.
- Implement security measures: Take appropriate measures to protect users' personal data from unauthorised access, use, or disclosure. This may include using secure servers and encryption for sensitive data.
- Review your data retention policy: Make sure you have a clear policy in place for how long you retain users' personal data and a process for deleting it when it is no longer needed, or at the user's request.
By following these steps, you can ensure that your website is compliant with the UK GDPR and Data Protection Act and that you are protecting the personal data of your users.
It's also important to regularly review and update your website compliance practices to ensure that you are staying up-to-date with the latest laws and regulations. This may involve seeking legal advice or consulting with data protection experts to ensure that you are meeting your obligations. Additionally, when you sign up for a paid plan with CookieYes you can schedule the cookie scanner to run at regular intervals to make sure that your policy documents are up to date.
In summary, website compliance with the UK GDPR and Data Protection Act is essential for protecting the personal data of your users and avoiding potential legal issues. By understanding the laws and implementing appropriate measures, you can build trust with your customers and protect your brand reputation. That's why we've switched to using CookieYes on all our client websites and our own.
Just to remind you: This article contains an affiliate link. Purchasing via this link won't cost you any more, but we'll make a small commission for referring you. Also, a brief disclaimer: The information in this article is given as a guide only. We are not legal professionals and nothing we publish should be taken as a substitute for legal advice from a qualified expert.