As the GDPR enforcement date of 25 May 2018 looms, here are a few pointers you will need to address concerning your website:

What is personal data?

‘Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address’.

Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

Unbundled Opt-In

The consent you are asking for should be set out separately for accepting terms and conditions, and acceptance of consent for other ways of using data.

Granular Opt-In

Users should be able to provide separate consent for different types of processing.

For example, specific permission for each type of processing (post, email, telephone) and also asking permission to past details onto a third party.

Easy to Withdraw Permission or Opt-Out

Individuals need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific areas previously interested in such as accounting, business, cyber security, finance.

The user must also be given the right to change the frequency of communication, or stop all communications entirely:

Named Parties

Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to define categories of third-party organisations – they must be named.

Privacy Notice and Terms and Conditions

You will need to update your terms and conditions on your website to reference GDPR terminology. Specifically, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.


For example:
Here at (company name), we take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us.

However, from time to time, we would like to contact you with details of other (specify products/offers/services/competitions) we provide. If you consent to us contacting you for this purpose, please tick those ones individually below to say how you would like us to contact you:

  • Post  
  • Email
  • Automated Call 
  • Telephone  
  • Text message

We would also like to pass your details onto other (name of company/companies who you will pass information to)/(well defined category of companies), so that they can contact you by post with details of (specify products/offers/services/competitions) that they provide. If you consent to us passing on your details for that purpose, please tick the box to confirm.

I agree


You also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your website may be collecting personal data before passing the details onto the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days, it is your own judgement as to what can be defended as reasonable and necessary.

Third Party Tracking Software

Many websites are using third-party marketing automation software solutions on their website.  For example, it must be made clear if Cookies are being used.

Google Analytics

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so GDPR does not impact on its usage.

You will need to identify and have in place contracts with your third-party data processors to protect both your own interests.


Any data that is submitted to your website must be encrypted in order to comply with GDPR to stop your website being hijacked. Speak to us at to discuss getting an SSL certificate (see other blog on SSL certificate) fitted to your website to encrypt the data.


  • Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?
  • Penalties for non-compliance include fines of up to 4% of annual global turnover.