GDPR requirements for websites

The General Data Protection Regulation (GDPR) requirements came into force on May 25, 2018. Designed to protect the personal data of EU residents, the regulation gives individuals control over how their personal data is stored and used by your company. It’s vital that you understand GDPR requirements for websites to avoid being in breach of the regulations.

What is GDPR and why is it relevant?

GDPR places strict rules on how businesses acquire, store and use personal data. It applies to businesses of all sizes, although there are some exceptions for SMEs. GDPR requires businesses to have legitimate grounds to collect personal information and only use it for a specific purpose.

If you have a business website, it’s likely you’re collecting data about the people who visit and interact with your website. Therefore, it’s important to know the GDPR requirements for websites to ensure that yours is GDPR compliant. The penalty for non-compliance is high – it can carry a steep fine of up to 4% of the turnover of your business or €20m – whichever is higher.

What are the GDPR requirements for websites?

While GDPR requirements are detailed, in general you must keep customer data safely secured and ensure that you have explicit permission to collect and use personal data. If your website uses contact forms to collect sales leads, stores personal information for website accounts, or uses cookies to track customers, then you need to ask permission from each website visitor and tell them what you will be using their data for. Take the following steps to ensure your website is GDPR compliant.

Step 1. Review your website

It’s essential to check that your website is GDPR compliant. This involves assessing your website and any third-party tools you use for running your website, such as email list services, cookies that your website uses, and analytics such as Google Analytics.

Start by examining all the ways your website collects data, from online forms and user accounts to email signups. Make a list of what personal data your website asks for, and where and how it is stored. Personal data includes any information that identifies someone such as name, email, postal address or even computer IP address. Check what cookies your website is using.

List the permissions your website asks for and check they are in line with GDPR requirements. This includes clearly asking permission to use cookies, marketing permissions on forms, and clear links to a privacy policy.

Step 2. Review your website’s privacy policy

You must inform visitors that you are collecting data, explain what data you are gathering and what you plan to do with it. You should also explain how data will be stored and for how long. Update your privacy policy to ensure it is compliant with GDPR regulations and publish the privacy policy document on your website.

Your privacy policy should include contact details for your company’s Data Officer and how a person can request any data you hold about them.

Step 3. Cookies

Ensure your website includes a page listing all the cookies that it uses. The list needs to cover everything from functional cookies – such as account log-in cookies – to tracking cookies from third parties such as advertising platforms and analytics tools. Free tools such as GDPR Cookies Scan can examine your website and provide a list of all the cookies in use.

As part of GDPR requirements for websites, you will also need to provide a cookie pop-up notification giving visitors a link to the cookie listing page, as well as the option to decline all cookies. You cannot limit access to your website to only those willing to accept cookies.
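
As an added example (not part of the original article), the script below turns observed Set-Cookie response headers into rows for the cookie listing page, marking each cookie as first or third party, session or persistent, and recording whether it carries the Secure attribute. The host names and headers are constructed samples, the first-party rule is a simplification, and the purpose of each cookie (functional or tracking) still has to be filled in by hand.

```python
from http.cookies import SimpleCookie

# Constructed sample: (responding host, Set-Cookie header value) pairs, copied
# the way you would from the browser's network panel while browsing the site.
SAMPLE = [
    ("shop.example", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "basket=42; Path=/; Max-Age=86400"),
    ("ads.tracker.example",
     "uid=9f8e7d; Domain=tracker.example; Path=/; Max-Age=31536000; Secure; SameSite=None"),
]

def is_third_party(site_host, cookie_scope):
    """Assumption: the site's own host and its subdomains are first party."""
    scope = cookie_scope.lstrip(".").lower()
    site = site_host.lower()
    return not (scope == site or scope.endswith("." + site))

def inventory(site_host, observed):
    """Return one row per cookie, ready for the cookie listing page."""
    rows = []
    for host, header in observed:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A Domain attribute widens the scope; otherwise the cookie is host-only.
            scope = morsel["domain"] or host
            persistent = bool(morsel["max-age"] or morsel["expires"])
            rows.append({
                "name": name,
                "set_by": host,
                "party": "third" if is_third_party(site_host, scope) else "first",
                "lifetime": "persistent" if persistent else "session",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": morsel["samesite"] or "unset",
            })
    return rows

def third_party(rows):
    """Cookies set for another organisation's domain."""
    return [r["name"] for r in rows if r["party"] == "third"]

def missing_secure(rows):
    """Cookies that a browser would also send over unencrypted HTTP."""
    return [r["name"] for r in rows if not r["secure"]]

if __name__ == "__main__":
    for row in inventory("shop.example", SAMPLE):
        print(row)
```
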

Step 4. Secure Socket Layer (SSL) certificates

SSL (now implemented by its successor, TLS) is a vital website component that encrypts information and traffic to and from your website. This means personal information, from credit cards to phone numbers, is scrambled while in transit. It will also show a padlock symbol in the address bar of a web browser so site visitors can see your website is secure. Free SSL certificates are available from the Let’s Encrypt initiative and can be installed on your website.

Step 5. Newsletters and contact forms

As part of GDPR requirements for websites, if you invite visitors to sign up for email newsletters or downloads, or to fill in a contact form, you must be clear about what you will use the information for. You need to provide explicit opt-in permission tick boxes if you plan on sending the visitor marketing information or sharing their details with third parties. You cannot send any marketing without permission for each channel, such as email, telephone and SMS.

Email service providers such as MailChimp, MizMoz and Communigator should be GDPR compliant, but check your email mailing list provider. Each email must include a clear unsubscribe link.

Step 6. How to make WordPress GDPR compliant

Many websites use the WordPress content management system – it’s free, popular and supported with a range of free plug-ins. While you can buy GDPR plug-ins for WordPress that help ensure compliance, there are plenty of free WordPress plug-ins available to get you started.

  • Cookie Notice – With over 1m active users, this free plug-in provides a cookie pop-up that complies with EU cookie law in relation to GDPR.
  • WP GDPR Compliance – This free, open source plug-in adds permissions and consent controls for popular online forms including Contact Form 7, WordPress Comments, WooCommerce and Gravity Forms.
  • GDPR – Provides a free suite of tools to help a Data Officer manage GDPR compliance for a website, including cookie consent and requests for data deletion.


Reference to any organisation, business and event on this page does not constitute an endorsement or recommendation from the British Business Bank or the UK Government. Whilst we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.