GDPR is fast approaching – it becomes law on 25th May 2018 – and by then all businesses, large and small, will have had to rethink how they handle people’s data.

What is GDPR? The General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of their customers. The key element is to be transparent and provide accessible information to individuals about how you will use their personal data. Stiff penalties will be imposed on companies that fail to comply.

Data protection is obviously a very broad topic covering all areas of your business, so in this post I am focusing specifically on the key things you need to do as a small business owner to make sure your website is compliant.

Get consent to collect people’s information

Consent is a key part of GDPR legislation, and it is important for any website that collects personal data to obtain specific permission. Visitors to your website must understand exactly how you are planning on using their data and must agree to each specific purpose. That means if you have someone’s email address because they have placed an order with you, you are only allowed to market to them if they have agreed to this. All contact forms must have an active opt-in rather than an opt-out, and ideally a separate opt-in for each method of contact, e.g. email, telephone, post etc. A box that is ticked by default is an opt-out, not an opt-in, and does not count as consent.
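As an added example (not code from the original post), here is how a site's form handler might enforce the per-method active opt-in described above: an unticked box is recorded as "no consent", marketing by a given method is only allowed where consent was recorded, and templates that pre-tick a consent box are flagged. The field names consent_email, consent_telephone and consent_post are assumed for illustration.

```javascript
// Added example, not the original post's code. Each contact method is a
// separate purpose; a checkbox that was not ticked means "no consent".
// Assumes the form's checkboxes use the browser default value "on".

const CONTACT_PURPOSES = ["email", "telephone", "post"];

// Turn a parsed form submission into one consent record per purpose.
// `fields` is the parsed POST body; `now` is an ISO timestamp so the
// record shows when consent was given (needed to demonstrate compliance).
function recordConsent(fields, now) {
  return CONTACT_PURPOSES.map((purpose) => ({
    purpose,
    // Active opt-in: only an explicit tick counts; absent means false.
    granted: fields[`consent_${purpose}`] === "on",
    recordedAt: now,
  }));
}

// Only contact a person through a method they explicitly agreed to.
function mayContact(consentRecords, purpose) {
  return consentRecords.some((r) => r.purpose === purpose && r.granted === true);
}

// Guard for templates: a consent checkbox that carries a `checked`
// attribute is an opt-out default, which is not valid consent under GDPR.
function hasPreTickedConsent(html) {
  const checkboxRe = /<input\b[^>]*type=["']checkbox["'][^>]*>/gi;
  return (html.match(checkboxRe) || []).some(
    (tag) => /name=["']consent_/i.test(tag) && /\schecked(?=[\s=>\/])/i.test(tag)
  );
}

// Constructed sample submission: the customer ticked email only.
const sampleSubmission = {
  name: "A. Customer",
  email: "customer@example.com",
  consent_email: "on",
};
const sampleRecords = recordConsent(sampleSubmission, "2018-05-25T09:00:00Z");
```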

Make sure your data is encrypted

Any data that is submitted to your website must be encrypted in transit in order to comply with GDPR. This stops the data from being intercepted on its way to you; your website developer should be able to install the necessary measures to ensure this is the case. An SSL certificate should be installed on your site so that it is served over HTTPS and the data is encrypted.

You can check whether you have one of these already by looking for the padlock symbol in the address bar of your browser when you visit your site’s homepage; check any page that carries a contact or order form as well, not just the homepage. If the padlock is missing, it is important to speak to your web developer to rectify this.

Add a Cookie banner

Those annoying pop-ups that appear on websites are a source of controversy, with many websites simply ignoring them and others judiciously complying with the law. Since 2012, EU rules have required websites to tell users what cookies are being placed on their machine. There has been much talk about introducing simpler rules, but until they are in place the best thing is to stick with the pop-up banner that links to your cookie policy.

Update your Privacy and Cookie Policy

Make sure your privacy and cookie policies reflect the new legislation, and if you don’t have one, add one. The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can adapt and use on your website. It is concise, transparent, and easily accessible.

ICO privacy policy example

You will also need to update the terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain it, both on your website and in your office systems.

You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

Are Google analytics ok to use?

Many websites are set up to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system, so as no “personal data” is being collected, GDPR should not impact its usage. Read more about Google Compliance

Implementing GDPR across your business

This post has only looked at what you need to do or check on your website; for further reading about implementing GDPR across your business, the ICO has put together a very useful set of resources to explain it.

ICO preparing for GDPR

I am not claiming to have covered everything here, but implementing these actions will give you a good starting point for becoming GDPR compliant in 2018.

Further reading