GDPR & your website – what small businesses REALLY need to do

GDPR – Just do it!

I know – as a small business, you’re probably sick of hearing about GDPR and just wish it would go away. It’s boring, right? But it’s not going away and you will need to comply with the new regulations from 25th May 2018. So here’s a handy guide to the implications of GDPR for your small business website. It’s intended to be a readable overview: to simplify what you need to think about in relation to your website and to encourage you to get on with it. Note that this article only covers what you may need to do with your website, whereas the regulations cover much more than just your website. For more information on GDPR, visit the Information Commissioner’s Office website. It may not be as user-friendly as this website, but it’s got the answer to everything you need to know about GDPR.

What is GDPR?

In case you don’t already know, GDPR stands for General Data Protection Regulation. The new rules apply to any business that processes the personal data of EU citizens. This includes customer, supplier, partner and employee personal data. Importantly, it covers collecting email addresses for an email marketing list. The aim is to give people more control over their personal information.

People need to know what they’re signing up to

Just like with sex, it’s really important to get consent first. And implied consent is definitely not good enough.

If you use your website to collect personal data – for whatever reason – you must obtain specific permission to use it. Visitors to your website must understand exactly what you are planning on using their data for and they must agree to it. So you need to assume it’s a “no”, unless you have asked them a very specific question and they have said yes.

For example, if you have a contact form on your website, it needs to have something like a checkbox which people have to tick to agree to their data being used in a certain way. And no, you can’t pre-tick the box.
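To show what “assume it’s a no unless they said yes” looks like on the server side of a contact form, here is an added example (not code from the original post; the form field names, purpose wording and ConsentRecord structure are assumptions for illustration). The point it adds is that an unticked HTML checkbox is not sent at all, so the handler must treat a missing field as refusal rather than defaulting it to true, and it records which specific purposes were agreed to and the exact wording shown:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example: the exact wording shown next to each checkbox on the form.
# Consent is only valid for the purpose the visitor was actually asked about, so
# the wording is stored with the consent record as evidence of what they agreed to.
CONSENT_PURPOSES = {
    "reply": "We may use your name and email to reply to this enquiry.",
    "marketing": "We may email you occasional news and offers. You can unsubscribe at any time.",
}

@dataclass
class ConsentRecord:
    email: str
    purposes: list       # purposes the visitor explicitly ticked
    wording: dict        # the text shown for each ticked purpose
    recorded_at: str     # UTC timestamp of the submission

def consent_given(form: dict, purpose: str) -> bool:
    """True only for an explicit affirmative value for this one purpose.

    An unticked HTML checkbox is simply absent from the submitted form, so
    absence must mean "no". Never default the field to True and never treat an
    empty or unexpected value as agreement.
    """
    return form.get(f"consent_{purpose}") == "yes"

def handle_contact_form(form: dict, now: Optional[datetime] = None) -> ConsentRecord:
    """Validate a contact-form submission and build its consent record.

    Replying to the enquiry is the one purpose the form cannot work without,
    so the submission is rejected if that box was not ticked. Marketing consent
    is optional and is recorded only if it was explicitly given.
    """
    if not consent_given(form, "reply"):
        raise ValueError("consent to be contacted about this enquiry was not given")
    purposes = [p for p in CONSENT_PURPOSES if consent_given(form, p)]
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(
        email=form["email"],
        purposes=purposes,
        wording={p: CONSENT_PURPOSES[p] for p in purposes},
        recorded_at=now.isoformat(),
    )
```

The checkbox markup that pairs with this would use `value="yes"` and no `checked` attribute, so the only way the field arrives as "yes" is the visitor ticking it.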

Be careful who has access

Check who has logon details for your website and if there’s anyone there who doesn’t need it, delete their access. If you have a developer, marketing consultant or other professional who helps you with the website, make sure that they understand the principles of GDPR and ask them what their GDPR policy is. If they look at you blankly, it might be time to find someone else to help you.


Any data captured by your website must be encrypted so that it cannot be read by anyone who intercepts it. A decent developer will be able to help you with this. You will also need an SSL security certificate on your website. But don’t get a bad one. It needs to be at least “A” rated. Here’s a handy tool to check yours:

SSL Labs testing tool

If it’s anything less than “A” rated, get it sorted.

Having a great SSL certificate on your site will also really help you to do well in Google search engine results, but of course that’s not why you should do it – it just happens to be a great side effect. It’s a bit like digging a big hole for a fence post and finding a treasure chest at the bottom of it.

Privacy Policy

Haven’t got one?

You need one. Write it.

Got one?

You need to update it to reflect the GDPR requirements.

Don’t know how?

Google it. Find out what other people say and adapt it to suit your business and your customers.

Can I copy someone else’s?

No you can’t. Doing this means:

a) you’re not taking this seriously; and

b) Google will mark you down because they hate duplicate content and plagiarism.

What do I do with it once I’ve got it?

Finally, put your privacy policy on your website and add it to your menu (or a footer menu if you think no-one really cares).

What about a cookie policy?

You should already have one of these. But it will need reviewing and updating to comply with GDPR.

Anything Else?

Lastly, think widely to make sure you know where personal data is being held. Here are some website-related areas you might have forgotten about:

  • Plugins that collect and store personal information
  • Registered users or members on your website (especially if you use things like BuddyPress or bbpress)
  • Comments or other commenting software
  • ECommerce solutions e.g. WooCommerce
  • Files – documents, spreadsheets, databases, PDFs
  • Storage and backups: computers, portable drives, USB sticks, DVDs, online
  • Cloud storage e.g. Dropbox, Google Drive, Amazon S3
  • Email and email attachments
  • CRM systems
  • Email marketing software e.g. MailChimp
  • Social media
  • Intranets
  • Messaging apps e.g. Slack, Facebook Messenger, Intercom
  • Productivity apps e.g. Zapier, Asana
  • Event and Calendar software e.g. Eventbrite, Calendly
  • Accounting systems e.g. Zoho, Wave
  • And if that wasn’t enough, don’t forget that paper records count too!

Where next?

GDPR: 12 steps to take now

Data protection self-assessment toolkit

A bit more detail

Fed up with this sort of stuff? Our Platinum package includes guaranteed development time so that you don’t have to worry about this kind of thing.
