
Does my website have to be GDPR compliant?

Many organisations still fail to understand that their website has to comply with data protection legislation.  Back in 2018, it was estimated that over 75% of websites were not compliant with GDPR requirements.  The situation has improved to some degree; however, we recently estimated that over 40% of business websites remain non-compliant.

What are the basic legal requirements?

Data protection legislation (e.g. the EU and UK GDPR) requires organisations to abide by key principles such as:

  1. Having a legal basis for the processing
  2. Ensuring that the processing is transparent to data subjects
  3. Ensuring that the processing is safe and the data is kept secure

How do these principles align to websites and their functionality?

Security of the data

All websites should keep the data they process safe.

Key requirements include:

  • Encryption of the data, both in transit and at rest.  In transit this means the website is served over HTTPS, i.e. HTTP over TLS (the successor to SSL, a name still used loosely for the certificate), and plain http:// requests should redirect to https://.  To put it simply, the ‘lock symbol’ should appear next to the web address (URL) in the browser.  Note that the padlock only confirms that the connection is encrypted and the certificate is valid; it says nothing about how the data is protected once it arrives.
  • Data collected (usually contact data) should be protected where it comes to rest, typically in a CRM solution or other database, with encryption at rest and access controls.

[Image: browser address bar showing the padlock for an HTTPS connection]

Note – clicking the highlighted area of the Chrome address bar reveals the connection's security status and other details, such as the cookies the site uses.

Data should also be secured in back-end systems. Access controls (strong passwords, multi-factor authentication, accounts limited to the access they need) should be in place alongside encryption at rest and in transit. Data should be backed up appropriately, and those backups should also be encrypted.
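The padlock is the visible sign of HTTPS, but it is not a sufficient check on its own. The script below is an added example (not code from the original article) that goes a step beyond the padlock: given a captured set of response headers, it checks that HSTS is set with a meaningful lifetime and that cookies carry the Secure and HttpOnly attributes. The two header sets are constructed so the check runs offline; the 180-day HSTS threshold is an assumed minimum.

```python
"""Offline check of a site's transport-security hygiene from its response headers.

Added example, not code from the original article. It runs on a captured set
of response headers (the two sets below are constructed) rather than fetching
a live site. The point it demonstrates: a browser padlock only shows the
connection was encrypted; whether cookies are marked Secure/HttpOnly and
whether HSTS keeps future visits on HTTPS are separate checks.
"""
from typing import Dict, List, Tuple

# Constructed header sets, as `curl -sI https://example.org` might return them.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"],
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Set-Cookie": ["session=abc123; Path=/", "prefs=dark; Secure"],
}

MIN_HSTS_SECONDS = 15_552_000  # 180 days; an assumed minimum for HSTS max-age


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes
    (attribute names lower-cased; valueless flags such as Secure map to "")."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent or unparseable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return 0
    return 0


def transport_findings(headers: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    hsts = headers.get("Strict-Transport-Security")
    if not hsts:
        findings.append("no Strict-Transport-Security header: a later http:// visit is not upgraded")
    elif hsts_max_age(str(hsts)) < MIN_HSTS_SECONDS:
        findings.append("HSTS max-age below 180 days")
    cookies = headers.get("Set-Cookie") or []
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        name, attrs = parse_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: the browser may send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by any script on the page")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, transport_findings(hdrs) or ["no findings"])
```

To use it against a real site, paste the headers returned by `curl -sI` into a dictionary of the same shape; the HttpOnly finding can be relaxed for cookies that page scripts legitimately need to read.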

Legal Basis for the processing

The data processed by the website must have a clearly stated legal basis.  Under the GDPR the bases most relevant to a website are:

  • Consent (a clear affirmative action by the user, such as ticking a box that is unticked by default)
  • Contract necessity
  • Legal obligation
  • Legitimate interests

Ideally, end users of the website give their consent to the processing, and this should be clear and obvious to them at the point the data is collected.  One option is to collect explicit consent when a contact form is submitted:

[Image: website contact form with the consent checkbox highlighted]

The highlighted checkbox in the example above captures the user's explicit consent when they contact the organisation via the website contact form, provided the box is unticked by default and the server validates that it was ticked when the form is submitted (a check performed only in the browser can be bypassed).

The declaration also references the website's privacy policy.  The legal basis for the processing should be stated in that policy as well.

Note – some websites do not ask the end user to tick a consent box.  That can be acceptable to a point, but under the GDPR consent must be a clear affirmative action, so silence or simply submitting a form does not amount to consent.  Such a site is in practice relying on another basis (typically legitimate interests or contract necessity: responding to the enquiry the user has chosen to send), and the form should carry a statement to the effect of “all processing is done in accordance with our privacy policy” so that the user is told what will happen to their data.

Either way, a legal basis is established and made visible.  A contact form without any such declaration is not compliant: even if one argued that the user accepted the processing by submitting the form, it fails the transparency test.
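The text above assumes the consent box is "validated as checked" when the form is submitted. The following is an added example (not code from the original article) of what that validation looks like on the server: an unticked or absent checkbox causes the enquiry to be refused, and a successful submission produces a consent record (hashed e-mail address, the exact declaration text, the policy version and a UTC timestamp) that the organisation can retain as evidence of the legal basis. The field names, the policy version string and the record layout are assumptions for illustration.

```python
"""Server-side validation of a contact form's consent checkbox, plus a
consent record to retain as evidence.

Added example, not code from the original article. The form field names
("consent", "email"), the policy version string and the record layout are
assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Version of the privacy policy the declaration links to (assumed identifier).
PRIVACY_POLICY_VERSION = "2024-05"

# Values browsers send for a ticked checkbox. An absent field or anything
# else counts as "not ticked": the server must never default to consented.
_CHECKED_VALUES = {"on", "true", "1", "yes"}


class ConsentError(ValueError):
    """The submission carries no affirmative consent."""


@dataclass(frozen=True)
class ConsentRecord:
    email_hash: str      # SHA-256 of the address, so the consent log holds less personal data
    policy_version: str  # which policy text the user agreed to
    consent_text: str    # the exact declaration shown next to the checkbox
    timestamp_utc: str   # when consent was captured
    source: str          # which form captured it


def consent_given(form: dict) -> bool:
    """True only if the checkbox field is present and carries a ticked value."""
    value = form.get("consent")
    return value is not None and str(value).strip().lower() in _CHECKED_VALUES


def validate_contact_form(form: dict, consent_text: str,
                          now: Optional[datetime] = None) -> ConsentRecord:
    """Validate a submitted contact form and return the consent record to store.

    Raises ConsentError if consent was not affirmatively given (the enquiry
    must then be refused, not processed silently) and ValueError if the
    e-mail address needed to reply is missing or malformed.
    """
    if not consent_given(form):
        raise ConsentError("consent checkbox not ticked; refusing to process the enquiry")
    email = (form.get("email") or "").strip().lower()
    if "@" not in email:
        raise ValueError("a valid e-mail address is required")
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return ConsentRecord(
        email_hash=hashlib.sha256(email.encode()).hexdigest(),
        policy_version=PRIVACY_POLICY_VERSION,
        consent_text=consent_text,
        timestamp_utc=stamp,
        source="website-contact-form",
    )


def record_to_json(record: ConsentRecord) -> str:
    """Serialise the record for an append-only consent log."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    declaration = "I consent to my data being processed as described in the Privacy Policy."
    # Constructed submissions: one ticked, one where the box was left unticked
    # (browsers omit an unticked checkbox from the POST body entirely).
    ticked = {"name": "A. Example", "email": "a.example@example.org",
              "consent": "on", "message": "Please call me."}
    unticked = {"name": "B. Example", "email": "b.example@example.org",
                "message": "Please call me."}
    print(record_to_json(validate_contact_form(ticked, declaration)))
    try:
        validate_contact_form(unticked, declaration)
    except ConsentError as exc:
        print("rejected:", exc)
```

Storing the declaration text and policy version alongside the timestamp matters because a consent record is only useful as evidence if it shows what the user actually agreed to at the time; a bare "consented: true" flag does not.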

Transparency of the Processing

Websites must be fully transparent about how they process personal data (often referred to as personally identifiable information, PII).  Usually this is done in the following ways:

Website Privacy Policy – This policy needs to state:

  • The applicable legislation
  • Who is doing the processing
  • Why the processing is being done
  • What the data is used for
  • Who the data is shared with
  • What the legal basis is for the processing
  • How the data is kept secure
  • Where the data is transferred and where it resides
  • How long the data is retained for
  • Who to contact about the data processing
  • The rights of individuals using the website

Cookie Policy – This policy needs to state:

  • What cookies are set
  • Why they are set
  • How long the data is retained for

Note – Websites must allow end users to opt out of non-essential processing.  New users should therefore be able to accept some categories of cookies and reject others, and non-essential cookies (e.g. analytics or advertising) should only be set once the user has accepted them.  Strictly necessary cookies, such as a session cookie needed for the site to function, do not require consent.

[Image: cookie acceptance banner offering accept and reject options per cookie category]

Other compliance requirements

We would always advocate that websites have other data protection information available to end users e.g.

Details of the registration with the information regulator (in the UK, the Information Commissioner's Office – https://ico.org.uk)

[Image: ICO registration reference displayed on the website]

Note – this isn’t mandatory but it’s best practice.

End users (data subjects) should also be told about their rights in relation to the use of the website.  It is again good practice to publish a link to the Data Subject Access Request Policy (or a deep link to the section of the Privacy Policy that covers it).

Why is this important?

An organisation's website is its ‘window to the world’, and specifically to prospective clients.  A non-compliant website is not only unlawful but presents the organisation in a very negative light, and should obviously be avoided.

Get in touch with Data Privacy Services if you need any assistance with website compliance or any other general GDPR compliance challenges.  Contact us for more information.
