
Is your website compliant with the requirements of GDPR, due to come into effect in May 2018? Here are 10 changes you should make to your website now to stay on the right side of the law, and to keep your customers happy.

First things first: the General Data Protection Regulation (GDPR) comes into effect on 25 May. Be sure to start by reading our general overview of GDPR and its impact on digital marketing.

In this post, I want to cover specifically the narrow area of how to make your website GDPR compliant, and make recommendations for the specific changes you will need to be making.

GDPR will have a huge impact on website design, which will have a ripple effect on how your website integrates with your other digital activity like email marketing, social media, and e-commerce activities.

The golden thread that ties together all of these recommendations is that under the GDPR, the concept of consent that is freely given, specific and informed is being strengthened with new rules, which means businesses like ours need to provide more transparency.

Here are 10 steps you will want to review for your website, and discuss necessary changes with your web development team. Any questions, feel free to get in touch with me.

Let’s start with the straightforward changes that you will need to be making, and then move on to the more complex areas.

1. Forms: Active Opt-In

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case.

As an example, the current Boots registration form pre-ticks the opt-in box, forcing the user to actively opt-out. Very naughty, bad user experience, and must be changed by May.

[Image: GDPR opt-in fail]

2. Unbundled Opt-In

Acceptance of your terms and conditions should be set out separately from consent to other ways of using data.

In this example, Sainsbury’s clearly set out the acceptance of their terms and conditions, and separately set out the active opt-in for their contact permissions.

It’s a shame Sainsbury’s didn’t get the option to be more granular in terms of communication opt-in preferences (email, SMS, post).

[Image: Sainsbury’s granular opt-in]


3. Granular Opt-In

Users should be able to provide separate consent for different types of processing.

In this example, ABC Awards are asking for specific permission for each type of processing (post, email, telephone) and also asking permission to pass details on to a third party.

4. Easy to Withdraw Permission or Opt-Out

It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

In terms of your web user experience, this means unsubscribing could consist of selectively withdrawing consent to specific streams of communication:

[Image: Withdraw consent GDPR]


Or easily change the frequency of communication, or stop all communications entirely:

[Image: Withdraw consent frequency]

5. Named Parties

Your web forms must clearly identify each party for which the consent is being granted. It isn’t enough to refer to specifically defined categories of third-party organisations. They need to be named.

In this example, you can see John Lewis understands the gist: we need to give named permissions for updates from each of Waitrose, John Lewis, and John Lewis Financial Services.

But it’s a shame that it is opt-out rather than opt-in.

[Image: John Lewis permissions]
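
The five form rules above (active, unbundled, granular, easy to withdraw, named parties) can be checked mechanically before a form goes live. This is an added example, not code from the original article: it audits a constructed form description, and the description format (`purposes`, `tickMeans`, `recipients`, `withdrawablePurposes`) and company names are assumptions made for illustration.

```javascript
// Added example: audit a form description against consent rules 1-5 above.
// The description format is hypothetical, not a real form-builder schema.
function auditConsentForm(form) {
  const findings = [];
  const add = (rule, field, issue) => findings.push({ rule, field, issue });
  const withdrawable = new Set(form.withdrawablePurposes || []);

  for (const box of form.checkboxes) {
    // "terms" is contract acceptance; everything else is a consent purpose.
    const consentPurposes = box.purposes.filter((p) => p !== "terms");
    if (consentPurposes.length === 0) continue;

    // 1. Active opt-in: blank by default, and ticking must grant consent.
    if (box.defaultChecked) add(1, box.name, "consent box is pre-ticked");
    if (box.tickMeans !== "opt-in") add(1, box.name, "box is worded as an opt-out");

    // 2. Unbundled: terms acceptance may not share a box with other consent.
    if (box.purposes.includes("terms")) add(2, box.name, "terms bundled with consent");

    // 3. Granular: one box per type of processing.
    if (consentPurposes.length > 1) add(3, box.name, "several purposes behind one box");

    // 4. Easy to withdraw: each purpose can be switched off on its own.
    for (const p of consentPurposes) {
      if (!withdrawable.has(p)) add(4, box.name, `no separate withdrawal for ${p}`);
    }

    // 5. Named parties: every recipient is named; a category is not enough.
    const recipients = box.recipients || [];
    if (recipients.length === 0 || recipients.some((r) => !r.name)) {
      add(5, box.name, "recipient not identified by name");
    }
  }
  return findings;
}

// Distinct rule numbers violated, in ascending order.
function rulesViolated(form) {
  const rules = auditConsentForm(form).map((f) => f.rule);
  return [...new Set(rules)].sort((a, b) => a - b);
}

// Constructed sample: one bundled, pre-ticked box and one opt-out box.
const badForm = {
  checkboxes: [
    {
      name: "agree",
      purposes: ["terms", "marketing:email", "marketing:sms"],
      defaultChecked: true,
      tickMeans: "opt-in",
      recipients: [{ category: "selected partners" }],
    },
    {
      name: "no_updates",
      purposes: ["marketing:post"],
      defaultChecked: false,
      tickMeans: "opt-out",
      recipients: [{ name: "Example Retail Ltd" }],
    },
  ],
  withdrawablePurposes: ["marketing:email", "marketing:post"],
};

// Constructed sample: the same permissions, split and named.
const named = [{ name: "Example Retail Ltd" }];
const goodForm = {
  checkboxes: [
    { name: "terms", purposes: ["terms"], defaultChecked: false, tickMeans: "opt-in" },
    { name: "email", purposes: ["marketing:email"], defaultChecked: false, tickMeans: "opt-in", recipients: named },
    { name: "sms", purposes: ["marketing:sms"], defaultChecked: false, tickMeans: "opt-in", recipients: named },
    {
      name: "share",
      purposes: ["share:third-party"],
      defaultChecked: false,
      tickMeans: "opt-in",
      recipients: [{ name: "Example Insurance Ltd" }],
    },
  ],
  withdrawablePurposes: ["marketing:email", "marketing:sms", "share:third-party"],
};

console.log(auditConsentForm(badForm));
console.log(rulesViolated(goodForm));
```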

6. Privacy Notice and Terms and Conditions

The Information Commissioner’s Office (ICO) has very kindly provided a sample privacy notice that you can use on your website. It is concise, transparent, and easily accessible.

You will also need to update your terms and conditions on your website to reference GDPR terminology. In particular, you will need to make it transparent what you will do with the information once you’ve received it, and how long you will retain this information both on your website and also by your office systems.

You will also need to communicate how and why you are collecting data. Your privacy policy will need to detail applications that you are using to track user interaction.

7. Online Payments

If you are an e-commerce business, then you are likely to be using a payment gateway for financial transactions. Your own website may be collecting personal data before passing the details onto the payment gateway.

If this is the case, and your website is storing these personal details after the information has been passed along, then you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.
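
One way to implement that clean-up, as an added example that is not part of the original article: a scheduled job strips personal fields from order records once they are older than the retention period, while keeping the order id and gateway reference. The record shape, field names and sample orders are constructed, and the 60-day default is the article's own example figure.

```javascript
// Added example: redact personal data from orders that were handed to the
// payment gateway more than `retentionDays` ago. Field names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const PERSONAL_FIELDS = ["name", "email", "phone", "billingAddress"];

function purgeExpired(orders, now, retentionDays = 60) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  const purgedIds = [];

  const result = orders.map((order) => {
    // Orders not yet handed to the gateway are outside this rule.
    const handedOff = order.handedOffAt ? Date.parse(order.handedOffAt) : NaN;
    if (Number.isNaN(handedOff) || handedOff > cutoff || order.purgedAt) {
      return order;
    }
    // Work on a copy so the caller decides when to persist the change.
    const copy = { ...order, purgedAt: now.toISOString() };
    for (const field of PERSONAL_FIELDS) delete copy[field];
    purgedIds.push(order.id);
    return copy;
  });

  return { orders: result, purgedIds };
}

// Constructed sample records.
const sampleOrders = [
  { id: "A-1001", name: "A. Customer", email: "a@example.test",
    gatewayRef: "gw_constructed_1", total: 42.5, handedOffAt: "2018-03-01T10:00:00Z" },
  { id: "A-1002", name: "B. Customer", email: "b@example.test",
    gatewayRef: "gw_constructed_2", total: 12.0, handedOffAt: "2018-05-01T10:00:00Z" },
  { id: "A-1003", name: "C. Customer", email: "c@example.test",
    gatewayRef: null, total: 7.0, handedOffAt: null },
];

const runAt = new Date("2018-05-25T00:00:00Z");
console.log(purgeExpired(sampleOrders, runAt).purgedIds);
```

The same retention rule also has to reach backups, logs and exports, which a job over the live table alone does not cover.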

8. Third Party Tracking Software

Things now start to get tricky when it comes to third-party tracking software.

Many websites are using third-party marketing automation software solutions on their website. These might be lead tracking applications like Lead Forensics, Leadfeeder or CANDDI. Or they could be call tracking applications like Infinity Call Tracking or Ruler Analytics.

The use of these tracking applications raises some very interesting questions in terms of GDPR compliance, and in my opinion, this remains a grey area. At first glance, these applications track users in ways they would not expect and for which they have not granted consent. For example, they track my behaviour each time I return to your website, or view a specific page on your site.

However, the suppliers of these applications assure us they are GDPR compliant.

First, suppliers like CANDDI are advising the use of banners stating clearly and unambiguously that cookies are being used:

[Image: CANDDI GDPR compliance]

And, the software suppliers argue that the use of cookie tracking technology is in the legitimate interest of your business as a data controller, and specifically Recital 47 allowing for “processing for direct marketing purposes or preventing fraud.”

CANDDI advises:

Legitimate Interest - If using the legitimate interest principle within your website tracking it is advisable to have on record during your GDPR preparation that this is the case. This should include the grounds on which you are using this.

I want to thank CANDDI for sharing their GDPR perspective, and would recommend you read it (PDF).

[Image: CANDDI GDPR Perspective]


The providers of these tools are confident that they are GDPR compliant. But if the software is doing something illegal, then it is your business’ responsibility as the Data Controller. The real question is to identify the GDPR compliance risks in using this kind of software, and to mitigate your risks as a business owner. As a result, you need to review your contract with these software providers carefully.

9. What About Google Analytics and Google Tag Manager?

If you are interested in Google’s commitment to GDPR then a good place to start is this website: How Google complies with data protection laws

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so I believe GDPR does not impact on its usage.

With regard to Google Tag Manager, it’s a powerful tool that enables your website to send information to third-party applications by inserting small amounts of code. You can integrate in-house data repositories, as well as external remarketing and retargeting systems, and a host of other services. The issue for businesses with regard to Tag Manager is to ensure you have a contract in place with the individuals who have access to your Tag Manager (which may well be your web designer, or digital marketing agency) to ensure they understand their legal responsibilities as a data processor on your behalf as data controller.

So, the underlying issue with the new GDPR is to identify and have in place contracts with your third-party data processors to protect both your own interests.

10. And Finally… It Isn’t Only Your Website That Needs to Be GDPR Compliant

The changes being introduced with GDPR will permeate your entire business, and in this series of articles, we are focusing purely on your digital marketing.

As you start planning the detail of your website, you will uncover an Aladdin’s cave of issues you will need to consider. The Information Commissioner has provided an excellent set of resources for your reference, but here are a few key questions to be considering now as we approach the May deadline:

  • You probably have lots of personal data stored in various places around the business. Do you have a good understanding, and documented record of the data you hold?
  • Do you need to either gain or refresh consent for the data you hold?
  • Do you have a defined policy for how long you retain personal data, so you don’t retain it unnecessarily, and ensure it’s kept up to date?
  • Is your data being held securely, keeping in mind both technology and the human factors in data security?
  • Whether you are a data controller or data processor (or both), do you have the correct legal arrangements in place?

32 responses to “How to Make Your Website GDPR Compliant”

  1. Faye Brown says:

    Do we need to make sure our website has an ssl certificate in order to be GDPR compliant?

    • Susan Hallam MBE says:

      Great question, Faye!
      Having an SSL certificate means your website is using HTTPS to send data over an encrypted connection, which is really good and a first step towards compliance. But the real issue is how secure is the data being stored in the database itself, and is the database encrypted.
      If your website is not transmitting any personal information then this isn’t an issue. But almost all websites do: customer enquiry forms, email signups, and other types of interactions. You need to be asking yourself where is this data stored and how are you securing it.
      Irrespective of GDPR, you should have SSL implemented on your site. It gives people confidence in your site, and is a Google ranking factor.
      Here is an article for you to read

    • Kitty says:

      Many thanks for this great article!
      I have two questions:
      1) COOKIES: I’ve read that you need an active consent to cookies (for example to use remarketing), and messages like “by using this site you agree to cookies” are no longer enough. How will that be solved in practice, does every site need a banner at the beginning where users have to agree to cookies first ?!

      2) CONTRACTS: As a digital marketing freelancer, it seems I have to sign a contract with my clients if they grant me access to their CMS. And that they have to put my name in their privacy statement before “outsourcing” anything to me. Is this correct ?

      I hope someone can help, as I feel GDPR will make it very hard for me as a freelancer that clients will outsource work to me 🙁

      • Susan Hallam MBE says:

        Hi Kitty
        What we all need to keep in mind is that there is not yet any case law regarding the GDPR requirements, so it is impossible at this point to answer questions with any real certainty.
        That said, my view in a nutshell is a click to confirm acceptance of cookies has to be the surest way to ensure you comply, but I don’t really believe it is absolutely necessary.
        Here is what the ICO say here

        1. Cookies:
        The ICO put it this way, and what will be interesting is the concept of acceptable “implied consent.”

        What counts as consent?
        To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

        Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

        This means you are unlikely to need consent for:

        – cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
        – session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
        – load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

        However, it is still good practice to provide users with information about these cookies, even if you do not need consent.


        And yes, as a freelancer you are going to need to have a legal agreement if you are processing your clients’ data, and clearly a CMS is full of personal data.

        More information here:

        On the other hand, I do not believe they will have to name you in their Privacy Policy, no, but that may be something you need to get advice on.

  2. This is great thank you. Our challenge is that we sell an online lifetime membership subscription to women including monthly e-newsletters. If she (or her husband who may share the same e-address) unsubscribes to the newsletter in question, we effectively lose her within The Club. Our newsletter software doesn’t offer a warning facility here and we’re not able to do this as a second transaction. Still looking at options to maintain her membership record in these circumstances.

    • Susan Hallam MBE says:

      Hi Steph
      I think you’ve already identified your problem: you are asking for two types of permission (being a member, and receiving the newsletter) as a single question. I think your solution is to have a newsletter unsubscribe button like you do now, and a separate, but still easy to use, mechanism for actually leaving The Club.
      Good luck!

  3. Hi,
    I’ve just found your blog & have found it very informative- thank you. I don’t know if this is a silly question but here goes:
    I administer a local website for a non-profit-making local society, the Local history group, using a free “community” host service. We are doing our best to comply with the GDPR and now have shiny new Data Protection Notices and we will be refreshing our consents using a paper form at our future meetings. Although we may email members an occasional newsletter there is no facility to request this on our websites. In view of this do we need to do anything to our websites to comply with the GDPR? Do we need to mention the website in our Data Protection Notice?

    Many thanks

    • Susan Hallam MBE says:

      It’s not a silly question at all, Roger!
      It sounds like you are doing the right thing: getting consent on paper format at your meetings which should include permission to send your email newsletter (you can just scan these forms, by the way, and store them that way).
      It is a shame you don’t have the ability to sign up to your newsletter on your website. That could be a great way to engage with more members. And if you do have an online signup, then you will just need to include the permissions tick box, and give people the chance to unsubscribe easily.
      And yes, you should still update your website’s Privacy Policy to be GDPR compliant, which in your case should be fairly simple.
      Hope this is helpful!

  4. Debbie Whitmore says:

    I found this very helpful and answered a number of my questions. Do you have any deeper advice about the “right to be forgotten”? I need to understand what would be considered compliance or not in the case of “being forgotten”. We have organizations that apply to us for grants. When we hand out funds, we track the organization’s performance and should they fail to adequately perform the requirements of the grant, that becomes a factor for future funding. As tracking a person’s performance, it would be detrimental to our business should we have to “forget” their performance with our funds. How does an organization comply with the GDPR while protecting their business as well? In simple terms, it’s kind of like how grocery stores track someone who writes bad checks. They don’t want to continue taking checks from a bad actor. How can individual and business needs be balanced? Can you point me to further reading on this topic that is explained as beautifully as you have for website requirements? Thank you!

  5. Great article Susan.

    Can you offer any advice on GDPR when Cookies are being used?

  6. Good examples with the points, thanks for this.
    We are currently looking into adding Web Push notifications onto our website with an ability to unsubscribe.
    As this just stores an anonymous token, does this (like google analytics), fall out of the boundaries of GDPR?
    Or do we need to add to our privacy policy, similar to as if it was an email mailing list?
    Thanks in advance.

  7. I have adjusted all the forms on our new site, have altered our privacy agreement and terms of use – and any other documents that I could find too – but I have one remaining issue …

    What to do about the 550 email subscribers that we have – they were all opt-ins – and can opt-out at any time they like – but do I need to re-confirm consent with them prior to GDPR coming into law?

    • Susan Hallam MBE says:

      Hi David

      It sounds to me like your subscribers have already granted you permission to receive your newsletter (and you probably have a record of that opt-in in your email newsletter management system) and you are always giving them the chance to opt out.

      Re-permissioning is a powerful way to keep your marketing data clean and up to date, but I think you are already compliant with your existing processes.


  8. Andrea Appleton says:

    Hello Susan
    Thanks for the really useful examples.
    One question please:
    When a customer enters our site to purchase a product, we guide the customer through a number of pages before we are asking them to consent for us to keep their data. However, we are keeping their data from the moment they pass the first page. Does that mean we will need to ask for consent at the start of the website rather than the end?


    • Susan Hallam MBE says:

      Hi Andrea

      I think I’m going to need a bit more information, but I’m assuming the data you are collecting as soon as they pass the first page is either cookie data or other types of tracking.

      If this is indeed the case, then the ICO says:

      “You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.
      To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.”


  9. Adrian Bennett says:

    I think people are panicking unnecessarily. If you follow the UK data protection laws, which are quite strict anyway, you can’t go wrong. I appreciate the need for online protection, but I think this really only applies to the big boys who hold vast amounts of data. For the normal business owner who only has a few hundred customers and keeps everything tight with up-to-date security software and firewalls, they will be fine. In all the years of business I have never once had my data protection processes checked. As I say, I follow all UK data protection laws and am fully compliant. This GDPR will be very hard to police, and any error will only show up if there is a material breach and your systems are hacked and the data stolen and sold on and it’s traced back to you. Keep your security up to date, add the correct privacy policies and terms and conditions (you can get these free through My Business works). If you’re going to do email runs, make sure you have permission to send them. That’s it… don’t panic!!!!!

  10. Adam says:

    Hello Susan!
    Lately I read as much as I can about the GDPR and how it will affect businesses all over the world. Is it really that hard to comply? I mean clearly you must store the ‘personal info’ as secure as possible and erase it when asked (only if you comply with the law to, because sometimes you must keep some records for years, or does GDPR not affect documents and information that you must clearly store?)

    My simple question is exactly as this message that I post.
    If on my website someone leaves a message/comment with his name and email as I do here, do I need any special consent from that user? He clearly knows, as I do here, that I am entering my name and email address to contact you or get in touch, but do I need any information about storing the client’s name and email address, or can I simply state that it is only used for the sole purpose of replying to their message with the information they asked for and that we store their data only after we engage in a signed contract, otherwise it is not stored?

    Any help is greatly appreciated!
    Thank you.

  11. Ben says:

    Hi, this is the most useful article I’ve read on the subject so far.

    But of course I have questions in my specific scenario!

    We are revising our current website and want to add a basic contact form: First name, surname, email address, subject, message. We don’t have a database as we’ve not harvested any data before and we don’t envisage needing one beyond adding a successful contact that proceeds forward to a shared contacts folder in our gmail system. We don’t send newsletters or marketing mailing of any kind, and we certainly wouldn’t share our contacts with anyone else.

    Most things I have read involve opt-ins for this and that, sites that involve logins, accounts, and lots of complex functions and features; none of which applies to us and our simple M.O. as far as I can tell, so I deduce that we will not be affected by GDPR… or are we?

  12. Enrico says:

    Great article Susan.

    Is anyone else in the ‘industry’ surprised how slow businesses are to pick up on GDPR?

    Personally, I’m amazed how poorly prepared many UK companies are for GDPR.
    I work for an agency, we build a lot of websites, more than 200 a year.

    And unless our clients are attending to basics – like changing out their webforms and privacy policies – in house, it looks like less than a third of the sites we’ve built over the last 3 years are compliant.

    I landed on this page while searching for industry uptake and noted similar figures from other sources.

    Just how long do you think it will take most companies to understand this is mandatory? And what do you think the penalties will be during the first phases of implementation?

  13. Gemma Bates says:

    Hi Susan,

    Thank you for the article, was hoping you could help me with a query. Our organisation does not undertake any mass email marketing to customers but we do all have email contact lists in gmail which are automatically gathered – as soon as you reply to someone they are in your contacts list – so even though we’re not using them for mass mailout we could recall someone. Do we need to email everyone we’ve ever been in touch with to check they’re still ok for us to have their email address? Seems excessive.
    For that matter emails – potentially in an ideal world we’d have an email retention policy that would automatically delete emails after x amount of time, however we have a lot of repeat annual jobs and so the company policy is to keep emails – is that an issue? (and if we do have to delete after a certain amount of time, how long should that be)

    • Susan Hallam MBE says:

      Hi Gemma

      Remember, GDPR doesn’t just apply to mass emailings; it covers all the data you hold about any individuals for even something as apparently insignificant as an email address.

      You raise a couple of issues that you need to be thinking about. First, you need an awareness of what personal data you have and how you are storing and processing it. You need to consider how you are keeping the email address data secure, how it is being updated, and how people can correct the information you hold.

      And you need to consider the retention policy that you mentioned: just how long do you need to keep the data, what is the purpose of retaining the data, and do you have a legitimate business interest that would inform your retention policy.

  14. Jack says:

    Hi Susan,

    I have a question regarding google analytics. You mentioned that you think it’s not affected by the new GDPR law because it doesn’t track any personal data.

    But google analytics tracks IP Addresses, doesn’t that fall under personal data?

    I was just wondering if I have missed anything here?

    • Susan Hallam MBE says:

      Hi Jack
      Sorry I wasn’t clear about that…
      Google Analytics uses cookies to track visitor activity, so yes that is covered by GDPR and you will need to inform people accordingly.
      The data inside Google Analytics (the reporting) normally does not have any personal information contained within it and hence there isn’t an issue with the data in the application.

  15. Lucy says:

    A very valuable article, thank you. Why couldn’t I find this type of article on the government website? A few questions for you to which I would be very grateful for a reply:

    – Being an internet retailer, we pass on almost every customer’s information to couriers and, on occasions, to suppliers for direct deliveries. Do we need individual consent tick boxes for information to be passed onto the courier and supplier? Do we need a contract between ourselves and the couriers and suppliers?

    – Again, having a website, our website host and web developers have access to our customer data. Do we need individual consent for these? Do we need a contract between ourselves and them?

    – We keep a customer’s details for at least the length of the warranty on the products they purchase for traceability. Is this no longer acceptable? You would be surprised how many customers rely upon us to trace their original order, because they cannot find their proof of purchase.

    – Potential customers often provide their name, email address, etc, over LiveChat, especially when it is ‘off-line’ and they leave a message for us to respond to. How is their data protection covered in this scenario?

    Thank you in advance.

    • Susan Hallam MBE says:

      Hi Lucy, and thanks for your kind words about my post.

      I really must start by repeating I am not a solicitor, and this blog post does not constitute legal advice. It is just my personal interpretation.

      You asked several questions, so here goes:

      1. Consent is just one of six grounds for processing data. Another lawful ground is having a contract in place, for example to buy something. Delivery companies will almost always be able to use contracts with the individual to collect personal data. It is self-evident that delivery companies need people’s names, addresses and contact information to send packages to their destination and confirm their delivery.

      2. Yes, you do need to review your contracts with your various partners who process data on your behalf, including your web development partner. Here is some useful information for you:

      3. GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. Your warranty period sounds reasonable to me, and you just need to document it in your GDPR documentation.

      4. With regards to LiveChat, under new GDPR legislation, companies who use live chat software to collect customer data are classed as “data controllers”. Simply, a data controller is an individual or organisation that determines what, why, and how data can be collected. The consumers tracked and chatted to via live chat software are classed as “data subjects”. This term refers to an individual who can be directly or indirectly identified via the information collected about them. Businesses, then, are under new obligations to work within a clear data protection framework, and handle data legally and in compliance.

  16. Really good article thank you. I am in the middle of the long process of rewriting policies in line with addressing what we need to do as a small business.

    Perhaps this is a strange/daft question but thinking in terms of duplicate content, judging by the repetition of certain words/phrases (GDPR repeats amongst others including data). Not to mention the non relevancy to our product range, do you think this will place at risk of ‘google slaps’?

    Kind Regards


    • Susan Hallam MBE says:

      I’m not sure I understand the question, but if you are referring to policy pages on your website, then no, there is no issue with duplicate content.

  17. Sabri Elia says:

    Hi Susan,

    Thank you for your article.

    There are some questions I’d be happy if you could help me with.

    In order to manage our sales activities we use a third party service provider. Once we have a new sign up on our platform, we transfer potential partners to the third party service. The third party service provider facilitates the communication through different channels. With this in mind, do we need a specific consent during the sign up process in order to use this specific sales tool?
    Generally speaking, do we have to mention each third party service provider by name including an opt-in check box in our privacy notice in order to be able to use any third party services?

    Many thanks in advance!

    • Susan Hallam MBE says:

      Hi Sabri, and you’ve asked a great question. My answer at this point has to be I just don’t know.

      The draft guidance does state “give granular options to consent separately to different types of processing wherever appropriate.”

      And “Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.”

      But this could lead to quite complex consent statements and could be seen to go against the very essence of the GDPR, which emphasises the requirement to make information notices clear and concise.

      So…. all I can say at this point is watch this space!
