9 steps to GDPR compliance for your first business website

We've partnered with The UK Domain to tell you what you should do to make your business website GDPR compliant.

When you’re setting up your business website, checking that you’re GDPR compliant may be lower down on your list of priorities.

However, even as a one-person operation, you must be in line with the law – or else you could be slapped with a serious fine.

We want to take the intimidation out of the process by guiding you through these nine steps to GDPR compliance for your new site.

1. Establish where your data comes from and how to handle it

As a quick reminder, personal data is defined as any information which can be used directly or indirectly to identify a person. It could be a name, photo, email address, bank details, medical information, computer IP address, cookies or social media posts.

Your starting point is to know where data comes from and what you do with it. Data can be collected through Google Analytics and GPS location trackers as well as through email sign-ups. Next, pinpoint where the information is stored and who can access it.

Work out your procedures for:

  • Proving someone has given you consent
  • What to do if someone wants their data to be erased
  • What to do if you suffer a data breach

At this point, think about the type of data you’ll be collecting. If you’re asking about their favourite food and you’re not a food or drink business, that teeters into the territory of unnecessary information. The data you collect must have a ‘lawful basis’, which can be one or more of the following:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public tasks
  • Legitimate interests

Ensure you’re able to handle requests for a person’s data to be removed or changed.

2. Make your marketing emails GDPR compliant

To draw people to your site, you’re likely to include marketing emails in your business strategy.

The most important consideration here, as with any area of GDPR, is consent. You must be able to prove that a user or customer has given you consent to send them marketing emails. This includes everyone on your email database.

As well as ensuring everyone has consented, it’s got to be easy and fuss-free for them to opt out. This could include an unsubscribe link at the bottom of emails or an option to edit email preferences through their online account. Include unsubscribe options in every email.

3. Perfect your opt-in forms

Opt-in forms will be in your registration forms, cookie pop-ups/banners and privacy policy.

It’s crucial that opt-in forms are not pre-ticked – users must actively tick the box themselves. Label the checkbox in a way that isn’t confusing, avoiding the ‘if you don’t want to receive marketing emails, don’t tick the following two boxes’ trap.

To save yourself from an accidental subscribe situation, you could go for a double opt-in process. This could be a tick box to sign up to your mailing list and a follow-up email to confirm subscription.

Be careful with automation too. If an email gets sent to someone who has opted out, that could land you with a penalty.
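A minimal consent ledger illustrating steps 1 to 3 above: an unticked-by-default box, a double opt-in confirmation token, a record you can later produce as proof of consent, and an opt-out check that every automated send is gated on. This is an added example, not code from the article or from The UK Domain; the signing key, the record fields and the ConsentLedger method names are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
SIGNING_KEY = b"constructed-demo-key-replace-me"  # constructed; load from config in real use


@dataclass
class ConsentRecord:
    ticked_at: datetime                      # when the user actively ticked the (unticked) box
    policy_version: str                      # which privacy notice wording they were shown
    source: str                              # the form the tick came from
    confirmed_at: Optional[datetime] = None  # set when the emailed confirmation link is used
    withdrawn_at: Optional[datetime] = None  # set when the user unsubscribes


class ConsentLedger:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}  # keyed by lower-cased email address

    def token_for(self, email: str) -> str:
        # Unguessable token that goes into the "confirm your subscription" email.
        return hmac.new(SIGNING_KEY, email.lower().encode(), hashlib.sha256).hexdigest()

    def request_signup(self, email: str, box_ticked: bool, policy_version: str, source: str) -> str:
        # The box is unticked by default; only an active tick creates a record.
        if not box_ticked:
            raise ValueError("checkbox not ticked: nothing to record")
        self.records[email.lower()] = ConsentRecord(datetime.now(timezone.utc), policy_version, source)
        return self.token_for(email)

    def confirm(self, email: str, token: str) -> bool:
        # Second step of double opt-in: only a valid token completes the subscription.
        rec = self.records.get(email.lower())
        if rec is None or not hmac.compare_digest(token, self.token_for(email)):
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        return True

    def unsubscribe(self, email: str) -> None:
        if (rec := self.records.get(email.lower())) is not None:
            rec.withdrawn_at = datetime.now(timezone.utc)

    def erase(self, email: str) -> bool:
        # Right to erasure: drop everything held about the address.
        return self.records.pop(email.lower(), None) is not None

    def can_email(self, email: str) -> bool:
        # Gate every automated send on this so nobody who opted out gets a message.
        rec = self.records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```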

4. Write a privacy policy

A privacy policy outlines how you collect and release information about a user. It should clarify what is confidential or shared with other firms, researchers or sellers.

You’ll need to say what personal information you collect, how you collect it and use it, and whether you share or sell it. Be clear in your language and avoid jargon as far as possible. Clear formatting, such as bullet points, is important too. Include the lawful basis, or bases, you use as well.

Keep in mind that the more data you request and store, the more difficult it’ll be to write a privacy policy.

Next, tell users that their data is stored securely. You don’t have to go into specifics here, but it’s reassuring for them to know. Outline user rights, including amending their data, deleting data and having their information erased on request.

Let them know if you’ve made changes to your privacy policy, like changing the type of data you collect or how you store it. It keeps users up-to-date and helps you remain transparent.

Finish up with a contact information section should anyone have questions about the handling of their personal data.

5. Write a cookie policy and create a pop-up/banner

A cookie is a file which is saved to your device and stores the website’s name, giving you a unique ID to show that you’ve been there before. It can also store how long you’ve been on a website, which links you’re clicking on, preferences and settings, accounts you log on to, pages viewed and items in your shopping basket. When you revisit a site, they’ll remember you and give you a more personalised experience.

To help you create a cookie policy, it helps to know how said cookies are being used. It could be to remember login details, to create custom ads on subsequent visits, to remember preferences or to target marketing campaigns.

In your policy, tell users what kind of cookies you’re using, how you’re using them and how they can control the way that cookies are managed. Include a summarised version of this information in your privacy policy too.

You must have an opt-in checkbox here too. Like your emails, it must be easy to opt out of cookies – give users the option to change preferences in their settings.

Your pop-up/banner notification confirms consent and must be easy to understand with a link to your full cookie policy. Some website builders like WordPress will have a plugin that you can use to create the pop-up or banner and others can be created online.

6. Protect yourself from data breaches

You can protect data by encrypting it, restricting sharing, setting data retention policies, minimising the amount of data you hold and maximising user privacy as standard. With less data to steal, the risk of theft will be lower. To further protect data from hackers, don’t store it across multiple devices and programmes, and check that only authorised members of staff can access the info.

Privacy Impact Assessments (PIAs) also need to be carried out if there are changes to the company like a business acquisition, a new IT system or a new surveillance system.

At every stage of the process, you should encrypt, pseudonymise or anonymise personal data where you can.

It’s just as important that you know what to do in the event of a data breach. Contact the ICO within 72 hours of becoming aware of the breach and notify all customers that may have been affected as soon as possible.

7. Train your staff

Staff must have training and awareness of GDPR. This could be done by bringing someone in to lead training or by giving employees an online training course with a quiz.

8. Set up a GDPR compliance folder

This is where, if requested, you can prove how you obtained permission to gather someone’s personal data, what you use it for and how you keep it safe. It’s the place to store opt-in forms, privacy policies, pop-ups and other ways users have actively engaged to give you consent.

In your folder, you should include:

  • The name and address of the data controller
  • The name of your data protection officer (if you need one)
  • A record showing how your business processes personal data and what you do to protect it
  • Personal data impact assessment template
  • Privacy notices
  • Data retention policy
  • Procedure for subject access requests
  • Responses to data breaches
  • A data breach log
  • A notification template for the Information Commissioner’s Office (ICO) in case you need to report a breach
  • Records of staff training
  • Third party processors and copies of their contracts

The whole folder should be stored on the company’s file system and be ready to send to the ICO at short notice.

9. Create a regular review process

It’s a good time to review who wants their data removed and any data that you have and no longer use. Look at whether you might be holding on to more information than you need and if so, get rid of it.

This should give a sense of what you need to do to make your website GDPR compliant. For more detail, have a glance over the following links:

GDPR compliance for small businesses

Writing a GDPR-compliant privacy notice

How to write a cookie policy for your website

Anna Jordan

Anna is Senior Reporter, covering topics affecting SMEs such as grant funding, managing employees and the day-to-day running of a business.
