Is your website GDPR friendly?
With the deadline having passed, attention to GDPR regulations has waned. This guide covers fundamental requirements most websites must meet to align with data protection legislation, along with practical approaches for achieving compliance if you’re currently lacking.
Key areas requiring consideration include:
- Cookie and privacy notifications
- Privacy documentation
- Cookie management policies
- SSL certificate implementation
- Newsletter subscription protocols
- Form data handling
Cookie and Privacy Notifications
Under data protection law, explicit user consent is mandatory before collecting or storing information. A notification popup serves this purpose by alerting users to data collection practices. User acceptance indicates agreement to information gathering procedures.
When collecting and storing user data, accompanying privacy documentation becomes essential. The popup should present both cookie and privacy policies, with acceptance signifying agreement to both documents.
WordPress users can implement popups using available plugins. Cookiebot provides free cookie management for smaller sites. Alternatively, manual implementation requires adding code directly to the site.
Privacy Policy
A dedicated privacy policy page is fundamental. This documentation must detail what data is collected and when. It should identify third-party involvement and relevant processes. Contact information for the Data Protection Officer (DPO), the person handling user data requests and deletion, is required.
Professional writers can create these documents, or templates are available online. Professional review of any template is advisable to ensure accuracy. WordPress provides built-in privacy policy templates and guidance in the tools section.
Cookie Policy
A dedicated page explaining cookie functions should be available. This policy must describe what data cookies capture and their intended uses. Third parties receiving access to this information require disclosure.
Templates exist online, though professional review remains recommended for all documentation.
SSL Certificate
Secure Socket Layer certification creates an encryption layer on hosting infrastructure, displaying a green padlock icon and “secure” label next to the URL. Without this certificate, browsers display “not secure” warnings.
Certificates are available for purchase. Alternatively, professional website hosting plans often include SSL certification at no additional cost.
Newsletters
Companies wishing to maximise newsletter reach must obtain explicit user permission for distribution. Email addresses alone don’t authorise contact. Data protection requirements mandate expressed consent, typically through an unchecked checkbox on forms. Users must actively opt-in since default selections cannot assume agreement.
Services like Mailchimp facilitate compliance through features including double opt-in functionality.
Contact Forms
Forms collecting information require specific security measures:
- SSL certificate implementation
- Encrypted SQL database storage (or alternative secure locations if unencrypted)
- Secure destruction of printed emails through shredding
- Unchecked consent checkboxes by default
- Email provider compliance with data protection standards
Email providers must adhere to relevant regulations, as email represents a frequent vulnerability point for data mishandling and abuse.
Conclusion
Data protection legislation affects websites in numerous ways. The guidelines presented represent foundational requirements. Compliance applies wherever data collection occurs, including methods not covered here. E-commerce sites exemplify this complexity, collecting substantially more information than contact details or cookies, requiring comprehensive legal consideration.
Disclaimer: This article provides guidance only. Neither Brink Media nor the author accepts responsibility for direct or indirect consequences from the use, application, or reliance on this material.