GDPR compliancy for website owners

With the deadline of May 25th, 2018 fast approaching, OSD Digital Agency has been asked what actions or recommendations would we advise for GDPR compliancy of websites?

It cannot be overstated that the business owner is responsible for seeking legal advice on GDPR compliancy for their business, a part of which might include their website or digital marketing activities.

Businesses can’t expect their web developer or hosting provider to oversee an important law – it’s an issue for the business owner just like health & safety, insurance etc.

The business owner is a data controller and the data controller is ultimately responsible for the protection of any personal data stored. That being said, hosting providers and web developers have a responsibility to GDPR also, they are data processors. Other data processors include tools like MailChimp, SalesForce, Hubspot etc.

All personal data is subject to GDPR whether that data is stored by your organisation or with an external data processor.

Privacy Policy

The privacy policy on your website should be addressed first, and the changes to make include:

  • Include a GDPR compliance line.
  • State exactly what information you collect and store from website visitors, which includes but is not limited to IP addresses, cookies, email, phone, name, addresses.
  • How and where personal information is processed should be clear and concise.
  • Indicate exactly who has access to personal data. (MailChimp, Xero, Hubspot, you, your team)
  • Specify who is the Data Protection Officer and how to lodge a data subject access request.
  • State how long personal information is held.

Automatic opt-ins

You must not automatically have check boxes ticked on contact forms, or assume that an unchecked box is consent to be contacted.

Necessary data

All personal data that you have stored should be deleted if you no longer need it. This includes emails and attachments which contain personal information. Keep only one version of personal information, and you may keep a copy for backup.

Data requests

You may receive requests from your clients asking about any data you hold.  Here are some pointers if asked for a copy of their data, right to be forgotten requests and withdrawal of permission to process data.

  • Verify their identity.
  • Ensure that you have the data before processing the request, if you do not have it respond and state that you don’t have the data.
  • While performing the request, don’t create more personal data.
  • Process their request.
  • Record it in the data audit log.
  • Do not reveal other peoples personal data, e.g, in eCommerce shipping, names other than that of the requester.
  • Contact the person that you have received their request and flag their data to be excluded from further data processing.
  • If the request is for withdrawal of permission for further processing, then flag the data in your databases as not to be used in marketing reports or data mining.
  • If the request is for removal, delete and/or redact the personal information stored. Remove it from all systems and marketing suites.
  • Comply with the request within 20 days.

Data Breach

It is advisable to have a plan for a data breach. Here are a few steps that you should take.

  • Investigate the breach and determine the source.
  • Put actions in place to prevent the breach from occurring again.
  • Report the scope of the breach to affected data subject.
  • Notify the Data Commissioner of the breach including:
    • The scope of the breach.
    • Number of affected subjects.
    • The source of the breach.
    • The measures taken to prevent and stop the breach from happening again.


GDPR states that before sending an email marketing campaign you must obtain consent. You can’t just send promotions to anyone who has signed up to any other services. You must also ensure that marketing automation tools, in particular email lists, are up to date and every email address owner has given consent. Again it is not permissible to pre tick boxes. The example below from Hyundai shows that you must obtain permission for particular types of communication if you offer more than one.


GDPR example for Hyundai

Cookies are considered as personal data under GDPR, and as such marketers can still collect them but they must obtain permission and offer the user an easy way to withdraw permission.

Whether its marketing or website GDPR that you are concerned about before the deadline day, it is important to map a data flow of how you receive and what you do with personal data. The pointers discussed in this blog post are a great starting point, but there is nothing like hiring a professional to help your business achieve GDPR compliancy. As always the website GDPR and you is great for all you need to know.