How to Make Your Website GDPR Compliant
By Lauren Dingus, Director of Web and Social Media Department

Lauren Dingus of Speros

Lauren Dingus of Speros

With data security becoming more and more of a concern, the General Data Protection Regulations (GDPR) being implemented in the European Union is sure to become the precedent for other countries, like the United States.

Your company can use GDPR as an advantage by becoming compliant with these regulations as soon as possible. By adopting these regulations, you will show your customers that you value their privacy and security. In turn, your customers will trust you. Here are a few quick ways you can get ahead of the competition.

Privacy Policy and Terms & Conditions
You want to make sure you have an updated privacy policy. Your privacy policy needs to clearly lay out how you are acquiring data from users, where the data is being stored, how long you intend to keep the data, how users can view the information you’ve stored, and how the user can have the data removed from your systems. Along with your privacy policy, your website should also include its terms and conditions for users on the site. This should briefly outline how users are allowed to interact with your site.

Easy Opt-in and Opt-out
Your website visitors need to be able to opt-out just as easily as the opted in. Normally you have your users subscribe their email as your opt-in option. Opting out should be just as simple. For example, if you are sending your users email marketing, have a link at the bottom where they can choose to opt-out. You can include this link in your privacy policy as well.

SSL Certificate
A Single Socket Layer, or SSL certificate, is a small file that you put into your website. It makes all your content secure between servers, can help your Google search engine optimization (SEO), and help build trust with your customers. The SSL certificate provides the “padlock” symbol that you often see in web browsers and the “https://” in front of your domain name. When your customers see this, they know that your website is secure.

IP Tracking
If your website uses IP tracking that provides you with identifiable details about your visitors, then you need to make it known in your privacy policy. This data is different than what is collected with Google Analytics and is considered personal data.

Re-marketing is when a website uses cookies to track your online activity and serve you ads based on your online activity. For example, if you’re on a website that sells a product and then you later log onto Facebook and see an ad from that site, it used cookies to track your information. You must make website visitors aware of this in your privacy policy.

Advertising the use of and the acceptance of using cookies is law. It needs to be clear immediately on the website for the user to be able to accept or deny the use of cookies. In addition, it needs to be outlined in your privacy policy that you use cookies and what you use them for.

Social media advertising
If you plan on using email addresses for social media marketing lists you must make users aware. They have to willingly opt into the social media marketing and you must provide them with an easy method to opt-out.

Website forms
Input forms on your website cannot have prefilled form fields. This is considered implied consent. Your forms must be clear and allow your website visitors to give explicit consent for each type of processing. The user must give their consent freely for everything they are opting into.

Online payments
If your website uses a payment gateway like PayPal, your own website may be collecting personal data from the transactions made. You must make sure your website has an SSL certificate to ensure your users it is safe. You need to make it clear in your privacy policy that what information is being collected. If the information is being stored, then you need to make it clear how long the information will be stored, and if the user wants the information removed you must do so.

Data breaches
Lastly, you must notify users of any data breach that takes place within 72 hours. Furthermore, if the breach puts users’ freedoms and rights at risk, then the Information Commissioners Office website must also be notified.

Ultimately you want to get ahead of the competition and comply with the regulations of GDPR as it will quickly become the standard. By doing so you will build trust with your customers and build your company’s reputation as a trusted source.

Lauren Dingus is the Director of Web and Social Media Department at Speros, responsible for the website development division including high-end graphic design, integrated functionality and security components. For information, contact Dingus at or 912.790.5117.