How to make your website GDPR friendly

Is your website GDPR friendly?

How to get your website up to standard

With the GDPR deadline already gone, people are thinking less and less about the legislation. What I want to discuss with you is some of the basic rules that most websites need to follow to align with GDPR, as well as some easy ways to make your website GDPR friendly if it is not already.

GDPR requires that you have considered the following:

  • Cookie and privacy pop up
  • Privacy policy
  • Cookie policy
  • SSL certificate
  • Newsletter sign up opt in
  • Enquiry and contact forms

Cookie and Privacy pop up.

GDPR means that you can never assume that anyone has agreed for you to collect or store their information. This is where a popup comes in handy: the popup makes people aware that you are collecting information about them. By clicking this popup, they are consenting for you to gather this information about them.

As you are gathering information about the user and storing it, a privacy policy also needs to be put in place. This is why the popup contains both the cookie policy and the privacy policy. By accepting the cookie policy, they are also agreeing to your privacy policy.

If you don’t have a cookie policy on your website, then there are a couple of ways to put one on. Firstly, if your website uses WordPress, there are plugins available that will add the popup for you. Cookiebot is a free cookie controller for smaller sites. Alternatively, you can add it by hand. This would involve adding code to your website and is something we do for all our clients as part of our web design process.

Privacy policy

Having a privacy policy is as simple as having a privacy policy page on your site. This document needs to have details about what data is collected as well as when it is captured. It also needs to include information about third parties and their processes. The contact details of your DPO (data protection officer), if you need one, also need to be within this document. This is the person that the user can contact to request their data or have it permanently deleted.

You can get a professional to write this for you. Alternatively, you can find a template online. We advise that you still have a professional look over it just to make sure that everything is correct. WordPress recently added a template and guide for adding a privacy policy to your website, so if you use WordPress you might want to have a look in the tools section.

Cookie policy

A page that shows your cookie policy should be available. This policy should have information about what the cookies are capturing, as well as what you are using this data for. Third parties that have access to this information should also be mentioned.

Templates for this policy can also be found online, but we would also advise you have a professional look over all of your documents.

SSL Certificate

An SSL (Secure Sockets Layer) certificate is an encryption layer that sits on the hosting space of the site. This certificate adds a green padlock and the word “Secure” next to the URL. If your site doesn’t have this certificate, then it will show “Not secure”.

If your website doesn’t have this certificate, then you can buy one. Alternatively, you can take advantage of our website hosting which includes an SSL certificate for free.

We posted on our blog about SSL certificates and you can find that here.


Newsletter sign up opt in

If your company produces a newsletter, you want as many people to see it as possible. However, you can’t just email anyone, even if they have already given you their email address. GDPR means that they will have had to express their consent to receiving your newsletter. This can be in the form of a tick box at the bottom of a form, but the box must be unticked by default. This is so the user can opt in to get your newsletter, as consent cannot be assumed. Services like Mailchimp make it easy to be GDPR compliant when using a newsletter and offer double opt-in.

Contact forms

If your website has a contact or enquiry form, then it must have the following in place to ensure that the data that you are collecting is secure.

  • SSL Certificate.
  • The SQL database must be encrypted. If your database is not encrypted, then the data must be stored in another location.
  • Printed emails must be destroyed securely; this normally involves shredding. Printing emails can create an easy data breach and should be avoided where possible.
  • Any consensual tick box must be unticked by default.
  • Your email provider must also comply with the GDPR. All emails that are sent and stored must adhere to the legislation. Many email providers will have privacy policies that adhere to GDPR, as emails are one of the more common places that private data can get misplaced, misused or abused.

There are many ways that GDPR affects websites. These are just some of the basic rules that websites need to follow. GDPR applies wherever a website collects data. This includes some collection methods that we haven’t covered. An e-commerce website would be an example of this. This type of site will collect more data than an email address or cookies, so this data collection needs to be considered in regard to the GDPR legislation.


This article was prepared by Brink Media as guidance only. Neither Brink Media nor the author accepts any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.