Bright White Space

Practical steps to take to ensure your website is GDPR compliant

This article is a guest article by McKenna Hughes.


The General Data Protection Regulation (‘GDPR’ or ‘Regulation’) will come into force on 25 May 2018. The purpose of the Regulation is to strengthen and protect the rights of individuals regarding the collection, storage and use of their personal data.

Whilst this article focuses on website compliance, the Regulation will permeate your entire business and will therefore also need to be considered in that wider context.

Who does the Regulation apply to?

The Regulation applies to any business in the European Union (‘EU’) or any business outside the EU that offers goods and services to, or monitors the behaviour of, individuals living within the EU. The UK is subject to the Regulation despite Brexit.

What data is affected by the Regulation?

Personal Data and Sensitive Personal Data are affected. These are defined within the Regulation.

Personal Data is any data that can be used to identify a living person (e.g. name, address, email address, national insurance number or IP address).

Sensitive Personal Data is a special category of personal data that needs to be even more carefully handled. It includes a living person’s sexual orientation, race, religious or political beliefs.

Preliminary actions to take without delay

What should you consider including on your website in order to be GDPR compliant?

Effective communication to users of your website is paramount. You need to actively seek their consent to use their data, and set out how and why you are collecting it. If there is one buzzword to remember with GDPR, it is arguably ‘transparency’. Be as transparent as possible with your users. Under the Regulation, individuals have the right to request erasure of their personal data from your systems. This is also known as ‘the right to be forgotten’. Put in place measures to ensure you are able to respond to these requests promptly and to effectively erase the information from your systems.

Include the following GDPR compliant documents in a prominent place on your website:

The Nature of your Business

Depending on the nature of your business, there may also be additional measures you need to take. For example, if your business is involved in e-commerce, it is likely that a payment gateway will be used for financial transactions. You will need to check whether your own website collects personal information before passing those details on to the payment gateway and, if it does, it will be important for you to implement measures to ensure that the personal information is removed after a reasonable period of time. The Regulation does not define ‘reasonable’ and therefore you will need to consider what time period would be considered necessary and reasonable in your business’s circumstances.


Compliance with the Regulation is to be ignored at your peril. Penalties for serious breaches are eye-wateringly large, with fines up to 4% of worldwide turnover or 20 million euro (whichever is greater). You could also face litigation from disgruntled users whose personal data you hold.

Need further assistance?

McKenna Hughes can assist you with GDPR compliance. Call or email one of our specialists at McKenna Hughes Limited: telephone 01789 721 831.

Note: this article is intended as a guidance note only. It does not constitute legal advice and should not be relied upon.
