Is your business compliant with the personal data protection act?

Is Your Business GDPR Compliant?

On 25 May 2018 the EU's General Data Protection Regulation (GDPR) came into effect. It's quite confusing, even for experienced marketers like us, so we've put together this short guide to help your site move towards GDPR compliance if you haven't done so already.

GDPR Compliance In Five Steps

  1. Take another look at your privacy policy and really fine-tune it
  2. Get clear consent before using cookies (Google Analytics and the like)
  3. Got a WordPress site? What about the plug-ins?
  4. Cut down the data you collect and store through your website forms
  5. Clean up your mailing list


1) Your Privacy Policy

You really need to update your privacy policy so that it makes your collection and use of data completely transparent. This normally means detailing how you collect data, which cookies you set and what they are used for, and whether user data is shared with anyone. Make sure it also covers any data collected by plug-ins on a WordPress site.

It's really not a good idea to cut and paste someone else's privacy policy, as it's probably not going to contain the right information for your site specifically. You may also need to include statements like:

  1. We do not sell data
  2. We do not share data unless compelled to by the law
  3. We will only ask for your personal information if it is needed to provide some sort of service to you

You should then follow this up with details of the types of data you collect, how you use them, and what you do to protect them.

2) Obtain Clear Consent When You Use Cookies

Under the GDPR cookies count as 'personal data', mainly because what they collect can be used to identify an individual. Best practice is to obtain clear and specific consent from users before placing cookies and tracking them.

This can be done with a pop-up shown to the user on their first visit that lets them consent to or decline cookie use overall.

Be aware, though, that to fully comply you must not pre-select a default answer such as "decline": the user must actively choose an option. You can't place cookies on their browser until the user has explicitly given you permission.
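As an added example (not code from the original article), here is the logic behind such a consent gate: analytics only loads after a recorded, explicit choice, and a missing, malformed, or out-of-date consent record counts as "unanswered" rather than as either default. The cookie name, policy version and cookie lifetime are assumptions.

```javascript
// Added example: consent gate with no default answer.
// A record made under an older privacy-policy version is treated as
// unanswered, so the visitor is asked again after the policy changes.
const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const POLICY_VERSION = 2;                  // assumed; bump when the policy changes

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns 'granted', 'denied' or 'unanswered'. Anything that is not a
// well-formed record for the current policy version is 'unanswered'.
function consentState(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return 'unanswered';
  let rec;
  try { rec = JSON.parse(raw); } catch { return 'unanswered'; }
  if (!rec || typeof rec !== 'object') return 'unanswered';
  if (rec.version !== POLICY_VERSION) return 'unanswered';
  if (rec.analytics === true) return 'granted';
  if (rec.analytics === false) return 'denied';
  return 'unanswered';
}

// Build the cookie value recording a choice the visitor actively made.
// The timestamp is kept as evidence of when consent was given or refused.
function consentCookieValue(analyticsAllowed, now = new Date()) {
  const rec = { version: POLICY_VERSION, analytics: analyticsAllowed, at: now.toISOString() };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
         '; Max-Age=15552000; Path=/; SameSite=Lax; Secure';  // 180 days, assumed
}

// Run the analytics loader only when consent was explicitly granted.
// Returns true if the loader ran, false otherwise.
function maybeLoadAnalytics(cookieHeader, loader) {
  if (consentState(cookieHeader) !== 'granted') return false;
  loader();
  return true;
}
```

In a real page the `cookieHeader` argument is `document.cookie` and the loader inserts the analytics `<script>` tag; the banner's two buttons each set `consentCookieValue(true)` or `consentCookieValue(false)` and nothing is set until one is clicked.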

3) WordPress Plug-ins And GDPR Compliance

Plug-ins frequently make use of user data. Although it's challenging, it's essential that you work out which of your plug-ins handle user data and what they do with it, because plug-ins must also comply with the GDPR. A lot of plug-ins set cookies, so they are subject to user consent and should be listed in your privacy policy.

Both WordPress and Joomla! site owners should keep a close watch, as many of the plug-ins currently installed on both platforms are definitely not compliant. Developers on both platforms are working hard on these issues, so it's a good idea to follow the social media channels of any plug-ins you use to stay abreast of their latest updates.

Basically, it's your responsibility to make sure any plug-ins used on your website can export, provide and delete the user data they collect.

To meet the GDPR compliance rules, in some cases it might be necessary to switch to a different plug-in altogether.

4) Cut Down On Data You Collect And Store Using Website Forms

As marketers, we always advocate collecting the least amount of data possible on any web form. The reason has always been that the fewer form fields a potential client has to complete, the more likely they are to convert into an actual lead.

Best practice for conversion rate optimisation (CRO) is to use landing pages when you're running pay-per-click or Facebook advertising campaigns, and a common thread is to keep the forms as simple as possible to maximise conversions. In fact only 3% of users will fill out four fields on a contact form. To stay on the right side of GDPR compliance, collect data only from fields actually needed for processing. Also be aware that many form plug-ins, such as "Contact Form 7" or "Ninja Forms", store user submissions in a separate database within your CMS, so that stored data is also yours to manage.

5) Lastly You Definitely Need To Clean Up Your Mailing List

Does your website and marketing already incorporate an email list? Best practice has always been to use double opt-in for your list. In case you didn't know, double opt-in basically means that after the user provides an email address, you automatically send them a message containing a 'confirmation link' that they need to click to finalise their subscription.

For some reason there has been a prevailing panic amongst British businesses that you need double opt-in for GDPR. You don't. Double opt-in is definitely something you can use, as it is an excellent way of proving that you obtained proper consent, but it's not actually required.

Lastly, if you ever purchased a mailing list from a third party, you should stop using it now and delete it for good.

Individual Rights: Key Provisions Of The GDPR

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The full list can be found on their individual rights page, but below we've covered the points we feel most concern ourselves and our customers:

Access Rights And Data Portability

If you use a CMS (such as WordPress or Joomla!) it's not that difficult to implement a way of exporting a user's data to a standard CSV file or another easy-to-read format. Often this is done through a fairly simple plug-in; if you don't use one of the common CMS platforms, it may be something you need to have custom-built.

The Right To Erasure

The GDPR introduces the right for individuals to have their personal data erased (also known as the right to be forgotten). Website owners need a process for dealing with any erasure request, whether it is made verbally or in writing. There are some exceptions that allow you to keep data, but otherwise if a user asks you to erase their data you must. This can include content created by the users themselves, such as forum comments, blog posts and form submissions.

Remember you have only one month to respond to any request of this nature.

Privacy From The Ground Up

Basically, you need to ensure that you have adequate safeguards both to restrict data sharing and to protect the data itself. You should only collect data that is strictly necessary, keep any forms to fewer than four fields, and get rid of any data that is no longer relevant.

You should also ensure that only the minimum number of staff at your organisation have access to this data, rather than everybody who works there. Lastly, it is very much worth moving your website to HTTPS, which encrypts all communication between your users' browsers and the website itself.

It also has the added benefit of improving your search engine optimisation, as Google now takes HTTPS into account as part of its algorithm.

While website GDPR compliance isn't simple, by taking the steps above you will be substantially more compliant than you were before. If you're using any sort of CMS, you should definitely watch for changes to any plug-ins you use as well as to the core version of the platform itself (WordPress has recently put out a new version that is significantly more compliant).

Continuing on the subject of GDPR compliance, take a look at how gated content fares under the new regulation, with arguments both for and against the idea.
