Vanta automates security compliance.
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

8 Steps to make your website GDPR compliant

November 24, 2021

The GDPR, or General Data Protection Regulation, is one of those intimidating laws that most businesses have in the backs of their minds. However, many companies don’t have an adequate grasp of GDPR or how to become compliant in GDPR.

What is GDPR and what is a GDPR compliant business?

The GDPR is a law of the European Union, though the UK has essentially the same law of its own, which is meant to protect EU consumers’ private data. It’s a law that guarantees certain privacy-related rights to EU citizens and lists practices your organization needs to follow regarding data privacy, such as keeping data secure, giving users the option to delete their data, being transparent about your data collection, and so on.

Countries require compliance with GDPR to help their citizens stay safe from data breaches, manipulative or invasive marketing, and other risks that come from a loss of digital privacy. Unless you’ve led a concrete effort to implement measures to comply with GDPR on your website, chances are there are critical requirements you’re missing. And those missing pieces can cause you to not be GDPR compliant. A lack of GDPR compliance can be costly, to the tune of millions in penalty fees.

How do you make your website GDPR compliant? The exact process will depend on what measures you already have in place and which ones you don’t, but follow these 8 steps to make sure all your bases are covered.

1. Find out where you stand with GDPR compliance

For all those who say, “I don’t know how to make my website GDPR compliant or where to even begin,” becoming GDPR compliant is easier to get started than you might realize. Before you make any changes, you need to know where you stand with GDPR compliance.

When first starting your journey to becoming GDPR compliant, there are a few questions you’ll need to ask, specifically which GDPR requirements do you currently meet and which ones should be on your to-do list?

The best way to make an initial GDPR compliance assessment is with compliance software—a tool that scans your site and its operations against the GDPR requirements. The right compliance platform will identify all the requirements you’re missing so you can start off with a clear and efficient action list to become compliant with GDPR.

2. Add requests for permission where necessary

One of the cornerstones of GDPR for websites is a switch from implied consent to specified consent. Implied consent is when users implicitly agree to data collection by being on your website. Specified consent occurs when users explicitly opt-in to data collection. Any time you’re collecting any user data, you need a checkbox, button, or similar way for users to consent to it.

If you’re using cookies or gathering any other data that users don’t purposefully provide, you need a pop-up or notification they see as soon as they get to your site. If you’re using any data you obtained from web sources, you must gain consent before adding them to a mailing list. Sources include:

  • Forms
  • Surveys
  • Pages where users purposefully input data

3. Add data collection information to your site

Another key to GDPR compliance is being transparent about:

  • What data you’re collecting 
  • How you’re using it
  • How you’re processing it
  • Who can access it 
  • Who you’re sharing it with

If you already have terms of service or a privacy policy on your site, you can include this information there. Or, you can add a new page or document to your site with these details as part of becoming GDPR compliant.

4. Investigate any third-party apps, plug-ins, or tools

Many websites use third-party components in some way. You might be using Google Analytics or other tracking tools for website metrics. You might have implemented plug-ins to allow for certain features or designs, or you may use a third-party chat service for example.

However, it’s important to understand that some of these plug-ins may cause your website to not be GDPR compliant. Regardless, if you’re using a third-party tool that plays any role in collecting, storing, using, or processing data from users, you need to make sure that tool is GDPR compliant.

5. Create a way to get in touch

Among other requirements, GDPR guarantees users certain rights regarding their data, like:

  • The right to request all the data you have about them 
  • The right to request that you delete all their data

Users need to be able to reach the right person in order to act on their rights. Within your GDPR policy that details your use of user data, include the contact information of your data officer so users can reach out to them with these requests.

6. Update your data security

GDPR is all about the use and accumulation of user data, but it doesn’t just apply to you and how you use the data. To be GDPR complaint you also need to safeguard users’ data against unauthorized people accessing and misusing it.

For this reason, you need to implement data security measures to be GDPR compliant. This may look different at every company, but it can include tools and precautions like: 

  • Access controls 
  • Specific employee IDs
  • Anti-virus software
  • Firewalls
  • Other security measures

7. Develop policies for GDPR compliance

As we noted above, GDPR guarantees that users have certain rights when it comes to your data, so you need to comply with users’ requests. These include: 

  • Requests to see all the data you have for them
  • Requests to delete all their data from your servers
  • Requests to correct their data

To be GDPR compliant, you need a GDPR policy that outlines your protocols and processes for addressing these requests.

You also need policies regarding potential data breaches, like protocols for addressing a breach and notifying users that their data was compromised. Be sure to have systems in place to monitor site changes and ensure GDPR compliance. This step of becoming GDPR compliant can be as simple as using an automation tool like Vanta to regularly scan your system.

8. Confirm and document your GDPR compliance

If you’ve followed the steps above and followed the guidance from your initial automation scan, your website should now be GDPR compliant. You need to confirm and document GDPR compliance.

The simplest strategy for how to make sure your website is GDPR compliant is to run your scan again. This thoroughly documents your compliance with each GDPR requirement so you can rest assured that you’ve checked all the boxes and that you’re adequately protecting your users’ data.

Get GDPR Compliant

GDPR compliance software

Ultimate GDPR compliance checklist

How can GDPR compliance software make a difference to your business?