8 Steps to make your website GDPR compliant

8 Steps to make your website GDPR compliant

The GDPR, or General Data Protection Regulation, is one of those intimidating laws that most businesses have in the backs of their minds. However, many companies don’t have an adequate grasp of GDPR or how to become compliant in GDPR.

What is GDPR and what is a GDPR compliant business?

The GDPR is a law of the European Union, though the UK has essentially the same law of its own, which is meant to protect EU consumers’ private data. It’s a law that guarantees certain privacy-related rights to EU citizens and lists practices your organization needs to follow regarding data privacy, such as keeping data secure, giving users the option to delete their data, being transparent about your data collection, and so on.

Countries require compliance with GDPR to help their citizens stay safe from data breaches, manipulative or invasive marketing, and other risks that come from a loss of digital privacy. Unless you’ve led a concrete effort to implement measures to comply with GDPR on your website, chances are there are critical requirements you’re missing. And those missing pieces can cause you to not be GDPR compliant. A lack of GDPR compliance can be costly, to the tune of millions in penalty fees.

How do you make your website GDPR compliant? The exact process will depend on what measures you already have in place and which ones you don’t, but follow these 8 steps to make sure all your bases are covered.

1. Find out where you stand with GDPR compliance

For all those who say, “I don’t know how to make my website GDPR compliant or where to even begin,” becoming GDPR compliant is easier to get started than you might realize. Before you make any changes, you need to know where you stand with GDPR compliance.

When first starting your journey to becoming GDPR compliant, there are a few questions you’ll need to ask, specifically which GDPR requirements do you currently meet and which ones should be on your to-do list?

The best way to make an initial GDPR compliance assessment is with compliance software—a tool that scans your site and its operations against the GDPR requirements. The right compliance platform will identify all the requirements you’re missing so you can start off with a clear and efficient action list to become compliant with GDPR.

2. Add requests for permission where necessary

One of the cornerstones of GDPR for websites is a switch from implied consent to specified consent. Implied consent is when users implicitly agree to data collection by being on your website. Specified consent occurs when users explicitly opt-in to data collection. Any time you’re collecting any user data, you need a checkbox, button, or similar way for users to consent to it.

If you’re using cookies or gathering any other data that users don’t purposefully provide, you need a pop-up or notification they see as soon as they get to your site. If you’re using any data you obtained from web sources, you must gain consent before adding them to a mailing list. Sources include:

  • Forms
  • Surveys
  • Pages where users purposefully input data

3. Add data collection information to your site

Another key to GDPR compliance is being transparent about:

  • What data you’re collecting 
  • How you’re using it
  • How you’re processing it
  • Who can access it 
  • Who you’re sharing it with

If you already have terms of service or a privacy policy on your site, you can include this information there. Or, you can add a new page or document to your site with these details as part of becoming GDPR compliant.

4. Investigate any third-party apps, plug-ins, or tools

Many websites use third-party components in some way. You might be using Google Analytics or other tracking tools for website metrics. You might have implemented plug-ins to allow for certain features or designs, or you may use a third-party chat service for example.

However, it’s important to understand that some of these plug-ins may cause your website to not be GDPR compliant. Regardless, if you’re using a third-party tool that plays any role in collecting, storing, using, or processing data from users, you need to make sure that tool is GDPR compliant.

5. Create a way to get in touch

Among other requirements, GDPR guarantees users certain rights regarding their data, like:

  • The right to request all the data you have about them 
  • The right to request that you delete all their data

Users need to be able to reach the right person in order to act on their rights. Within your GDPR policy that details your use of user data, include the contact information of your data officer so users can reach out to them with these requests.

6. Update your data security

GDPR is all about the use and accumulation of user data, but it doesn’t just apply to you and how you use the data. To be GDPR complaint you also need to safeguard users’ data against unauthorized people accessing and misusing it.

For this reason, you need to implement data security measures to be GDPR compliant. This may look different at every company, but it can include tools and precautions like: 

  • Access controls 
  • Specific employee IDs
  • Anti-virus software
  • Firewalls
  • Other security measures

7. Develop policies for GDPR compliance

As we noted above, GDPR guarantees that users have certain rights when it comes to your data, so you need to comply with users’ requests. These include: 

  • Requests to see all the data you have for them
  • Requests to delete all their data from your servers
  • Requests to correct their data

To be GDPR compliant, you need a GDPR policy that outlines your protocols and processes for addressing these requests.

You also need policies regarding potential data breaches, like protocols for addressing a breach and notifying users that their data was compromised. Be sure to have systems in place to monitor site changes and ensure GDPR compliance. This step of becoming GDPR compliant can be as simple as using an automation tool like Vanta to regularly scan your system.

8. Confirm and document your GDPR compliance

If you’ve followed the steps above and followed the guidance from your initial automation scan, your website should now be GDPR compliant. You need to confirm and document GDPR compliance.

The simplest strategy for how to make sure your website is GDPR compliant is to run your scan again. This thoroughly documents your compliance with each GDPR requirement so you can rest assured that you’ve checked all the boxes and that you’re adequately protecting your users’ data.

Get GDPR Compliant

GDPR compliance software

Ultimate GDPR compliance checklist

How can GDPR compliance software make a difference to your business?

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes