Thank you for your submission!

Make Your Website GDPR Compliant

26th April 2018

What is GDPR?

The GDPR (General Data Protection Regulation) is the new EU Data Protection regulation that replaces the Data Protection Act 1998 and comes into force on 25th May 2018. It enhances the protection of the personal data of EU citizens and increases the obligations for organisations who collect and process personal data of these citizens.

The ICO has published an excellent set of webpages aimed to inform you about GDPR, which you can find here. But we aim to give you an overview of some key points and practical tips to help your website become GDPR compliant.



Q. What is personal data?
A. Personal data is any information relating to an identified or identifiable natural person for example, name, address, email address, phone number and so on.

Q. I’m only a small business, do I have to comply?
A. Yes, if you hold and process personal information about your clients, prospects, employees or suppliers, you are legally obliged to protect that information in line with the regulations.


Under GDPR, you will need to have a lawful basis to collect & process any personal data, and importantly document that this is what you have decided. There are six lawful bases’, which are: -

Legal Obligation
Vital Interest
Public Task
Legitimate Interest


GDPR Considerations for your Website


Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be blank. You will need to check your forms to ensure this is the case. The consent that you're asking for should also be set out separately from accepting terms and conditions. It is also essential that users are informed as to what they're signing up for. Rather than 'sign up to our newsletter', you must state what the user will receive once signed up, I.e. latest offers, promotions, new product information etc and you should link to your privacy policy.


Methods of Contact

Users should be able to provide consent for different types of contact. Giving your customers the option to be contacted by post, email, or phone.


Easy Opt-Out

It must be easy for customers to remove their consent. Having an un-subscribe button at the bottom of your emails, and a clear un-subscribe procedure on your marketing documentation is essential. We would also recommend an area within the website where users can amend their preferences.



If your website uses cookies, then you will need consent from your website visitors to use these cookies on them. This involves adding a cookies bar to your website to gain consent and ensure that all data is passed in an encrypted format.


Latest Version

You must ensure that your website software is on the very latest version available. It is essential that security updates and patches are completed as soon as possible to ensure that the website stays secure.


Right to be Forgotten

The GDPR requires that data be forgotten / deleted from the system at the customer’s request. In Magento, it is possible to implement a module that would allow for the removal of this data from Magento with ease. This will ensure that data that should not be stored under new laws is also removed from the system. It’s worth pointing out that this is not an absolute right to have data erased and can be a bit confusing, for example you will need to process your customers data so that you can process their order. You can read more about when this right applies here.


Online Payments

If your website is transactional, it is important to check that your payment gateway provider is GDPR compliant and document the evidence that you've made contact with them to confirm this. It is important to be able to provide evidence which demonstrates that you have taken adequate action to ensure compliance is met.


Third Party Software

Similarly, and in addition to the above, it is essential to ensure that all third-party software in connection with your website (I.e. module extensions, email marketing software, live chat functions, etc.) are GDPR compliant. You should also need to state if data is being passed to or via a third party software. There is also a requirement to ensure you have a contract or agreement in place with any processors that details what they are allowed to do with the data, and other accountabilities under the GDPR, you can see a simple checklist here.


Terms and Conditions

Terms and conditions including your Privacy Policy, Terms of Use and Cookie Policy, on your website will need to be updated to reflect the new GDPR legislation. The Information Commissioner’s Office (ICO) has kindly provided a sample Privacy Notice that you can use as a template for your website. You can find out more here.


SSL Certificate & Server Security

Ensuring that your website is protected from hackers who can steal your customers personal information is essential and means that both your website and the hosting server have to be of GDPR standard. SSL stands for Secure Sockets Layer and it is a technology that uses the encrypted connection between server and web browser. An SSL certificate can be easily purchased and installed on a website's server. When this is done, every connection between the web server and browser is encrypted, which means that all data sent via submitted forms is protected.

If you have any specific questions on GDPR, please contact our GDPR team at



The information provided here is our views of the GDPR. It does not constitute legal advice and our views may change as the Information Commissioners Office publishes more guidance. You should consider taking your own legal advice as you see appropriate.

news image