Check your website is GDPR Compliant

11 things you should know about...

  • Make sure your Website is GDPR Compliant

    1 May 2018

    We are often asked about GDPR and how it affects websites, analytics, sign up forms etc.

    So we have put together a checklist of 11 issues you should consider when making your website GDPR compliant.

    We hope this information helps. If you have any comments or additions you think we should add please email  

    This is not legal advice - the below are just pointers to the things you should be thinking about.

    1. Google Analytics, Tag Manager and Other Tracking Tools

    If you are using Google Analytics (who isn't!), then you will be glad to know that Google has stated that the use of Google Analytics is compliant with GDPR as no personal data is collected.  However, you should give website users the chance not to accept the use of cookies and give them a link to your privacy policy which should tell users about how you use cookies.

    For advanced Analytics users and Tag manager users, you should also make sure that you are not importing data into Analytics to help you identify people. This would break Google's Guidelines as well as creating issues with GDPR compliance.

    2. Call Tracking / IP Look-up Applications

    If you are using other tracking software such as Lead Forensics or CANDDI, or call tracking apps such as CallRail, Infinity or KeyMetrics, then you need to tell people you are doing this. You need to make it clear what data you are collecting and what you are going to do with this data. You will need to get their consent - you can't hide this in your terms and conditions!

    3. Website Enquiry Forms

    When someone completes an enquiry form on your website, this data is passed over the web. If the page is served over plain HTTP, the data is not encrypted in transit and can easily be intercepted/stolen. Under GDPR it is your legal responsibility to keep any personal data safe.

    So if you have any contact forms on your website you have two choices:

    A/ Change to HTTPS (HTTPS is the secure version of HTTP, the protocol over which data is sent between the user's browser and your website)

    B/ Remove the form and just have an email address 

    The second option is not really an option for most companies as it removes your ability to ask key questions and it makes tracking enquiries less reliable and more complex to measure.

    Changing to HTTPS is, therefore, the route most companies are taking. Not just to ensure GDPR compliance but also because Google has begun showing a 'Not Secure' message to your website visitors where you have a web form on a page that is not HTTPS.

    However, changing your website to HTTPS has its own issues - see our article on changing to HTTPS.

    4. Changing your Terms & Conditions 

    It is very likely that you will need to change the terms and conditions on your website due to GDPR.
    You will need to make sure that you tell people clearly:

    i/ If and how you are using cookies

    ii/ What data you will collect on people who use your website

    iii/ What you will do with any data users provide to you when using your website, including marketing purposes, profiling, or any processing

    iv/ Whether you are going to share any of this data (including to any group companies)

    v/ How they can change or request deletion of the data you store on them

    5. Changing your Privacy Policy

    Your privacy policy will also need to change to let users know:

    - What personal data you store
    - What you will do with any personal data you store
    - How long you will store this personal data 
    - How you are keeping this personal data secure
    - Who is the 'data controller' within your organisation
    - Whether you are going to share any of this data (including to any group companies)
    - How they can access the data you store on them
    - How they can request the data you store on them is changed or removed (Subject Access Requests)
    - If you are going to use their personal data for profiling, credit checks or any other processing

    6. Including a Data Protection Policy?

    Your Data Protection Policy will also need updating for GDPR. This policy is primarily about how you store, process and transfer data.

    This is usually an internal policy document that provides key information to employees, contractors and other relevant parties on the policies and procedures regarding data protection and security.

    You should review this and include the relevant sections of this on your website to show users how you will keep their data secure. Some organisations incorporate this into the Privacy Policy and / or Terms & Conditions of use.

    7. Getting visitors to opt-in transparently

    You will no longer be able to automatically start sending marketing emails to a user who has sent an enquiry along with their details. Nor will you be able to use pre-ticked boxes or bundle consent for promotional material with other necessary T&Cs.

    Users will need to give active consent to receive content from you. This means that you need to spell out, in an obvious, clear and transparent manner, exactly how you will use their data, what the users will receive from you and how: whether that is special offers, company newsletters, product information etc., and whether it will be by email, phone call, text messaging or direct mail.

    Leading on to the next point...

    8. Getting your opt-ins to select the information they are happy to receive

    Users should be given the option to receive or not receive certain materials from you. For example, you may be going to send them:

    A/ updated information on the products they have bought from you

    B/ marketing for other products they may be interested in

    C/ related information (by law you cannot send them unrelated information!)

    D/ related information from third parties

    The user needs to have the option to receive one or more of the above.  Again, this should be clearly stated and users have the right to update their preferences at any time. The only time you are exempt from this is if you have a legal or contractual obligation to send information to the user.

    9. Considering how and where this data is stored

    You should ensure that any data that is being collected by your website is transferred securely (see HTTPS above) and is being stored securely. If this data is being stored by a third party such as Google, MailChimp, Salesforce or other CRM systems, you need to ensure that access to these systems is limited and controlled.

    If you are transferring the data to be stored outside the EU you should let users know within your Terms & Conditions and Privacy Policy.

    10.  Who has access to this information (particularly for Ecommerce Companies)

    You should review who receives the data that is sent to your organisation via your website(s). 

    You should restrict this to those who need to know and those people need to be trained in data protection and security. 

    This includes any agencies you use, contractors and sub-contractors. 

    Limits should be put on the ability of staff and external contractors to download this data, and those with access to any personal data should be fully trained in GDPR.

    11. Get your external website contractors to sign a non-disclosure agreement

    You should ensure you have a non-disclosure agreement in place with any third party who has access to any personal data. Your staff should also have a non-disclosure clause within their employment contracts.


    It is quite a list but you will already be doing most of this (hopefully!). 

    Please note: You don't have to have done all of this for the 25th May 2018 but you do have to show that you are working towards compliance.

