Helpful guidelines to GDPR for your business’s website.

Disclaimer: This article is not provided as authoritative legal guidance. Gem Internet does not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.

Here are some helpful guidelines for businesses to follow to make their website more compliant with the GDPR data protection regulation, which applies from 25th May 2018. This is not a complete guide to all data protection best practice, but guidance on how to make a website more compliant.

The General Data Protection Regulation (GDPR).

GDPR is in place to make sure that businesses that store a user’s data do so in a secure and proper way. It’s about looking after the information you, as a business, hold about other people, and how it is used.

The questions you need to review:

It should start with a data risk assessment, which is not limited to the data revolving around the website but covers the whole business’s practices. You should address the following questions about your website:

  1. What data is being captured and held?
  2. When and where is it captured?
  3. How long will the data be stored?
  4. How is it being used?
  5. Do you have a lawful basis for holding and using the data, and where that basis is consent, can you show it was explicit?
  6. Do you display who to contact to find out what data is held about a user and how it is being used?
  7. Do you display the process for a user to ask to have all the data you hold about them permanently removed from your systems? (The right to be forgotten, also called the right to erasure)

You must be able to prove that you were given explicit consent to hold the data and what it will be used for, which means recording when, where and how that consent was collected.

The user must be able to withdraw consent at any time.

Organisations need to make sure they:

  • Have a data breach process
  • Appoint a Data Protection Officer (DPO) where the regulation requires one, for example where your core activity involves large-scale monitoring of individuals or large-scale processing of special category data
  • Have a ‘Right to be Forgotten’ process (also known as Right of Erasure)
  • Have good default privacy settings
  • Encrypt stored data and work towards storing user profiles under pseudonyms, with the means of re-identification kept separately

Compliant connected systems: Google, Mailchimp, Salesforce, Facebook etc

You need to make sure that your processes and privacy policy clearly state which third-party data processors you use and where a subject’s data is passed to.

The website GDPR compliance guideline checklist:

As an organisation you need to make sure you are registered on the ICO (Information Commissioner’s Office) website as a data controller (you may also be a data processor, too). Go to for more information.

The website checklist:

1. Cookie policy

A page on your website that states what cookies are used on the site, both yours and from third parties and what data you capture with them and what you do with it.

2. Cookie & privacy popup notice

A notice that merely explains that users can clear or block cookies in their browser settings is not consent. Cookies that are not strictly necessary for the service the user has asked for (analytics, advertising and live-chat cookies, for example) should only be set after the user has actively opted in, and the site must still work if they decline. The simplest workable approach for most website owners is a banner that loads those third-party scripts only once the user has accepted, and that records the choice.

3. Privacy policy

A privacy policy is a more thorough document that states the website owner’s full statement of what data is captured, when it is captured, what the data is used for, the details of the third parties it is shared with, and the process for a user to request a copy of the details held about them and to request that they be permanently deleted.

4. SSL certificate

Properly a TLS certificate, though still commonly called an SSL certificate. It lets the site be served over HTTPS, which encrypts everything sent between the browser and the server, including form and login fields, so it cannot be read or altered in transit. Install it, redirect every HTTP request to HTTPS so that no page or form is ever served unencrypted (and consider an HSTS header so browsers remember that), and mark login and session cookies as Secure. Note that this protects data only in transit; data you then store on the server still needs protecting separately.

5. Pseudonymisation or anonymisation

Under GDPR (Article 4(5)), ‘pseudonymisation’ means processing personal data so that it can no longer be attributed to a specific person without additional information, with that additional information kept separately and protected. Identifying users by a username is not enough on its own if the username sits next to their name and e-mail in the same table. In practice a website moves towards replacing the direct identifiers in its working data (name, e-mail, phone) with a token, keeping the token-to-person mapping in a separate, access-controlled store, and encrypting both. Anonymisation goes further: data from which a person can no longer be identified at all is no longer personal data and falls outside GDPR.
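The following is an added example, written for this guide and not code from Gem Internet or any of the services named on this page, of the pseudonymisation approach just described: direct identifiers are swapped for a keyed token, the token-to-person lookup is kept as a separate object that can be stored elsewhere, and the key that produces the tokens is generated independently so that, without it, the working records cannot be linked back to anyone. The field names, the sample records and the helper names are all constructed for illustration.

```python
"""Pseudonymise stored user records so the working data set carries a keyed
token instead of name, e-mail and phone.

Added example for this guide; not Gem Internet's code. Field names, helper
names and the sample records below are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields that identify a person directly and must leave the working data set.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links tokens back to people.

    Keep it apart from the pseudonymised records (a secrets manager or an
    offline store): GDPR's definition of pseudonymisation depends on this
    'additional information' being held separately from the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, email: str) -> str:
    """Derive a stable token for one person from their e-mail address.

    HMAC-SHA256 rather than a bare hash: an unkeyed SHA-256 of an address is
    trivially reversed by hashing a list of known addresses, so it would not
    count as pseudonymised. Normalising case and whitespace keeps one person
    at one token across different forms."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into a working set (token plus non-identifying fields)
    and a lookup table (token -> direct identifiers) to be stored separately."""
    working: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        # Merge rather than overwrite so a phone given on one form survives.
        lookup.setdefault(token, {}).update(
            {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec})
        working.append({"subject": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(lookup: Dict[str, dict], token: str) -> Optional[dict]:
    """Only code that holds the separately stored lookup can map a token back."""
    return lookup.get(token)


def erase_subject(lookup: Dict[str, dict], token: str) -> bool:
    """Right-to-erasure step: drop the identifiers for one token.

    The working rows remain but can no longer be attributed to the person,
    provided they hold no other identifying detail; free-text fields such as
    enquiry messages still need reviewing by hand."""
    return lookup.pop(token, None) is not None


# Constructed sample input: two enquiry-form submissions from the same person
# (address typed with different capitalisation) and one from someone else.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "phone": "01234 000000",
     "interest": "quote request", "submitted": "2018-04-02"},
    {"name": "A. Example", "email": "A.Example@Example.org",
     "interest": "brochure", "submitted": "2018-04-09"},
    {"name": "B. Sample", "email": "b.sample@example.net",
     "interest": "quote request", "submitted": "2018-04-10"},
]

if __name__ == "__main__":
    key = new_pseudonymisation_key()
    working, lookup = pseudonymise(key, SAMPLE_RECORDS)
    for row in working:
        print(row)
    print("distinct people in lookup:", len(lookup))
```

Two points the code makes that the text alone does not: the same person submitting twice still collapses to one token, so reporting and de-duplication keep working on the pseudonymised set, and a different key yields entirely different tokens, which is why the key, not the tokens, is the thing to guard.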

6. Newsletter signups

Make sure the tick box that handles the subscription is unticked by default, so that the user has to opt in rather than opt out, and record when and where they did so. Every e-mail you send must carry an unsubscribe link, and an unsubscribe must be treated as a withdrawal of that consent.

7. User account creation

If your website is an online shop or allows a user to set up an account for access to services behind a login area, you will need to ensure that HTTPS is installed and enforced on every page, that passwords are stored only as salted hashes rather than in the clear, and that you start work towards storing the profile data using pseudonyms.

8. Payment gateways

If you have an ecommerce website and use one of the popular payment gateways, such as PayPal, Sagepay, Worldpay or Stripe, you need to make sure that the payment gateway privacy policies are checked and referenced in your own privacy policy.

9. Enquiry & contact form

If your website has an enquiry form for people to send you messages, you need to ensure the following are adhered to:

  • The website has an SSL
  • The details are not stored in the website’s SQL database unless stored encrypted
  • If they are sent to you by email, your email service provider adheres to GDPR rules and that the email is stored and sent according to GDPR secure methods
  • No pre-ticked boxes to automatically sign the enquirer up to a newsletter or mailing lists

The enquiry is specific to that instance. You cannot then add the user’s details to your marketing database unless they have explicitly agreed to it using a separate tick box.
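Sections 6 and 9 above both come down to the same record-keeping rule: consent is collected per purpose, an enquiry never implies marketing consent, a withdrawal must be honoured, and you must be able to show what was agreed and when. The following is an added example of one way to implement that, written for this guide rather than taken from Gem Internet or any named service; the purpose names, the policy-version string, the form field names and the sample submissions are all constructed assumptions.

```python
"""Per-purpose consent ledger for a website's forms.

Added example for this guide; not Gem Internet's code. Purpose names, the
policy-version string, form field names and sample submissions are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed: identifies which wording of the privacy policy the user saw.
POLICY_VERSION = "privacy-policy-2018-05"


@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # account id or pseudonym, never the raw e-mail
    purpose: str         # e.g. "enquiry", "newsletter"
    granted: bool        # False records a withdrawal
    source: str          # which form, page or link collected it
    policy_version: str
    at: str              # ISO-8601 UTC timestamp, e.g. "2018-05-25T10:00:00Z"


class ConsentLedger:
    """Append-only: a withdrawal is a new event, nothing is edited or deleted,
    so the history itself is the proof of what was agreed and when.
    Events must be appended in the order they happen; the latest one for a
    subject and purpose is the current state."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def has_consent(self, subject: str, purpose: str) -> bool:
        latest = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def evidence(self, subject: str, purpose: str) -> List[ConsentEvent]:
        """Everything ever recorded for this subject and purpose, for a
        subject-access request or a regulator."""
        return [ev for ev in self._events
                if ev.subject == subject and ev.purpose == purpose]

    def withdraw(self, subject: str, purpose: str, source: str, at: str) -> None:
        self.record(ConsentEvent(subject, purpose, False, source, POLICY_VERSION, at))


def handle_enquiry(ledger: ConsentLedger, subject: str,
                   form: Dict[str, str], at: str) -> List[str]:
    """Process one contact-form submission and return the purposes the
    subject has consented to afterwards.

    Browsers omit an unticked checkbox from the POST, so a missing
    'newsletter' field means no marketing consent. The box must not be
    pre-ticked in the HTML, and nothing here defaults it on."""
    ledger.record(ConsentEvent(subject, "enquiry", True, "contact-form",
                               POLICY_VERSION, at))
    if form.get("newsletter") == "on":
        ledger.record(ConsentEvent(subject, "newsletter", True, "contact-form",
                                   POLICY_VERSION, at))
    return [p for p in ("enquiry", "newsletter") if ledger.has_consent(subject, p)]


def can_send_marketing(ledger: ConsentLedger, subject: str) -> bool:
    """The check the mailing job must run before every send."""
    return ledger.has_consent(subject, "newsletter")


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submissions: one without the newsletter box, one with it.
    print(handle_enquiry(ledger, "subj-1", {"message": "Please call me"},
                         "2018-05-25T10:00:00Z"))
    print(handle_enquiry(ledger, "subj-2", {"message": "Send details",
                                            "newsletter": "on"},
                         "2018-05-25T10:05:00Z"))
    ledger.withdraw("subj-2", "newsletter", "unsubscribe-link",
                    "2018-06-01T09:00:00Z")
    print(can_send_marketing(ledger, "subj-2"), len(ledger.evidence("subj-2", "newsletter")))
```

The design choice worth noting is that the mailing job asks the ledger rather than a flag on the user record: a flag can be silently flipped by an import or a CRM sync, whereas the ledger keeps the original grant, the withdrawal and the policy version each was made under.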

10. Live chat

If you have a live chat service on your website, you need to make sure that you refer to this third-party service in your cookie policy and privacy policy.

11. Email

Whilst not strictly website-related, all e-mail services, and the storage of e-mail from everyone you correspond with, must comply with the DPA (Data Protection Act) and GDPR.

12. Social media account connection

Using social media sites for your organisation also falls under GDPR.

You also need to make sure that your privacy policy refers to these third-party data controllers, especially where you let people log in with their social media accounts (single sign-on, SSO) for convenience, since that shares data about them with the social network. You also need to ensure that, if you use your customers’ or connections’ details on your social media page to promote your business, you have their consent to do so.

13. Google Analytics (and any other user tracking systems)

If you run Google Analytics on your site (or other tracking services) you will need to make sure that it is referred to in the cookie policy and the privacy policy, and that it is loaded only after the user has accepted those cookies. You should also enable the IP anonymisation option in Google Analytics (the anonymizeIp setting), which truncates visitors’ IP addresses before they are stored.

14. A CRM connection

If your website captures users’ data and then writes it into a CRM, you need to make sure that the hand-off is secure (an encrypted connection, with the CRM’s API keys kept out of the website’s publicly readable files) and that you refer to the third-party service in your privacy policy.

New website launched

We have just launched a new website for the Chepstow Cosmetic Clinic in Chepstow, Monmouthshire. They specialise in non-surgical cosmetic treatments. Their service is second to none and they needed a new website to represent their excellent business. They provide Botox in Bristol, mole removal, skin tag removal and laser skin cosmetic treatments.

We built them a CMS website so that they can edit the content of the website themselves. We also provided them with an onsite SEO package to help them to rank higher in the search results for the local area.

Check out the new website here:

Google warns of poor search rankings for non mobile websites

Google has been altering its search results to improve the mobile search experience for its users.

One of the latest changes is showing a “mobile friendly” tag next to a website’s listing in the search results when the site is checked and found to display correctly on a mobile device.

To check if your website earns this status you can use the mobile-friendly website test tool.

Google has even started sending warnings to webmasters to inform them that their website is not mobile friendly!

If Google sees your website displaying or functioning incorrectly on a mobile they will email your webmaster account with a warning that your website may not rank as well in the mobile search results.

Needless to say, these search results are very important to all businesses online. This underlines the need to have a mobile friendly website; it’s not an option these days if you value your SEO rankings.

If you would like a new mobile friendly website, or to discuss your SEO please get in touch to see how we can help you.


Happy New Year to all of our customers

We hope your websites have served you well through 2014. We will be continuing to provide all of our clients the best service & website options we can through 2015! It should be an exciting year as we will be offering a range of new services to push your online presence to the limits.

So stay tuned & happy new year!

Why is SEO so important for your business website?

If you have a brilliant website but nobody can find it, or if your competitors are ahead of you in the search listings then you need search engine optimisation (SEO) to help your business to grow.

Even if your business is being found the chances are that we can provide you with even more customers & which business doesn’t want that!

Search engine optimisation is an ongoing service which includes many different factors to ultimately increase the number of visitors & conversions your business can achieve.

While it is possible to optimise your website’s code alone, there are now so many factors that affect your website’s ranking that we provide an ongoing monthly SEO service to our clients to support their ongoing marketing strategy.