GDPR website compliance checklist: Are you ready?


Times have changed. Today, most of us do not know how valuable the data we share with websites is.

Did you know that by the time WhatsApp was acquired by Facebook, each of its users was valued at $42? My point is this: did you ever try reaching out to a company like WhatsApp to ask for your commission? You could not even think about it, firstly because you did not know the value of your data, and secondly because WhatsApp's policy on sharing data was published but you chose not to read it.

The implementation of GDPR forces websites to notify visitors that they use cookies, location data, and other information the visitor is about to provide. Essentially, the concept of consent that is freely given, effective, prompt, and specific is being restructured with new rules and regulations. This means that businesses need to be more transparent. Entrepreneurs and business owners have no option to skirt it: they must comply with the policies or face heavy fines.

What personal data are we talking about?

  • First name, email address, postal address
  • IP address, location data
  • Race, sexual orientation, religious and political beliefs

What Rights Do Data Subjects Have Under GDPR?

  • Information
  • Access
  • Rectification
  • Erasure
  • Restrictions on processing
  • Data portability
  • Objection
  • Review of automated decisions or profiling

Since the website is the face of the business, it should tell users that it is GDPR compliant. There is a massive checklist to complete before a website can claim compliance.

Below are a few points that websites should take care of to be GDPR compliant:

  • Option to withdraw consent (opt-out)

    Websites should give users the option to withdraw consent for the use of their data; a user can revoke a company's permission to use it. For example, the unsubscribe link should be highly noticeable. Websites with a payment gateway often store the information a user provides in their own database before passing it to the merchant's servers. If that is the case, the data should be deleted after the specific period of time stated in the privacy policy. Moreover, it should be delivered to the user when they ask for it, and deleted from the organization once it has been shared with them.

  • Separate consent from T&C

    Websites should have users acknowledge the site's own terms and conditions (T&C) page, redirecting them to it so that consent is obtained separately from the T&C.

  • Seek less information

    Remember those applications that ask for more information than they need, even when the app's sole purpose has nothing to do with the information requested? Likewise, a website should not request information it does not require, whether through social media apps and widgets or through contact forms.

  • Make nothing by default

    For example, if a user can choose whether to receive promotional emails, it is unacceptable for the "yes" box to be checked already. Everything should be unchecked by default.

  • SSL Certificate is green!

    An SSL certificate, shown by the browser's padlock, gives visitors a subconscious boost in their confidence in the website's overall security.

  • Data protection officer

    A DPO (Data Protection Officer) is not mandatory, but it is a benefit that helps secure the company's data. Therefore, the DPO should be named in the privacy policy so that users are informed.

  • IP address tracking message to users

    Users must be notified if a website has integrated third-party tools that track the user's IP address. Additionally, if the website has a comment system, this should be disclosed to users in the privacy policy.

  • Cookie opt-in

    It is mandatory for websites to have users accept that they are using cookies to collect data. Cookies are used to build a better customer experience. According to GDPR, websites must "get their clear consent to process the data."

  • Data breach procedure

    In the event of a data breach, websites are responsible for notifying all users and explaining the reason for the breach. This procedure must also be described in the privacy policy.

  • Privacy policy

    One can take references from other websites on how to create a privacy policy. Don't just copy and paste it; it needs to be tailored to the business and the data it holds.
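The "Option to withdraw consent", "Make nothing by default" and "Cookie opt-in" items above describe behaviour a site has to implement, not just write into a policy. The following is an added example, not code from the article or from OnlyB2B: a small consent model in which every non-essential category starts switched off, tracking cookies may only be set once the user has explicitly ticked their category, and withdrawing consent produces the list of cookies the site must expire. The cookie names, their categories and the sample Cookie header are constructed for illustration.

```javascript
// Added example, not code from the article: a minimal consent model for a
// website that starts with every non-essential category switched off, lets
// tracking cookies be set only after explicit opt-in, and supports withdrawal,
// which also yields the list of cookies that must be expired.
// Cookie names and their categories below are constructed for illustration.

const COOKIE_CATEGORIES = {
  session_id: 'essential',  // needed to operate the site; no consent required
  csrf_token: 'essential',
  _ga: 'analytics',         // constructed example of an analytics cookie
  _fbp: 'marketing',        // constructed example of a marketing cookie
  promo_optin: 'marketing',
};

const NON_ESSENTIAL = ['analytics', 'marketing'];

// Default state: nothing pre-ticked ("make nothing by default").
function defaultConsent() {
  return { analytics: false, marketing: false, updatedAt: null };
}

// Record an explicit choice. Only categories the user actively ticked become
// true; everything else stays false. Returns a new state object.
function grantConsent(state, tickedCategories) {
  const next = { ...state, updatedAt: new Date().toISOString() };
  for (const category of NON_ESSENTIAL) {
    next[category] = tickedCategories.includes(category);
  }
  return next;
}

// Withdrawal ("opt-out") resets every non-essential category to false.
function withdrawConsent(state) {
  return grantConsent(state, []);
}

// Gate used before setting a cookie or loading a tracking script: is this
// cookie allowed under the current consent state? Unknown cookie names are
// treated as non-essential and refused (deny by default). hasOwnProperty is
// used so names such as "constructor" do not match Object.prototype.
function isAllowed(state, cookieName) {
  const known = Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, cookieName);
  const category = known ? COOKIE_CATEGORIES[cookieName] : undefined;
  if (category === 'essential') return true;
  if (category === undefined) return false;
  return state[category] === true;
}

// Split a Cookie request header into the cookie names it carries.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0]);
}

// Given the cookies currently present, return those that must be expired
// because their category has no consent (or consent was withdrawn).
function cookiesToExpire(state, presentCookieNames) {
  return presentCookieNames.filter((name) => !isAllowed(state, name));
}

// Build Set-Cookie header values that remove the disallowed cookies. Path
// (and Domain, if one was used when setting the cookie) must match the
// original cookie for the browser to delete it; Path=/ is assumed here.
function expiryHeaders(state, presentCookieNames) {
  return cookiesToExpire(state, presentCookieNames).map(
    (name) => `${name}=; Max-Age=0; Path=/`,
  );
}

// Demo run with a constructed Cookie header.
const demoHeader = 'session_id=abc123; _ga=GA1.2.1; _fbp=fb.1.2';
let demoConsent = defaultConsent();
console.log('default, expire:', cookiesToExpire(demoConsent, cookieNames(demoHeader)));
demoConsent = grantConsent(demoConsent, ['analytics']);
console.log('after analytics opt-in, expire:', cookiesToExpire(demoConsent, cookieNames(demoHeader)));
demoConsent = withdrawConsent(demoConsent);
console.log('after withdrawal:', expiryHeaders(demoConsent, cookieNames(demoHeader)));
```

The point of the gate is that the site consults `isAllowed` before every non-essential cookie write or tracker load, so the default state of all-false means nothing is tracked until the visitor acts; on withdrawal the same gate tells the site which cookies to expire, and the `updatedAt` timestamp gives you a record of when the choice was made.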

One of the purposes of GDPR is to improve the customer's journey, and businesses can use that to make themselves better. Making the journey less intrusive and more productive is something any customer would want. Customers need to know what data they are providing, and websites must convey what they are acquiring.


About Vikas Bhatt

With 10+ years of B2B Lead Generation, Vikas Bhatt now runs OnlyB2B, a reputed B2B Demand and Lead Generation company from India that serves most European nations, the US, Mexico, and Canada. Vikas is a renowned Demand Generation expert, motivational speaker, and a B2B entrepreneur. You can connect with Vikas over email:

