We hope you enjoy reading the MEANit blog with all the guides and tips. If you want our team to help with your web presence click here

The articles here will give you everything you need to plan, design, develop, market and maintain your website, if you have the time required – Enjoy.

GDPR – General Data Protection Regulation

by | Last updated: Dec 5, 2022

GDPR website compliance – General Data Protection Regulation

GDPR (2016/679) – General Data Protection Regulation was agreed by the European commission in January 2012 after 4 years of deliberations and this is the Data Privacy law which comes in to effect on May 25th 2018 or 9th January for Financial firms. It replaces the 1995 Data Protection Directive. Failure to comply will carry very large fines to be imposed by the Data Protection Commissioner. This is all about personal rights, security and protecting any identifiable persons data, such as email address, name, address, postcode etc, to avoid spamming or abuse or much worse, such as illegal accessing of bank accounts. This ‘personal data’ is also referred to as ‘data subject’.

GDPR governing websites and mailing lists

EU GDPR TipsGDPR website compliance – our focus is obviously on how GDPR affects us and our own SME clients, with regards the data we already hold and any data we may intend to hold in the future. Yes this legislation is aimed at large corporations and unscrupulous marketers, but it also affects small businesses too. We will curate this article to keep it up to date with any useful advice and tips, to help you become and stay compliant. There is no need to panic immediately. Meantime, someone does need to take responsibility for this, to ensure your compliance. Check what data you hold, apply new measures to be compliant and also update your terms and conditions and Privacy policy on your website. You may be asked to produce a copy of any data held by you. And any breach of your data, should be notified to the relevant data protections authorities and possibly the persons affected. Failure to comply can lead to fines of 4% of turnover or up to €20 million whichever is greater. The main thing to remember is that you need to be up front and tell your website visitors what personal identifiable information data you collect, if any, and what you will do with it.

GDPR website compliance – 15 recommendations to keep you compliant

GDPR website compliance – Here are 15 ways to help keep you compliant and avoid big fines
1. email opt-ins – include a double opt-in so that after signing up, the person gets an email asking them to confirm that they did indeed opt-in to receive your communications. It is a useful protection for you, to show that you were asked to sign this person up. Mailchimp will do it for you, if you have the settings correctly set up. This will cover you going forward.
2. Lists – If you have a current list, then do offer people the chance to opt out, which will be evidence that you did give people the opportunity to opt-out. Ideally do cleanse your ‘list’. Use it as a reason to reach out to that list and find out who cares. Remember that under GDPR people have the right to ‘be forgotten’. Platforms like Mailchimp have updated their platform to include GDPR optins.
3. Unsubscribe – get out of jail card. Always include the option to ‘unsubscribe’, in your emails. Make it clearly visible. By all means add a message to explain why it would be a good idea to stay on the list rather than unsubscribe.
4. T’s & C’s – Include your terms and conditions on your website and ensure you refer to how you handle personal identifiable information data. Are people signing up to a mailing list or just to get a one off FREE guide or something similar. Provide informed consent about what you would like to do with that data..
5. Essentials – Only ask for the minimum amount of data. What do you really need? Name and email might do, so why ask for address or postcode? Keep it at a minimum. If you need postal addresses or date of birth in order to ship goods, then ensure that you only have this for real customers.
6. Pirating – Never buy or sell ‘lists’ – it is just wrong.
7. 3rd Party – Beware of third party applications such as your CRM to ensure that they are GDPR compliant. They may by default ask for more information than they need for you. Your email programme needs to protect against misuse. Your website will have third party plugins and each needs to be checked to ensure that they are GDPR compliant or they need to be replaced with a better option.
8. Clarity – Do not make it confusing when asking for information in opt-ins or asking people to opt-in to something, be clear about what is being offered or asked. Be honest.
9. Security – Protect your list data, use some form of security, as you will be held responsible, if your data is hacked. You need to show that you did apply some security. Ask your insurers if you can get some form of cover, if you are worried that your data might be breached. Get your laptops encrypted.
10. Data retention – Consider how long you might hold data. If someone buys off you once, are they likely to buy again/ Or if someone buys in 2017, but does not buy again within a set time, say one year or five years, can you decide to cleanse their information from your records. decide on a best before date for this sort of data.
11. Cookies on a site can gather information, so check your settings or be up front about what you do with the PII personal identifiable information. In Google analytics settings set the option for anonymization/masking the IP data.
12. Pixels – If you are using things like the Facebook pixel you are recording visitors activities and you need to be clear when you explain what you are doing with that information. State your use of such pixels and any information gathered in your own Privacy Policy.
13. CTAs – Simple calls to action on your website may be set to gather information, so again make sure you state what you do with such information.
14. Platform – Your website is built on some platform, possibly WordPress, Drupal, Joomla, Wix, Squarespace. This platform itself needs to be GDPR compliant, so check that it is to cover your self. These platforms all have new GDPR plugins to make all this much easier.
15. Check boxes – ensure that if you have check boxes when asking people to opt in, that they are not pre checked. The visitor must check the boxes themselves.

GDPR website compliance – Next steps for you

How to ensure GDPR website compliance and manage your existing data, without this becoming available to the wrong people. Truth be told, we should not hold any data on people just for the sake of spamming them. We should only market to people who are likely to want to hear from us or people in our industry, who may have a legitimate interest in what we have to say. Now is a good time to delete any personal data held on people who are not current clients or very likely potential clients. Why chase after people who do not want what you have to offer, when you could be focusing on those who do.

If you have a ‘list‘, many people in it may have forgotten that they ever signed up to it, so get in touch with them and offer an opt-out to them. This is a re-engagement process that is recommended. It gives you an opportunity to connect with your clients or potential clients and offer them a chance to engage with you. It might even start a new conversation. It certainly shows good  intent on your part, to avoid being an unwanted intrusion going forward. You may lose people from the list, but if they do not want to hear from you, then let them go free. Remember amend your Ts & Cs and Privacy Policy to include a data protection agreement – read more on getting your own Privacy Policy and Tc & Cs here..

If you need someone to ensure that your website is GDPR compliant, contact us and we can arrange an audit and any remedial work. We offer monthly website care plans that help ensure GDPR compliance.
Things that simply need to be done for every website include:
1. Do an audit of the website to see how you are currently collecting personal data, through Contact Forms, Newsletter Subscriptions, Cookies, and any tool that collects IP addresses. Tip: Only collect the bare minimum of data and declare this practice in your Privacy Policy page.
2. Do an audit of all your website plugins, to see what data they are collecting via your website. Do you need them to collect this data? Can you change the settings or change the plugin? Note: It is your responsibility to ensure that any plugins used do not breach the GDPR.
3. Ensure that you devise a simple way for visitors to request what data you hold on them and give them the right to delete it or be forgotten.
To book your GDPR website audit click here.
4. Check the settings in your Google analytics to see what data you are collecting and how long you are holding it and what is being done with it. Add this to your GDPR statement or Privacy Policy or both.

WordPress news – If you are using WordPress as a platform, you can update it, because versions from 4.9.6 onwards includes GDPR in its core, which includes a default Privacy Policy. Now you can create a Privacy Policy right in your website dashboard, rather than have a legal firm write one specifically for you. (Although that would be a better option). The plugin also allows you to export personal data, in case someone asks you which data do you hold on them, It means you can find someones personal data in your site and delete it. Likewise it comes with a Comment consent box to include a Comment consent statement or anyone who wants to leave a comment.

Useful GDPR links:

A & L Goodbody website obligations guideline for online traders websites HERE

Suzanne Dibble – The Small Business Law Expert has a wealth of useful information here.
An you can check out your Personal Rights here.
Facebook explains its GDPR policy here.
Whilst here is Googles statement.
And Mailchimp. .

In the UK they have a great resource at the Information Commissioners Office which has a great Guide to the General Data Protection Regulation (GDPR). And the ICO has a good page on Key Definitions as well as a page on the Principles of GDPR and one specifically on Consent covering the gathering of any Personal Data and one on Contracts around the use of Personal Data, as well as one on our Legal obligations. It also has an explanation about Personal Data breaches and about GDPR in relation to Children.

Data Controller versus Data Processor
There is a distinction between these, as one is the person who controls data such as payslips and health records, whilst another is someone who send out payslips or appointment notifications using that data. The Data Controller is always responsible for the data and their data processors.

REMEMBER – Ignorance is not a defence in the eyes of the law. Putting in some form of Best Practice for GDPR website compliance  and responding quickly and efficiently to any GDPR queries from visitors, will go a long way to avoiding any fines. We are not solicitors so we are not qualified to give any Legal advice.

Share this information.
Feel free to share this information. This is what we use when we do a GDPR website Audit for clients, but you are welcome to use it to help you stay compliant.

Bottom Line
GDPR is a good thing, however there are steps we all have to take in order to improve compliance, avoid penalties and upsetting visitors.

To get started book your GDPR website audit here


To get Googles take on GDPR with regards to Google Analytics – see below their recent email titled ‘Review your data retention settings before they take effect on May 25, 2018’:

“Dear Google Analytics Customer,
We recently sent an email introducing new data retention controls that allow you to manage how long your user and event data are stored by Google Analytics. We would like to remind you that the new data retention settings will soon take effect – on May 25, 2018.
If you haven’t already done so, please review and confirm these settings (Property ➝ Tracking Info ➝ Data Retention) as Google Analytics will begin to delete data according to these settings starting May 25.
Impact of this setting as of May 25 is the following:
• Any user and event data that is older than your retention setting will be marked for permanent deletion, and will no longer be accessible in Google Analytics.
• Deletion will affect the use of segmentation, some custom reports and secondary dimensions when applied in date ranges older than your retention setting.
• Reports based on aggregated data will not be affected.
Find out more
You can also learn more about these data retention settings or how Google Analytics is committed to safeguarding your data.
The Google Analytics Team”

Optout options – some tips

Do not Opt In for stuff if you can avoid it. Do not buy personal items online or even instore using a loyalty or credit card. Giving over any data that tells Data Collectors what your preferences will lead to you being sold to OR worse. If you do not opt in then you wil not have to opt out.

When sites like Facebook or Linkedin ask you to share your Contacts or Address book with them, click NO.

You can go to https://simpleoptout.com/ and find links to opt out from all of these companies, one at a time:
1stdibs • 23andMe • AAA • Adobe • Ancestry.com • Amazon.com • American Express • Apple • AT&T • Bank of America • BeenVerified • Biden 2020 Campaign • CapitalOne 360 • Carnival Cruises • CB2 • CenturyLink • Chase • Choice Hotels • Comcast Xfinity • Condé Nast • Costco • CoreLogic • Crate & Barrel • Disqus • Facebook • Frontier Communications • Google • Guitar Center • HBO • Hearst • Home Depot • Hulu • Instant Checkmate • InterContinental Hotels • Kustomer • LendingClub • Lexis-Nexis • LG • LinkedIn • Marriott Hotels • Mastercard • Meredith/Time Inc. • MetLife • Microsoft • National Geographic • Nature Conservancy • Netflix • NYTimes • OptOutPrescreen.com • PayPal • PeekYou • People Search Now • PictureFrames.com • Pinterest • Reddit • Retail Equation • Riskified • Rockler • Roku • Roomba (iRobot) • Samsung • Saatchi Art • Seattle Art Museum • Seattle Times • Slashdot Media • Southwest Airlines • Spokeo • Sprint • Taunton Press • T-Mobile • TruePeopleSearch • Trump 2020 Campaign • Tuft & Needle • Twitter • United Airlines • US Postal Service • Verizon • Visa • Vizio • Wells Fargo • Whitepages.com • Wiliams-Sonoma • Woodcraft • Yahoo/Oath • Yelp • YouTube • Zeta Global

What about cookies and GDPR in 2022?
Lots of users block any unwanted cookies by default in their web browser software especially in Chrome. Website Developers can add a general cookie notice with a page outlining the actual cookies in use on the website. The website will or should only include cookies necessary to the use of the site, such as to log in to an account and edit any of the website content, and to record website usage without PID personally identifiable data through Google Analytics.  This should referred to your IT department or whoever is responsible for security, as it is not something that should be left to your web design agency.

About The Author

Do you want more traffic?

Hi, at MEANit we help 34 ‘Professional Services Firms‘ to be effective online annually. Will your business be one of the 34 in 2024?


Written by Michael MacGinty

Michael is a well known speaker, author and coach on SEO and how to use the web to grow a business. He is also WP Elevation certified as a Digital Business Consultant.
Blog Categories
Website Design
Search Engine Optimisation
Website Support Info
Website Tips
Digital Marketing
Business Tips

Get ‘loved’ by

MEANit Web Design SEO Google Logo

You May Also Like…

Marketing Strategies for Accountants in Ireland

Marketing Strategies for Accountants in Ireland

The plan is to highlight why digital marketing strategies are imperative and how to craft an effective digital marketing plan for your own accountancy firm that also aligns with the unique requirements of this particular Accountancy services sector.

read more