top of page

7 actions to ensure your website is GDPR compliant

Updated: Mar 15

Your website is a showcase for your business and your offering. But you should know that it is also a showcase for some of your internal processes, including your GDPR compliance and personal data and privacy protection processes.

Internet users are increasingly aware of the challenges of complying with the GDPR: they have a better understanding of the risks involved in processing their personal data, they are informed of their rights, and they no longer hesitate to exercise them.

The growing number of complaints lodged with the CNIL is proof of this: Internet users are concerned about how their personal data is used, and no longer hesitate to denounce companies that they feel are not complying with the rules.

So what website compliance actions are essential? What do you need to keep an eye on to ensure that your website is GDPR-compliant?

conformité RGPD site web
Photo de Lee Campbell sur Unsplash

1- Minimise personal data collection activities

The first essential element in ensuring that your website is compliant is to minimise as far as possible the personal data you collect via your site.

Your contact forms, newsletter subscription forms and event registration forms often collect personal data (a surname, first name, email address and/or telephone number).

The GDPR requires you to minimise this type of collection of personal data: so you are authorised to obtain only the personal information you strictly need. Let's take the example of a newsletter sign-up form: asking for an email address seems logical, asking for a first name may also be justified (I want to personalise my emails). However, you would not be authorised to ask for a postal address or a telephone number: why would you need this information to send your mailings?

As you will have gathered, the principle of data minimisation requires companies to collect and process only the data that is necessary and useful. It is forbidden to collect data "just in case".

Internet users no longer wish to share so much personal information online, so they are wary of these over-inquisitive forms, which they no longer hesitate to denounce.

2- Make sure that the people concerned are properly informed

This is known as the principle of transparency: Internet users must be informed in a clear and comprehensible manner of all stages in the processing of their personal data.

This means that Internet users must understand why their personal data is obtained, the purposes for which it is processed (why the data is being processed), the applicable legal basis, the potential recipients of this data and their 'Data Protection' rights.

And this applies to every data processing operation!

Let's say, for example, that you offer, on your website, a registration form for your newsletter as well as an online quotation request tool. These two forms should include very specific information that is specific to them, clearly explaining what data is collected and processed, how and why, as well as the rights that Internet users have.

This information is strictly compulsory. As the GDPR is a regulation that aims to encourage the ethical processing of personal data in a way that respects the privacy of the individuals concerned, this transparency approach is essential.

3- Make sure you obtain the consent of the people concerned

When you process personal data, the data subjects must be informed about the data processing (that's the previous part) but also, sometimes, they must have consented to the data processing!

Consent is just one of the six legal bases that enable a company to justify and legitimise the processing of personal data (for more details on these 6 legal bases, we have written a blog article on the subject). Consent is not always necessary or the most appropriate legal basis.

However, when personal data is collected from a website (thanks to cookies placed by the site or thanks to contact, subscription or registration forms, etc.), consent is THE appropriate legal basis!

So when you want to collect personal data with your website, you must have obtained the consent of the people concerned beforehand (and of course you must be able to prove the consent of the people concerned, by keeping proof of this consent somewhere).

4- Propose a privacy policy

The confidentiality policy is also a mandatory element on a website. The purpose of a confidentiality policy is to provide transparent and comprehensible information to Internet users about the data processing carried out via the website.

A confidentiality policy therefore makes it possible to summarise all the data processing carried out on the site, to explain and inform the people concerned about the terms and conditions of this data processing, and finally to make it easier for them to exercise their Data Protection rights.

It is not advisable to copy the privacy policy of another website, firstly for obvious reasons of plagiarism (the content published on other sites does not belong to you, so you do not have the right to re-use it) but also for reasons of accuracy! This confidentiality policy should inform Internet users about the real conditions under which their personal data is processed on YOUR site (and not on the neighbour's site).

5- Display a compliant cookies banner

The absence of a compliant cookie banner is probably the most noticeable feature on a website. Internet users know perfectly well that every website must offer a cookies banner, so that they can refuse marketing or analytics cookies.

And once again, Internet users have no hesitation in denouncing companies that may be acting in bad faith.

To be compliant, your cookies banner must:

  • Make it as easy to refuse cookies as it is to accept them (for example, there should be a clearly visible "Refuse all" button).

  • Be correctly configured. This may seem obvious, but when Internet users click on "refuse all", it is essential that cookies are effectively deactivated! It would be perfectly illegal to let visitors think that they have deactivated cookie tracking if this is not the case!

  • Provide a link to the privacy policy page (for more information on data processing).

  • Allow visitors to change their mind. In other words, if the web user consents once to being tracked by analytics cookies, it is not permitted to track this web user ad vitam aeternam, their consent has a lifespan and the web user must be able to change their mind!

6- Respect the rights of the people concerned

Internet users, and in particular those concerned by the processing of personal data, have rights: these are known as 'Data Protection' rights. They have the right to access their data, the right to ask for it to be modified, deleted, ported, etc. These rights are indisputable, and you are obliged to respect them.

These rights are indisputable, and you are obliged, as the company responsible for data processing, to make it easy for the people concerned to exercise their rights.

To do this, you must provide them with a dedicated contact, who must obviously be responsive and professional in dealing with requests from the people concerned.

7- Ensure data security

And finally, as a website publisher responsible for processing personal data within your company, you are obliged to ensure the security of the personal data entrusted to you via your website!

You must therefore ensure the confidentiality, integrity and availability of this data.

And of course you need to be able to prove that data security measures have been properly implemented.

To do this, you can put in place an access control policy, a data backup and restore policy, track and record all changes made to data, etc.

To conclude

A website's compliance with the GDPR therefore depends on a number of complementary elements.

Your website is a showcase for your activities, your company and your corporate mission. But bear in mind that it is also a showcase for your internal processes, and particularly your regulatory compliance and privacy protection processes.

Offering Internet users a website that complies with the requirements of the GDPR helps to send a very positive message to your audience, who can then judge how seriously you take these privacy protection issues.


Related blog posts:


Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!


We need your answers!

By completing this survey, you will help us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information will be asked of you!

Thank you for your responses!


Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

RGPD grenoble

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!




Commenting has been turned off.
bottom of page