Quick GDPR Guide

// This article will continue to be updated. Please note it is not giving any legal advice, just some ideas on how to improve your website’s data protection and privacy

We have been following GDPR to see what it means for small business websites.

GDPR will affect the way you collect and retain information from your customers. There are a few amendments you can make to your website to help, as you may not be aware what your site is doing or how it’s collecting information.

From what we can tell, the best approach to GDPR is to show you take data privacy seriously, and there’s a few simple things you can do to your website to help, such as a privacy policy, cookies opt in/out and SSL certificate.

Privacy Notice

Create a privacy notice which explains how your website collects information (contact forms, shop checkout, newsletter sign ups, google analytics) and how you store that data, for how long, and what you do with it (give to third parties for example). Also, how can users find out what data you have about them, how can they amend and or remove it? This can be as simple as asking for them to email or call with their request.

It would also be good to explain in your policy what rights the user has.

Your privacy notice / policy should be available to access on all pages. As far as we can see having a link in the footer is sufficent, as long as it’s not hidden.

Cookies Policy

This can be a separate page on your website, accessible from the same place as your privacy policy ideally, or as an additional heading on your privacy policy page. Small business websites typically don’t use many cookies, but often have Google Analytics which doesn’t store any personal data, just generic user data which isn’t assigned to any person. However it is still good to inform a user that your site uses Google Analytics and have them give consent before it starts tracking.

Ecommerce sites use more cookies which are used to track what items are in a user’s cart. Often these cookies are saved for 24 hours, so a user could come back several hours later and still have their items in the basket.

“Accept Cookies” pop up

You’ve probably seen this before,  a pop up which informs you that a website users cookies. Some of these pop ups will ‘assume’ consent, or just inform you that the site uses cookies, but with GDPR there can be no assumed consent, so you will need a cookies pop up that asks for the user to accept cookies first. Users also need to be able to ‘opt out’, so an additional page will be needed where a user can choose to revoke consent. – this must also be very easy to find, perhaps next to do your privacy policy.

No pre-ticked boxes or opt outs

A user shouldn’t have to untick a box or opt out of something (unless they previously chose to opt in). There are some sneaky check boxes which say “Tick here if you want us to not send you newsletters”. That is no longer acceptable.

Terms and Conditions

If your site has a terms and conditions page, make sure what it says is up to date and complies the GDPR. For example, your current terms may state that you give data to third parties.

Make sure to reword and use GDPR terminology, letting users know you only do those things if they have agreed to it.

Woocommerce / ecommerce sites

If your site uses Woocommerce (ecommerce plugin for WordPress), you should not keep order data indefinitely. We believe you should delete it after around 60 days, unless the user has created an account with your site, in which case make sure it’s easy for them to delete their account if they choose to, and that all of their personal information is deleted too. If you want to keep a record of your sales, you could keep the order information but update the user’s details to only include the town, rather than their full address.

Contact Form 7 / contact forms

If you have a ‘request a call’, ‘get a quote’, or ‘enquiry’ form on your website, chances are you haven’t deleted the emails from the sender. If you fill out a form online, are you allowing that company to retain your details forever? You should have a check box so that users ‘opt in’ to allow you to store their details and explain why you are storing it. Otherwise, once you have replied to the user you shouldn’t keep their information on file.

There is an extension for Contact Form 7 which stores all of the submissions in a database on your site, accessible from the WordPress dashboard. We would advise checking your database as it may have old submissions from years ago which you can delete. We think you shouldn’t store data for more than 60 days unless you have an opt it box, such as “please save my details so I can recieve special offers and email newsletter in the future”, or whatever it is you intend to do with it.

Know what your site stores and why

If someone asks, make sure you can answer.

Why has your site stored my details?

  • We track visits with Google Analytics once consent has been given to improve the usability of our site. Here is how you can revoke consent …
  • You chose to opt in to our newsletter when you contacted us with our enquiry form (checkbox). We store your name, address, phone number and email.
  • You created an account when you used our ecommerce website.


If a user hasn’t logged in to their account for over 1 year, we would recommend deleting their account, or deleting most of their data (such as billing address).

SSL Certificate

Any site that sends data should be encrypted, so if your site is ecommerce or has a contact form where a user can send their name, phone, email address etc, it needs to be encrypted. We recommend at least a DV SSL certificate. What are SSL Certificates.

Get help

We can help sort these things on your site. For Privacy Notice, Cookies Policy and Terms and Conditions, it may be worth seeking legal advice to ensure they comply with GDPR.