Practical steps to take to ensure your website is GDPR compliant

Posted in: Business News - 09 Apr 2018



The General Data Protection Regulation (‘GDPR’ or ‘Regulation’) will come into force on 25 May 2018. The purpose of the Regulation is to strengthen and protect the rights of individuals regarding the collection, storage and use of their personal data.

Whilst this article focuses on website compliancy, the Regulation will permeate your entire business and therefore the Regulation will also need to be considered in the wider context of your business.

Who does the Regulation apply to?

The Regulation applies to any business in the European Union (‘EU’), and to any business outside the EU that offers goods and services to, or monitors the behaviour of, individuals living within the EU. The UK is subject to the Regulation despite Brexit.

What data is affected by the Regulation?

Personal Data and Sensitive Personal Data are affected. These are defined within the Regulation.

Personal Data is any data that can be used to identify a living person (e.g. name, address, email address, national insurance number or IP address).

Sensitive Personal Data is a special category of personal data that needs to be handled even more carefully. It includes a living person’s sexual orientation, race, and religious or political beliefs.

Preliminary actions to take without delay

  • Identify and map out the categories of personal data held, used, shared or otherwise processed by your business.
  • Review the systems and data flows that are in place to determine how personal data flows through your business and how it is managed. For example, where is the personal data physically and geographically held? Is it held electronically (in house or remotely) or in hard copy format?
  • Is the personal data shared by the business with any other organisations or third parties, and where are those parties based (within the EU or outside the EU)? Are cloud providers involved? What supplier agreements do you have in place? Ensure you understand and can document what measures those third parties have in place to protect the personal data. Under the Regulation, you must ensure that all third party suppliers you use are GDPR compliant.
  • Do you have any third party tracking software deployed on your website or do you track user behaviour through Google Analytics or Google Tag Manager? If you use Google Tag Manager you will need to analyse ‘who’ has access to your Tag Manager (e.g. your web designer or digital marketing agency) and ensure they understand their legal responsibilities.
  • How does your Company keep personal data secure? Does it use encryption, anonymise data and/or have access control restrictions in place?
  • How long is the personal data stored/kept for?

What should you consider including on your website in order to be GDPR compliant?

Effective communication to users of your website is paramount. You need to actively seek their consent to use their data, and set out how and why you are collecting it. If there is one buzzword to remember with GDPR, it is arguably ‘transparency’. Be as transparent as possible with your users. Under the Regulation, individuals have the right to request erasure of their personal data from your systems. This is also known as ‘the right to be forgotten’. Put in place measures to ensure you are able to respond to these requests promptly and to effectively erase the information from your systems.

Include the following GDPR compliant documents in a prominent place on your website:

  • Privacy Notice/Policy: this should set out what personal data is collected, how and why it is collected and used, and how it is securely stored. Actively consider what personal information your business really needs in order to function, and try to minimise the collection of personal information. Remember that if a user of your website contacts you with a general query, you must not automatically add their details to your marketing database. You would need to seek and obtain their express consent to add them to your database, and this consent needs to be documented.
  • Cookie Policy: ensure you are transparent about what types of third party tracking software are deployed on your website (e.g. CANDDI/Lead Forensics, Ruler Analytics). You should also review any contracts or terms and conditions in place with these tracker providers to ensure GDPR compliancy. Note that cookies are subject to the E-Privacy Directive, which is currently under legislative review, so you should look out for updates when the new legislation is published.
  • Opt-ins: you must actively seek consent to include a user on a marketing list. This cannot be wrapped up in your website terms and conditions. Ensure that any forms which invite users to subscribe to marketing materials or provide contact preferences default to ‘no’ or remain blank if no response is given. Any opt-ins you give on your website should be un-bundled: for example, if you are asking users for consent to contact them, you should specifically seek the user’s consent for each form of contact/processing you would like to undertake (SMS, email, post).
  • Updating other documents: your business’ terms and conditions will also need to be reviewed and updated to ensure GDPR compliancy. You may also have a data processing policy in place, and this too will need to be updated.
  • Opt-outs: you must make it easy for your customers to opt out of any consents which have been provided to your business. A form should be displayed on the website to give customers the option to do this.
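The opt-in and opt-out points above translate directly into how a sign-up form and its backing consent record are built: no channel may be pre-ticked, each channel (email, SMS, post) is consented to separately, a general enquiry never becomes a marketing consent, and every consent and withdrawal is documented with a timestamp. The following is an added illustration written for this page, not code from the article or from McKenna Hughes; the channel names, the `consent_<channel>` form field names, and the sample submissions are assumptions made for the example.

```javascript
// Added example (not from the article): recording unbundled marketing consent from a
// website form so that nothing is opted in by default, each channel is consented to
// separately, and the consent (and any later opt-out) is documented with a timestamp.
// The channel names and form field names are assumptions made for illustration.

const CHANNELS = ["email", "sms", "post"];

// Report any consent checkbox that a form renders pre-ticked. A compliant form
// returns an empty list: the default for every channel must be "no" or blank.
function preTickedChannels(formDefinition) {
  return formDefinition.fields
    .filter(f => f.type === "checkbox" && f.name.startsWith("consent_") && f.checked === true)
    .map(f => f.name.replace("consent_", ""));
}

// Build a consent record from submitted form fields. Only an explicit affirmative
// value counts as consent; an absent, blank, or "no" field is recorded as false.
function buildConsentRecord(submittedFields, now = new Date()) {
  const consents = {};
  for (const channel of CHANNELS) {
    const value = submittedFields[`consent_${channel}`];
    consents[channel] = value === true || value === "yes" || value === "on";
  }
  return {
    subject: submittedFields.email || null,
    consents,
    recordedAt: now.toISOString(),
    source: "website-form",
    withdrawals: [],
  };
}

// A general enquiry must never be added to the marketing list automatically:
// only a record carrying at least one affirmative consent qualifies.
function mayAddToMarketingList(record) {
  return CHANNELS.some(channel => record.consents[channel] === true);
}

// Opt-out: withdraw consent for the named channels (all channels by default) and
// keep an audit trail of when each withdrawal was received. The original record
// is left untouched so earlier state remains documented.
function withdrawConsent(record, channels = CHANNELS, now = new Date()) {
  const updated = {
    ...record,
    consents: { ...record.consents },
    withdrawals: [...record.withdrawals],
  };
  for (const channel of channels) {
    if (!CHANNELS.includes(channel)) {
      throw new Error(`unknown channel: ${channel}`);
    }
    updated.consents[channel] = false;
    updated.withdrawals.push({ channel, withdrawnAt: now.toISOString() });
  }
  return updated;
}

// Constructed sample inputs for illustration (not real form data).
const SAMPLE_FORM = {
  fields: [
    { name: "email", type: "text" },
    { name: "consent_email", type: "checkbox", checked: false },
    { name: "consent_sms", type: "checkbox", checked: false },
    { name: "consent_post", type: "checkbox", checked: true }, // a pre-ticked box: flagged below
  ],
};
const GENERAL_QUERY = { email: "someone@example.com", message: "What are your opening hours?" };
const NEWSLETTER_SIGNUP = { email: "someone@example.com", consent_email: "yes", consent_sms: "no" };
```

Running `preTickedChannels(SAMPLE_FORM)` flags the `post` box as pre-ticked, `buildConsentRecord(GENERAL_QUERY)` yields a record with every channel false so `mayAddToMarketingList` refuses it, and `withdrawConsent` produces a new record with the withdrawal logged rather than silently mutating the old one.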

The Nature of your Business

Depending on the nature of your business, there may also be additional measures you need to take. For example, if your business is involved in e-commerce, it is likely that a payment gateway will be used for financial transactions. You will need to check whether your own website collects personal information before passing those details on to the payment gateway, and if it does it will be important for you to implement measures to ensure that the personal information is removed after a reasonable period of time. The Regulation does not define ‘reasonable’, and therefore you will need to consider what time period would be considered necessary and reasonable in your business’s circumstances.

ICO Checklists

The ICO has two self-assessment checklists to help organisations assess, at a high level, their compliance with GDPR.

Data Controller checklist 

Data Processor checklist 

New ICO Fee Regime

Under the GDPR the requirement to notify (or register with) the ICO is removed, but it is replaced with a requirement for all organisations that determine the purpose for which personal data is kept (“data controllers”) to pay an annual fee. There are three levels of fee, calculated based on the size of your organisation. There are exemptions for public authorities and charitable organisations.

Tier 1: £40 for organisations with a turnover of less than £632,000 or fewer than 10 members of staff.

Tier 2: £60 for organisations with a turnover greater than £632,000 but no more than £36 million, or fewer than 250 members of staff.

Tier 3: £2,900 for all other organisations that do not meet the criteria for Tier 1 or 2.


Compliance with the Regulation is ignored at your peril. Penalties for serious breaches are eye-wateringly large, with fines of up to 4% of worldwide turnover or 20 million euro (whichever is greater). You could also face litigation from disgruntled users whose personal data you hold.

Need further assistance?

Can we assist you with GDPR compliance? Call or email one of our specialists at McKenna Hughes Limited; telephone 01789 721 831.

Note: this article is intended as a guidance note only. It does not constitute legal advice and should not be relied upon.

Latest Newsletter

Posted in: Business News - 03 Dec 2013

Our latest Newsletter is out with information for clients on the new top-level domains such as .CLOTHING.

Free Website Audit

Posted in: Business News - 12 Oct 2012

Autumn Newsletter

Posted in: Business News - 10 Oct 2012

New Guidance on Cookies

Posted in: Business News - 03 Feb 2012

The Information Commissioner's Office ("ICO") has recently published further guidance on the implementation of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. We take a look at the guidance and summarise the key messages for businesses.


The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Regulations") cover the use of cookies and other similar technologies for storing and accessing information on a person's computer or mobile. In May 2011 the UK Government introduced an amendment to the Regulations. The main change introduced in the amendment required that users or subscribers to a website must consent to the use of a cookie before the cookie is activated.

What do I need to do?

Whilst there is an acknowledgement amongst law enforcers that implementing the rules will require considerable work, this will not constitute a reason for not complying with the new law. As of May 2012 website owners will be required to ensure that consent is obtained from users to the use of cookies. The guidance is very clear that "those setting cookies must -
  • tell people that the cookies are there,
  • explain what the cookies are doing, and
  • obtain their consent to store a cookie on their device." (ICO Guidance 13 Dec 2011).

What is very clear is that you must ensure that information about the use of cookies on your site is prominent and clear to the user. This can be achieved by positioning the hyperlink to a Privacy Policy in a more prominent location at the top of the page and highlighting it. For example, "Read about how we use cookies" could be displayed in the top right-hand corner of the page, containing an embedded link to the Privacy Policy or Terms and Conditions which contain more detail about the cookies.


The Regulations cover both persistent and session cookies; however, cookies which are "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" or which are "strictly necessary for the provision of an information society service by the subscriber or user" are excluded from the requirement to obtain consent. This means that cookies such as those which remember what a user has put in the shopping basket would be considered "strictly necessary" and exempt from the requirement to obtain consent. The following types of cookies are likely to fall within the exception:
  • cookies used to remember what a buyer has placed in their shopping basket
  • cookies used with online banking services which provide security in order to comply with the seventh data protection principle
  • cookies which help to ensure that content is loaded quickly.

How do I obtain consent?

There are a number of ways in which you could obtain user consent to the use of a cookie. Which method you use will largely depend on how your site is configured and which cookies you deploy. Examples of ways in which consent may be obtained include:

  • Pop ups or splash pages.
  • Specific consent to Terms and Conditions which include a clear statement on the use of cookies.
  • Settings-led consent. You could obtain the user's consent up front to the use of cookies to remember preferences.
  • Feature-led consent. This can be achieved at the time the user has to click on the link or switch on the feature, e.g. using a video.
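The "strictly necessary" exception, the consent methods listed above, and the later point about third-party content all come down to one decision on a page: which cookie-setting components may run before the user has consented, which must wait, and which third parties need disclosing. The following consent gate is an added illustration written for this page, not code from the ICO guidance, the article or McKenna Hughes; the component list, the category names, the provider labels and the page-level loader functions are assumptions made for the example.

```javascript
// Added example (not from the ICO guidance or the article): a consent gate for the
// cookie-setting components of a site. Components marked "strictly-necessary" are
// exempt from consent, as the Regulations describe; every other component may run
// only once the user has consented to its category. The component list, category
// names, provider labels and loader functions are assumptions made for illustration.

const COMPONENTS = [
  { name: "session-id",  category: "strictly-necessary", owner: "first-party" },
  { name: "basket",      category: "strictly-necessary", owner: "first-party" },
  { name: "preferences", category: "preferences",        owner: "first-party" },
  { name: "analytics",   category: "analytics",          owner: "third-party", provider: "example analytics provider" },
  { name: "video-embed", category: "features",           owner: "third-party", provider: "example video service" },
];

function isExempt(component) {
  return component.category === "strictly-necessary";
}

// An empty consent object means only exempt components may run.
function allowedComponents(components, consent = {}) {
  return components
    .filter(c => isExempt(c) || consent[c.category] === true)
    .map(c => c.name);
}

// Components that must stay blocked until the user consents to their category.
function blockedComponents(components, consent = {}) {
  const allowed = new Set(allowedComponents(components, consent));
  return components.map(c => c.name).filter(name => !allowed.has(name));
}

// Record consent for one category and when it was given: settings-led consent
// given up front, or feature-led consent given when the user switches the feature
// on (for example, pressing play on an embedded video).
function grantConsent(consent, category, now = new Date()) {
  if (category === "strictly-necessary") {
    throw new Error("strictly necessary cookies do not need consent");
  }
  return { ...consent, [category]: true, [`${category}_grantedAt`]: now.toISOString() };
}

// Run each component's loader only when it is allowed. Blocked components are
// returned so the page can show its cookie notice for them instead of loading them.
function loadPermitted(components, consent, loaders) {
  const allowed = new Set(allowedComponents(components, consent));
  const loaded = [];
  for (const c of components) {
    if (allowed.has(c.name) && typeof loaders[c.name] === "function") {
      loaders[c.name]();
      loaded.push(c.name);
    }
  }
  return { loaded, pendingConsent: blockedComponents(components, consent) };
}

// Third-party components whose cookies must be disclosed to the user, whether the
// disclosure is made by the site or agreed with the third party up front.
function thirdPartyDisclosures(components) {
  return components
    .filter(c => c.owner === "third-party")
    .map(c => ({ name: c.name, category: c.category, provider: c.provider }));
}
```

With no consent recorded, only `session-id` and `basket` are allowed; granting the `features` category (the user chose to play the video) releases `video-embed` but still leaves `analytics` and `preferences` pending, and `thirdPartyDisclosures` lists the two third-party components that the cookie information on the page must cover.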

Can I rely on a User's Browser Settings?

In time, you may well be able to rely on the user's browser settings as a way to satisfy yourself that consent has been given. At present, however, most browser settings are not sophisticated enough to rely on this mechanism. The Government is working with major browser manufacturers to establish which browser settings will be available and when.

Third Party Cookies

If you display content from a third party on your website (e.g. an advertisement or a video service) then you will need to ensure that information is provided to the user about the cookies which may be used by the third party. This information can either be provided by you or the third party. It is therefore important that you establish this upfront with the third party.

What if I do nothing?

The ICO has given businesses a lead-in time of 12 months in order to achieve compliance (i.e. until May 2012). After this time it will follow up complaints made by users and take enforcement action where appropriate. In the first instance it will contact the website owner to discuss the complaint. The ICO has a number of remedies which are open to it including the imposition of monetary penalties of up to £500,000.

McKenna Hughes is currently working with web developers to provide a solution to its clients. If this is of interest to you please contact us on or 01789 721831. You can download a copy of the ICO guidance by going to

Extension of Cancellation Rights - the new EU Rules on Consumer Rights

Posted in: Business News - 14 Nov 2011

On the 10th October 2011 the EU Council of Ministers formally adopted the new EU Consumer Rights Directive. This will have implications for many of our clients, especially those who are online retailers. We have summarised the ten most important changes.

  1. Hidden charges and costs will be eliminated on the internet. Consumers will be required to explicitly confirm that they understand that a fee is payable before ordering goods or services.
  2. Increased price transparency. Traders must disclose the total cost of a product or service. If all of the costs are not disclosed to the consumer then these will not be payable.
  3. Banning of pre-ticked boxes on websites.  Pre-ticked boxes will be banned across the EU. So, for example, sites which currently have pre-ticked items such as insurance will need to change this practice.
  4. Cancellation period extended to 14 days. The current period of 7 days will be extended to 14 calendar days during which time the consumer may change his/her mind and cancel the order. If the consumer has not been clearly informed of his/her cancellation rights the return period will be extended to one year. Buyers at online auctions will also be offered the protection of the cancellation period if they are purchasing from a professional seller. No distinction will be made between solicited and unsolicited visits for traders who visit consumers at home.
  5. Refunds must be made within 14 days. Traders must refund consumers within 14 days of the cancellation and this will include the cost of delivery (as is the case now).
  6. An EU wide model withdrawal (cancellation) form to be introduced. Consumers will be able to use a standard EU template withdrawal form which they can complete and send to the retailer.
  7. Credit card and telephone hotline surcharges to be eliminated. Traders will only be permitted to pass on the actual costs which they incur when accepting credit card payments and using a hotline telephone number.
  8. Clearer information on who pays for returning goods.  The retailer must make it very clear beforehand if the consumer is to pay the costs of returning the goods if he/she changes his/her mind. An estimate of the costs of returning large items should be provided to the consumer.
  9. Better consumer protection in relation to digital products. Information on digital content, compatibility with hardware and software and the application of any technical measures or restrictions will need to be made clear before a purchase is made. Cancellation of the goods can only be made up to the point that downloading begins.
  10. Common rules for businesses across Europe. These will include a common set of rules for distance selling contracts; the use of standard forms (e.g. the cancellation form); and specific rules for small businesses and craftsmen such as no right of withdrawal or cancellation for urgent repairs or maintenance and Member States may include exemptions for traders who are requested to undertake work in a home where this is less than €200.

Member States have been given a period of 2 years to implement this legislation so there is time to prepare and the changes won’t be immediate. Some of these changes however do pose an added burden on businesses and will result, in some cases, in a loss of revenue. McKenna Hughes will be updating clients when the UK Government confirms the implementation dates for this new piece of legislation. We will be able to offer our clients assistance with changing existing terms and conditions and advise on implementation. If you would like to discuss any of these changes and the impact it may have on your business please get in touch – or call 01789 721831.

Qualifying Period Increases for Tribunal Claims

Posted in: Business News - 06 Oct 2011

As from the 1st April 2012 the qualifying period to bring an unfair dismissal claim in front of an Employment Tribunal will increase to 2 years.

The current requirement is that the employee must have been employed by the employer for a minimum period of 1 year before he/she can bring an unfair dismissal claim. The change follows the recent "Resolving Workplace Disputes" consultation which the Government launched earlier this year. More changes are due to be announced in the next few months. It is anticipated that these changes will reduce Tribunal claims by more than 3,000 claims per year.

New Regulations in force 1st October

Posted in: Business News - 03 Oct 2011

Agency Workers' Regulations

Anyone employed through an agency will be entitled to the same terms and conditions of employment as if they had been recruited directly with the employer provided they have completed a 12 week qualifying period in the same job with that employer. Prior periods of employment do not count. For those currently engaged as agency workers the qualifying period starts from 1st October 2011. The agency worker is entitled to access to the same facilities and job vacancies information from Day 1 of their assignment. There is no requirement for a qualifying period for this. For more information go to

Minimum Wage

The new minimum wage rates increase from the 1st October 2011 to:

  • £3.86 for those aged 16 to 17 years
  • £2.60 for apprentices aged under 19 years, or in the first year of their apprenticeship if aged 19 or over
  • £4.98 for those aged 18 to 20 years
  • £6.08 for anyone aged over 21 years.

Unfair Contract Terms

Posted in: Business News - 23 Sep 2011

The High Court has ordered a gym management company to change its terms and conditions as it found these to be unfair and unenforceable. In particular, the company was ordered to reduce the minimum term in standard contracts and to notify all customers of this change - The Office of Fair Trading v Ashbourne Management Services Limited & Ors. 12 Aug 2011. To avoid these issues in your business our advice is to always ensure that your terms and conditions are properly drafted by a professional. Contact us for a quote -

Distance Selling Resource Launched

Posted in: Business News - 08 Aug 2011

On the 1st August the OFT launched a new online resource to help traders understand the Distance Selling Regulations. The resource can be found at