Close this search box.

How to make your website GDPR compliant

GDPR is an acronym for General Data Protection Regulation which is the new European Internet privacy regulation. On May 25, 2018, GDPR will come into effect, and that brings a dramatic change in how we do business online.

The internet has a significant impact on our day-to-day life. We all surf the web but more importantly we share emails, essential documents, pay bills, buy things online and we disclose our details without giving much thought to it.

Everything we do on the World Wide Web leaves a digital mark. Companies use this digital trace to help improve their services and to provide a better customer experience. But data breaches do happen. Information is lost, stolen or released for profit and used with malicious intent. And this includes addresses, banking info, ID numbers, your IP and other data stored online.

Here is where the issue of privacy becomes essential. The way organizations collect, store and use online data will permanently change by the EU starting May 2018.

The GDPR was designed to protect all EU citizens data privacy and to coordinate data privacy laws across Europe. GDPR ensures EU citizens they have the power over their data, who can use it and for what purpose.

The implications of GDPR for your business

GDPR applies to any company that stores or processes personal information about EU citizens even if it doesn’t have a business presence within the EU.

Any organization that sells goods, offers services or monitors the online behavior of EU residents, must comply with GDPR requirements. And fines for noncompliance are as high as €20 million euros or 4% of a company’s total global revenue, whichever is larger.
This is the maximum fine imposed for the most severe violations, e.g., for not complying with Privacy by Design concepts or for not having sufficient user consent to process data.

In the following paragraphs, we will highlight the necessary changes to make so that your website is GDPR compliant. Please keep in mind that to ensure full compliance, we would advise that you take the time to make more in-depth research on this matter and to seek legal advice.


What are the data protection rights according to GDPR?

The protected data includes web data you are collecting via your website without intent such as location, IP address, cookie data and RFID tags. Online companies will need now to offer the same level of protection for this information as they do for the name, address and Social Security number.

The data you collect for business purposes through contact forms, newsletter sign-ups and e-commerce transactions such as necessary identity information (name, address and ID numbers) will also be secured. GDPR imposes protection on further personal data such as health, genetic, biometric, ethnic or racial info, sexual orientation, and even political opinion.

As a website owner, you need first to acknowledge the way your company gathers personal data. Under GDPR, organizations must also inform customers of their new rights. The interaction between users and your website must be as transparent as possible.

Websites now must show what information they are collecting, offering options for consent. Furthermore, you should enable users to view the information gathered about them and should give them the possibility to remove that information from your systems.


This regulation gives individuals, customers, contractors, and employees more power over their data and less power to the companies that gather and use data for monetary gain.
Under GDPR, website users will have eight new rights: the right to access, the right to be forgotten, the right to data portability, the right to be informed, the right to have information corrected, the right to restrict processing, the right to object and the right to be notified.


1. Rewrite your Privacy Policy

If your company gathers a considerable amount of data, you might consider assigning a Data Protection Officer (DPO) for monitoring this information. The first step in making your website GDPR compliant is to publish a revised privacy policy on your site.

The privacy policy on your website has become now a crucial part of your legal existence. It was important even before, but now you must pay double attention to the following: it must be concise and written, easily accessible and must cover info about how the website collects data, where is the data stored and for how long.

Furthermore, the policy should include instructions on how users can view the information you have stored and about how they can remove their data from your systems. This would comply with the user right to be forgotten.
Our WordPress themes come with a ‘Terms & Conditions’ page template, and we offer demo content that you only have to update it with your privacy terms.


2. Get an SSL certificate

An SSL certificate (an acronym for Single Socket Layer) is a small file that establishes an encrypted connection between your website and a user computer. It is a cryptographic key to an organization’s details ensuring that all data passed between the two remains private and secure.

You don’t get the certificate with the theme, and it is the owner’s sole responsibility to add it to his website. When implemented on of your site, it activates the ‘padlock’ symbol that you see in web browsers, and it provides you with that https:// in your address bar.

For e-commerce websites, this is a good business strategy as it improves your SERP rankings and builds customer trust. People will know that their information is safe with you and they will want to do business with you. (aka better conversion rates)


3. Add distinct website forms

This step means making a few changes in your website design. Any form you use must not include pre-ticked boxes as this is considered implied consent that was not freely given and is passable for a substantial fine.

As pointed above users will soon have the right to be asked for consent for every type of processing. Under GDPR you should create separate options for your website users, for example: to be contacted by email or by telephone with two distinct tick boxes.

The user must permit to pass data to the third party, and you need to add a tick box for it. This is also valid if you are collecting data through your website on behalf of third-parties.
Our real estate site themes meet the new requirements, and we have developed forms that do not include pre-ticked boxes.


4. Add opt-out solutions

Individuals need to know from the start of any communication they have the right to withdraw their consent and can opt-out from any interaction they prior allowed to be used. It should also be a simple process to do so.

GDPR ensures the right to restrict processing meaning the user data can remain in place, but it should not be used. Also, the right to object establishes that users can stop the processing of their data for direct marketing and there are no exemptions to this rule.

For your web users, this means providing an easy way of unsubscribing from your newsletter and notifying them of this possibility with a link included in your website’s privacy policy.
Opt-out options don’t come by default in our WordPress themes, and it is the site owner’s responsibility to create them and notify users.


5. Online Payments

As a real estate business, you are likely to be using an online payment system for financial transactions such as PayPal or Stripe. Before passing onto the payment gateway, your website might collect personal data, and in this case, you will need that SSL certificate to make sure this information is secured.

The GDPR legislation states that all the personal data stored after the payment process must be deleted within some days. The law doesn’t say the exact number of days, but you can consider 90 days a reasonable period. Until then you should be able to provide and to remove the data it if the user asks you to.

You should also adapt your web processes for this new legislation and write it in your privacy policy.

Our real estate themes meet these requirements as we do not store personal data for monetary transactions.


6. Cookies and re-marketing

Since 2011, The Privacy and Electronics Communication Regulation established the rules for the use of cookies that track your activity online. Therefore you should highlight in your privacy policy the use of cookies and what you do with that information.

If you are using the data for re-marketing purposes, you will explicitly need to outline this in your privacy policy. Make your website users aware that cookies are being used in this way and also enable them to opt out of cookie tracking in their browser’s privacy settings.

Even if you are using third-party plugins such as Google Analytics to capture data you still need to let your users know about this.
The only feature in our WordPress themes that uses cookies is the currency exchange feature.


7. IP Tracking

This technology uses a tracking code to embed on the website that will provide you with identifiable details of your visitors and learn about their location.

Under GDPR legislation, IP addresses are classified as personal data so you will need to make sure that you state if you use IP tracking in your privacy policy.

Every interaction between your website and its visitors gives an excellent chance to store their IP address in your database. When they subscribe to your newsletter or leave comments on your site this action tracks their IP address, so it is essential to let them know about this.
You need not worry when using our real estate themes as they do not include any IP detection tool.


8. Data Breaches

The user has the right to know about everything that happens with its personal information. So, if there has been a data breach which compromises an individual’s data, the website owner must inform the individual within 72 hours of first having become aware of the violation.

The GDPR also introduces requirements on all companies to report a high-risk data breach to the Information Commissioner’s Office website (ICO). This is primarily for cases in which the violation could result in risk to the rights and freedoms of individuals. A serious data breach could lead to damage to reputation, financial waste, loss of confidentiality or any other significant problems.

The requirement to inform about an eventual data breach is the site owner’s sole responsibility.



In this new world information is the most valuable asset. The GDPR rules might seem a difficult task for online business, but it also creates new opportunities. What is required now is that companies value their customer data and be transparent about how they use it. Yes, you will be soon asked to implement these secure ways of managing your visitor data, and the great news is this will only build a trusting relationship with your customers.