
What is a GDPR policy? Does Your Website Need One?

On May 25, 2018, the European Union (EU) replaced its previous data protection directive (dating from 1995) with a policy called the General Data Protection Regulation (GDPR). This new policy was created to hold companies across the globe more accountable for how they collect, store and share the personal data and information of users. But exactly what is a GDPR policy, and how does it affect a US-based company and its website? Most importantly, what does it mean for yours?

In this blog, we will skim the surface of the intricacies of GDPR (here’s the full policy documentation). This overview can help you and your company ensure compliance, avoiding any fines or other legal trouble.

What is the Purpose of the General Data Protection Regulation?

The purpose of the General Data Protection Regulation is to protect Europeans and their personal data. Basically, the EU wants to make sure that its citizens’ information stays private. To date, GDPR is the strictest and most heavily enforced privacy and security law ever enacted; if you break it, your company could incur harsh fines of up to €20 million or 4% of your global revenue (whichever amount is higher).

The EU defines personal, identifiable data as “any information that relates to an individual who can be directly or indirectly identified.” Examples include:

  • Name
  • Email address
  • Location information
  • Ethnicity
  • Gender
  • Biometric data
  • Religious beliefs
  • Political affiliation
  • Web cookies

Do I Need a GDPR Policy on My Website?

If your organization processes the personal data of people in the EU, the short answer is yes. You don’t have to be connected to the EU per se to be subject to this requirement. If you collect, store, transmit, analyze or otherwise handle personal data from people in the EU, you must be in compliance or risk substantial fines.

Of course, there are exceptions. For example, small businesses with fewer than 250 employees may be exempt from record-keeping obligations. You may also be exempt if you don’t conduct any business with people in the EU; however, if they visit your site and you track cookies or IP addresses, you might still fall under the scope of the GDPR.

What Does My Website Need to Be GDPR Compliant?

Several components must be in place to ensure compliance with the GDPR in the U.S., and chief among them are communication and consent. Through a clear and transparent privacy policy, you must inform site visitors how and why you are collecting their data, as well as how they can opt out.

Your GDPR policy should include all these elements:

  • What data you collect
  • How you collect, use and store the data
  • Marketing options
  • Users’ data protection rights
  • A definition of cookies
  • How you use cookies
  • What types of cookies you use
  • How users can manage their cookies
  • Privacy policies of other websites linked to yours
  • Where to find changes to your privacy policy
  • How to contact you and the appropriate authorities with a complaint

More to Come

The GDPR is just the beginning of efforts to protect consumer privacy. More regulations are likely, from other countries as well as from our own. In fact, California implemented the California Consumer Privacy Act in 2018, which went into effect in January 2020.

Even if your business is exempt from existing policies now, it’s unlikely to remain so. We use the WordPress platform, which is GDPR compliant, for the majority of our website development clients. To err on the side of caution and ensure you are prepared for future regulations, we recommend that you incorporate a GDPR-compliant privacy policy on your website, which we can help you develop and integrate.

If you have any questions or concerns about your site’s GDPR policy, give us a call. Our experts will be happy to walk you through the requirements and make recommendations, helping you keep your company’s online operations safe and going strong.