GDPR and what it means for your website

07 February 2018

On 25 May 2018 the new European data protection legislation, the GDPR, becomes law. It is likely to have a significant impact on the way you communicate with your customers and prospects.

The General Data Protection Regulation (GDPR) is a European law that places the obligation on organisations to protect the personal data they hold about their Data Subjects (employees, prospects, customers). On almost every website we build there are contact forms collecting user data. The information gathered is generally emailed, but it is also stored in the site database, which means it is subject to the new GDPR regulation.

In a nutshell, GDPR is all about consent and looking after individual customer data appropriately. Your obligations as a website owner will be:

  • Tell the user who you are, why you collect the data, for how long, and who receives it.
  • Get clear consent before collecting any user data, separately for every purpose you intend to use it for (e.g. someone agreeing to send an enquiry does not automatically mean they want to be added to your marketing list).
  • Let users access their data and take it with them if they choose.
  • Let users delete their data if they wish.
  • Let the affected users and the Information Commissioner's Office (ICO) know if a data breach occurs.

Failing to comply with the new GDPR legislation can lead to fines of up to €20m or 4% of global annual turnover. Crucially, this applies to all data records, including historical data collected on the website before the new regulation comes into force in May 2018.


BML's role under GDPR is that of a Data Processor acting on your behalf. As Data Processors, we have access to that data and can help you manage it in line with your instructions. However, the responsibility for GDPR compliance lies with our clients, so it is ultimately your responsibility to ensure you have all legal obligations and measures in place to protect your organisation. Our primary role in relation to GDPR is to follow your instructions on the handling of data you control.

Our suppliers

The servers your websites are hosted on are managed by an end hosting provider that we contract. All data is physically stored in the UK. In GDPR terms, our end hosting provider provides services to us and is technically able to access the end user data too (in practice, this would only ever be under our instruction). Any sub-contractors BML use (such as freelance web developers we may bring in during very busy periods, or for holiday cover) may also have access to user data, although this is rare. Their role in relation to GDPR is to comply with any instructions we pass on to them about the handling of data.

Action Points

To help ensure your websites are GDPR compliant, our advice is that you take the following steps:

  • Make sure any contact forms have an explicit opt-in checkbox stating exactly how the data is going to be used (the exact wording will need to be provided by you), linking to your privacy policy for more information.
  • Update your privacy policy (or create one if it doesn't already exist) to say how personal data is being used, and explain how people can request access to the data you hold and request its removal if they wish (e.g. by emailing someone). You should be able to do this yourself via the admin area of your website.
  • Keep your website updated regularly to minimise the chance of getting hacked. Many of our clients have maintenance packages in place to ensure their websites are kept up-to-date.
  • Have a plan of action in case someone requests their information to be deleted or if a data breach occurs.
  • We would also recommend you purchase and install an SSL certificate on your website, so that contact-form submissions are encrypted in transit and visitors have greater reassurance that the site is secure.

Where is user data stored and how can it be removed?

In circumstances where BML provide your website hosting, data for your live website is stored in the site database. This is located on a physical server based in a UK data centre.

In terms of accessing user data to delete it, you can generally delete stored contact form entries using the normal admin area of the site. This means you can easily remove data for anyone who requests it. It is advisable to delete this data regularly, as it will have been emailed to you anyway. If you don't have explicit consent from currently stored contacts, it makes sense to remove them well ahead of the deadline.

Copies of user data may also be held on local development and staging servers as part of our normal development process. If a data removal is requested, we will also remove any relevant data that may be held on those machines, along with data held on the machines of any relevant suppliers we have contracted.

We also back up the web server daily, keeping a 30-day history of all information on a separate secure server. If a user requests that their data be removed, we will also need to remove it from the relevant backups where it may appear. You will need to instruct us to do this as part of your removal request process.
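The two processes described above, separate per-purpose consent on a contact form (Action Points) and removing a data subject from the live database and from retained backups (this section), as an added example that is not BML's code. The form field names, the policy version and the in-memory store are assumptions for illustration.

```javascript
// Added example (not BML's code): a contact-form handler that records
// separate, explicit consent per purpose, and a removal routine that
// clears a data subject from the live store and from retained backups.
// Field names, POLICY_VERSION and the store layout are assumptions.

const PURPOSES = ["enquiry", "marketing"];   // each purpose needs its own opt-in
const POLICY_VERSION = "2018-05-25";         // assumed privacy policy version shown to the user

// Checkbox values arrive as strings; only an actual tick counts as consent.
function ticked(value) {
  return value === "on" || value === "true" || value === "1";
}

// Build a stored record from a submitted form, or return the validation errors.
function processContactSubmission(form, now = new Date()) {
  const errors = [];
  if (!form.email) errors.push("email is required");
  if (!ticked(form.consent_enquiry)) {
    errors.push("explicit consent to handle the enquiry is required");
  }
  if (errors.length) return { ok: false, errors };
  // Each purpose is recorded on its own; marketing is never inferred from enquiry.
  const consents = PURPOSES.map((purpose) => ({
    purpose,
    granted: ticked(form[`consent_${purpose}`]),
    policyVersion: POLICY_VERSION,
    recordedAt: now.toISOString(),
  }));
  return {
    ok: true,
    record: { email: form.email, name: form.name || "", message: form.message || "", consents },
  };
}

// Remove every record for a data subject from the live table and from each backup,
// returning counts so the removal can be confirmed back to the requester.
function eraseDataSubject(store, email) {
  const match = (r) => r.email.toLowerCase() === email.toLowerCase();
  const removedLive = store.live.filter(match).length;
  store.live = store.live.filter((r) => !match(r));
  let removedBackups = 0;
  for (const backup of store.backups) {
    removedBackups += backup.records.filter(match).length;
    backup.records = backup.records.filter((r) => !match(r));
  }
  return { removedLive, removedBackups };
}
```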

Third party services

Whilst this is not our responsibility, it is also important that you take into account any tools you use on your website that may collect individual user data (e.g. Google Analytics, Lead Forensics, Hubspot). These should be accounted for in your privacy policy and in your deletion and information access processes. Cookie notification warnings should be implemented to cover this. Please email our quotes team if you do not currently have cookie notifications in place on your site and need to add them.


To sum up, we will work with you to:

  • Support any Personal Information Audits you need to conduct on behalf of your business
  • Change any data capture forms you may have on your website
  • Add or update your Privacy Policy on your website
  • Improve the security of your data in line with your approach to compliance with the new legislation
  • Work with you to assess and implement removal of Data Subject/s

We will work with you as best we can to ensure your website keeps you on the right side of the new GDPR regulations.

Useful Resources

  • BML Data Processor Compliance Policy: how we support our clients in relation to GDPR compliance.
  • BML GDPR Policy: our own policy in relation to the data BML collects and processes for our own purposes.
  • Information Commissioner's Office: useful resources, including guides to move through the GDPR compliance process.
  • Guide to the General Data Protection Regulation (GDPR): site designed to educate about GDPR.
