GDPR: complete guide to make your website compliant
GDPR applies to all websites that collect personal data. Complete guide with concrete examples, practical checklist and tools to avoid sanctions.

The General Data Protection Regulation (GDPR) is not just another administrative constraint. It's a revolution that redefines the relationship between businesses and their customers' data.
Since May 2018, any company that collects personal data via its website must comply with strict rules. Ignorance is no excuse: sanctions can reach €20 million or 4% of annual global turnover, whichever is higher.
What is GDPR and why does it concern you?
GDPR (EU Regulation 2016/679) harmonizes data protection in the European Union. It applies to any organization that:
- Processes personal data of European residents
- Is established in the EU (even if processing data outside the EU)
- Targets European residents (even from abroad)
Personal data: broader than you think
According to Article 4 of GDPR, personal data is "any information relating to an identified or identifiable natural person".
Concrete examples on your website:
•Name, surname, email (contact form)
•Visitors' IP addresses
•Tracking and analytics cookies
•Phone number (online quote)
•Postal address (e-commerce delivery)
•Geolocation data
•Browsing history
GDPR sanctions: examples that make you think
Data protection authorities don't joke around. Here are some significant sanctions:
Recent sanctions (2021-2024):
•CEGEDIM SANTÉ: €800,000 (September 2024) - processing health data without authorization
•PAP (real estate site): €100,000 (January 2024) - excessive retention and poor security
•TAGADAMEDIA: €75,000 (January 2024) - collection without consent via contests
•Google: €90 million (2021) - refusing cookies took several clicks while accepting took one
•Facebook: €60 million (2021) - same violation
Why these companies were sanctioned:
•Deceptive forms: a highlighted "I accept" button next to a discreet "I refuse"
•Weak credential storage: passwords kept in clear text (they must be salted and hashed with a slow function such as bcrypt, scrypt or Argon2; encrypting them is not enough, since the key sits on the same server)
•Excessive retention: data kept 10 years where 3 years after the last contact is the usual benchmark for prospect data
•No privacy policy: mandatory information missing
•Cookies before consent: tracking installed before acceptance
1. Privacy policy: your legal shield
A mandatory document for any website, it must be easily accessible and written in understandable language.
Minimum required content:
1. Data controller identity
•Name/company name of your business
•Complete address
•Contact email
•Company registration number
2. Processing purposes and legal basis
•Contact request management → Legitimate interest (or pre-contractual measures at the person's request)
•Newsletter → Consent
•Analytics → Consent whenever it relies on cookies or similar trackers (see the cookie section); legitimate interest is defensible only for a consent-exempt audience-measurement setup
•E-commerce → Contract execution
3. Data collected and retention period
•Contact form: name, email, message → 3 years
•Analytics cookies: anonymized data → 25 months
•Customer accounts: profile data → commercial relationship duration + 3 years
•Connection logs: IP, date/time → 12 months
4. Rights of data subjects
You must explain how to exercise:
•Right of access: "View your data"
•Right of rectification: "Correct your information"
•Right to erasure: "Delete your data"
•Right to object: "Refuse processing"
•Right to portability: "Retrieve your data"
2. Cookie management: the technical challenge
Since the CNIL's 2020 cookie guidelines (enforced from April 2021), data protection authorities apply strict rules to cookies and similar trackers.
Cookie classification:
Exempt cookies (no consent required):
•E-commerce shopping cart
•Logged-in user session
•Language choice
•Security cookies (CSRF)
Cookies subject to consent:
•Google Analytics (even anonymized)
•Facebook Pixel
•Advertising cookies
•Social sharing buttons
•Third-party chatbots
•Video players (YouTube, Vimeo)
Compliant cookie banner:
✅ Good practice:
"We use cookies to improve your experience and analyze our traffic. You can accept all cookies, customize them or refuse them."
[Accept All] [Refuse All] [Customize]
❌ To avoid:
•"By continuing to browse, you accept cookies" (consent must be an affirmative act, not inferred from browsing)
•[I accept] with no "Refuse" button of equal prominence
•Cookies deposited before the visitor has made a choice
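The two rules the banner section states, no tracker before a choice and a refusal that is remembered as long as an acceptance, are easiest to get right on the server that renders the page. The example below is added here and is not code from the article or from any of the tools it lists; the cookie name `consent`, the two categories, the tag URLs and the button markup are assumptions. It renders the banner with no third-party tag and no cookie until a choice exists, then injects only the consented tags.

```python
"""Server-side consent gate for a rendered page: nothing that needs consent
(third-party tags, tracking cookies) is emitted until the visitor has chosen,
and a refusal is stored for as long as an acceptance so the banner does not
come back on every visit. Added example, not code from the article; the cookie
name, categories and tag URLs are assumptions."""
from http.cookies import CookieError, SimpleCookie

CONSENT_COOKIE = "consent"            # assumed name of the first-party choice cookie
CONSENT_MAX_AGE = 6 * 30 * 24 * 3600  # six months, the lifetime the CNIL recommends for a choice
CATEGORIES = ("analytics", "ads")

# Hypothetical third-party tags, each subject to consent
TAGS = {
    "analytics": '<script src="https://analytics.example/tag.js"></script>',
    "ads": '<script src="https://ads.example/pixel.js"></script>',
}
BANNER = ('<div id="cookie-banner">We use cookies to improve your experience and '
          'analyze our traffic. <button name="choice" value="accept_all">Accept All</button> '
          '<button name="choice" value="refuse_all">Refuse All</button> '
          '<button name="choice" value="customize">Customize</button></div>')


def encode_consent(choices):
    """Serialize {category: bool} as 'analytics:1|ads:0' (only cookie-safe characters)."""
    return "|".join(f"{c}:{1 if choices.get(c) else 0}" for c in CATEGORIES)


def parse_consent(cookie_header):
    """Return {category: bool} from the request's Cookie header, or None if the
    visitor has not made a valid choice yet (missing, malformed or tampered)."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    if CONSENT_COOKIE not in jar:
        return None
    choices = {}
    for item in jar[CONSENT_COOKIE].value.split("|"):
        name, _, flag = item.partition(":")
        if name not in CATEGORIES or flag not in ("0", "1"):
            return None
        choices[name] = flag == "1"
    return choices if len(choices) == len(CATEGORIES) else None


def consent_set_cookie(choices):
    """Set-Cookie header storing a choice, acceptance and refusal alike."""
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = encode_consent(choices)
    morsel = jar[CONSENT_COOKIE]
    morsel["max-age"] = CONSENT_MAX_AGE
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    morsel["secure"] = True
    return morsel.OutputString()


def handle_choice(action, selected=()):
    """Banner buttons: accept_all / refuse_all / customize (with the selected categories)."""
    if action == "accept_all":
        choices = {c: True for c in CATEGORIES}
    elif action == "refuse_all":
        choices = {c: False for c in CATEGORIES}
    elif action == "customize":
        choices = {c: c in selected for c in CATEGORIES}
    else:
        raise ValueError(f"unknown action {action!r}")
    return consent_set_cookie(choices)


def render_page(cookie_header):
    """HTML for a request. Tags are injected only for consented categories; a
    visitor with no recorded choice gets the banner, no tags and no cookie
    (setting one here would be 'cookies deposited before consent')."""
    choices = parse_consent(cookie_header)
    if choices is None:
        return f"<html><head></head><body>{BANNER}</body></html>"
    tags = "".join(TAGS[c] for c in CATEGORIES if choices[c])
    return f"<html><head>{tags}</head><body><p>Content</p></body></html>"


if __name__ == "__main__":
    print(render_page(""))
    print(handle_choice("refuse_all"))
```

The choice cookie is strictly functional (it records the visitor's answer), so it is itself exempt from consent; what matters is that `render_page` never emits a tag for a category whose flag is not `1`, and that a tampered or unknown value falls back to "no choice yet" rather than to "accepted".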
Recommended cookie solutions:
Free:
•Tarteaucitron.js: open source, very complete
•Cookiebot: 100 free pages
Paid:
•Axeptio: French, customizable design (€5/month)
•OneTrust: enterprise, very complete (quote required)
3. Data security: protect yourself from breaches
Article 32 of GDPR requires "appropriate technical and organizational measures".
Essential technical measures:
SSL/TLS certificate:
•HTTPS mandatory on the entire site, with every HTTP request redirected to HTTPS
•Encrypts client-server exchanges (form contents, session cookies, logins)
•Check: padlock in the browser address bar (no longer green in current browsers), no mixed-content warnings, TLS 1.2 or later; add an HSTS header so browsers stop attempting plain HTTP
Secure hosting:
•Choose a certified host (ISO 27001)
•Daily automatic backups, tested by actually restoring one
•Data centers in Europe (avoids international-transfer formalities, provided the provider itself is not subject to non-EU access laws)
Form protection:
•Captcha against bots
•Server-side data validation (client-side checks are only a convenience and are trivially bypassed)
•Parameterized queries (prepared statements) against SQL injection
•Submission rate limiting per IP address
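The three server-side items in that list can be shown in a few dozen lines. The example below is added here and is not code from the article; the SQLite schema, the field limits, the `consent` checkbox value and the rate-limit thresholds are assumptions. It validates a contact submission (including the opt-in box), stores it with a bound parameter, places the injectable lookup next to the safe one, and throttles submissions per IP.

```python
"""Hardened intake for a contact form: server-side validation (including the
consent box), parameterized SQL next to the injectable version it replaces, and
per-IP rate limiting. Added example, not code from the article; the schema,
field limits and thresholds are assumptions."""
import re
import sqlite3
import time
from collections import deque

EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[^@\s]{2,}$")  # deliberately simple, not full RFC 5322
MAX_NAME, MAX_MESSAGE = 100, 2000


def validate_contact(form):
    """Return a list of error strings; an empty list means the submission is acceptable.
    Client-side checks are only a convenience: everything is re-checked here."""
    errors = []
    name = (form.get("name") or "").strip()
    email = (form.get("email") or "").strip()
    message = (form.get("message") or "").strip()
    if not 1 <= len(name) <= MAX_NAME:
        errors.append(f"name: 1-{MAX_NAME} characters required")
    if not EMAIL_RE.match(email):
        errors.append("email: invalid format")
    if not 1 <= len(message) <= MAX_MESSAGE:
        errors.append(f"message: 1-{MAX_MESSAGE} characters required")
    if form.get("consent") != "yes":  # box left unticked means no consent (a pre-checked box would not count either)
        errors.append("consent: explicit opt-in required")
    return errors


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds for each IP."""

    def __init__(self, limit=5, window=600):
        self.limit, self.window = limit, window
        self._hits = {}

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        hits = self._hits.setdefault(ip, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # forget submissions that fell outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
                 "message TEXT, created_at REAL)")
    return conn


def store_contact(conn, form, now=None):
    """Parameterized INSERT: the values are bound as data, never spliced into the SQL text."""
    conn.execute(
        "INSERT INTO contacts (name, email, message, created_at) VALUES (?, ?, ?, ?)",
        (form["name"].strip(), form["email"].strip(), form["message"].strip(),
         time.time() if now is None else now),
    )
    conn.commit()


def find_by_email_unsafe(conn, email):
    """Vulnerable: string formatting lets the caller rewrite the WHERE clause."""
    return conn.execute(f"SELECT email FROM contacts WHERE email = '{email}'").fetchall()


def find_by_email_safe(conn, email):
    """Same lookup with a bound parameter: the payload is compared literally and matches nothing."""
    return conn.execute("SELECT email FROM contacts WHERE email = ?", (email,)).fetchall()


def demo():
    """Constructed submissions exercising each control; returns a summary dict."""
    conn = open_db()
    good = {"name": "Alice", "email": "alice@example.org", "message": "Quote please", "consent": "yes"}
    bad = {"name": "", "email": "not-an-email", "message": "x" * 3000, "consent": ""}
    store_contact(conn, good, now=1000.0)
    store_contact(conn, {**good, "email": "bob@example.org"}, now=1001.0)
    payload = "' OR '1'='1"  # classic injection: turns the WHERE clause into a tautology
    limiter = RateLimiter(limit=2, window=60)
    return {
        "good_errors": validate_contact(good),
        "bad_errors": validate_contact(bad),
        "injected_rows_unsafe": len(find_by_email_unsafe(conn, payload)),
        "injected_rows_safe": len(find_by_email_safe(conn, payload)),
        "rate_limited": [limiter.allow("203.0.113.5", now=t) for t in (0, 1, 2, 61)],
    }


if __name__ == "__main__":
    print(demo())
```

Against two stored rows, the formatted query with `' OR '1'='1` returns both of them while the bound query returns none; the limiter admits two submissions, refuses the third and admits again once the window has slid past the first.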
Access management:
•Strong passwords for admin accounts, stored only as salted hashes (bcrypt, scrypt or Argon2)
•Two-factor authentication (2FA), for example time-based one-time codes (TOTP)
•Access logs and monitoring, with lockout or throttling after repeated failed logins
•Principle of least privilege
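The password-storage and 2FA points above, and the credential-storage finding in the sanctions section, come together in the example below. It is added here and is not code from the article; the scrypt work factors, the 12-character minimum, the lockout thresholds and the in-memory store are assumptions. Passwords are hashed with scrypt and checked in constant time, the second factor is RFC 6238 TOTP over HMAC-SHA1, and an account is locked after too many failures.

```python
"""Admin credential handling: scrypt-hashed passwords (never clear text or
reversible encryption), a constant-time check, TOTP as the second factor, and a
lockout after repeated failures. Added example, not code from the article;
scrypt parameters, the 12-character minimum and lockout values are assumptions."""
import hashlib
import hmac
import os
import struct
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed work factors (about 16 MB of memory per hash)


def hash_password(password, salt=None):
    """Return 'scrypt$N$r$p$salt$digest'; parameters travel with the hash so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    calc = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                          n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time `at`; `secret` is the raw shared key."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AdminAccounts:
    """In-memory account store with 2FA and temporary lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.users = {}
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds

    def register(self, username, password, totp_secret=None):
        if len(password) < 12:
            raise ValueError("password too short: 12 characters minimum")
        secret = totp_secret or os.urandom(20)
        self.users[username] = {"hash": hash_password(password), "secret": secret,
                                "failures": 0, "locked_until": 0.0}
        return secret  # shown once, to enrol the authenticator app

    def login(self, username, password, code, now=None):
        """Return 'ok', 'denied' or 'locked'. Password and code are both checked
        on every attempt so the response does not reveal which one was wrong."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password)  # same cost for unknown users, so timing does not reveal valid names
            return "denied"
        if now < user["locked_until"]:
            return "locked"
        password_ok = verify_password(password, user["hash"])
        code_ok = hmac.compare_digest(code, totp(user["secret"], at=now))
        if password_ok and code_ok:
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= self.max_failures:
            user["failures"] = 0
            user["locked_until"] = now + self.lockout_seconds
        return "denied"


if __name__ == "__main__":
    accounts = AdminAccounts()
    secret = accounts.register("admin", "correct horse battery staple")
    print(accounts.login("admin", "correct horse battery staple", totp(secret)))
```

Storing the parameters inside the hash string is what lets you raise the work factor later and re-hash users on their next successful login; the `totp` routine is checked in the test against the published RFC 6238 vector (secret `12345678901234567890`, T = 59, 8 digits gives `94287082`).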
4. User rights: how to manage them concretely
Your visitors can exercise 8 rights. You have one month to respond, extendable by two further months for complex or numerous requests provided you tell the person within the first month.
| Right | Typical request | Required action | Recommended tool |
|---|---|---|---|
| Access | "What data do you have about me?" | Provide a copy of all data | Database export |
| Rectification | "Correct my email address" | Modify the incorrect data | Admin interface |
| Erasure | "Delete all my data" | Permanently erase | Deletion script |
| Objection | "I don't want newsletters anymore" | Stop the processing | Unsubscribe link |
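The "database export" and "deletion script" in the table above, together with the retention periods given in the privacy-policy section (contact forms 3 years, connection logs 12 months), are shown in the example below. It is added here and is not code from the article; the three SQLite tables, their columns, the fact that every table is keyed by the person's e-mail address, and the constructed rows are assumptions. It exports everything held on one person as JSON, erases it table by table, and runs the scheduled purge that enforces retention.

```python
"""Handling data-subject requests and retention over a small SQLite schema:
export for access/portability, erasure, and a scheduled purge applying the
retention periods the article lists (contact forms 3 years, connection logs
12 months). Added example, not code from the article; the tables, columns and
constructed rows are assumptions."""
import json
import sqlite3
import time

DAY = 24 * 3600
# Retention per table, in seconds; newsletter rows are kept until the person unsubscribes
RETENTION = {"contacts": 3 * 365 * DAY, "connection_logs": 365 * DAY}
# Every table holding personal data, keyed by the subject's e-mail (fixed list, never user input)
SUBJECT_TABLES = ("contacts", "newsletter", "connection_logs")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT, created_at REAL);
        CREATE TABLE newsletter (email TEXT PRIMARY KEY, created_at REAL);
        CREATE TABLE connection_logs (id INTEGER PRIMARY KEY, email TEXT, ip TEXT, created_at REAL);
    """)
    return conn


def seed(conn, now):
    """Constructed sample rows, some older than their retention period."""
    conn.executemany("INSERT INTO contacts (name, email, message, created_at) VALUES (?, ?, ?, ?)", [
        ("Alice", "alice@example.org", "Quote request", now - 10 * DAY),
        ("Alice", "alice@example.org", "Old follow-up", now - 4 * 365 * DAY),  # past 3 years
        ("Bob", "bob@example.org", "Hello", now - 30 * DAY),
    ])
    conn.execute("INSERT INTO newsletter VALUES (?, ?)", ("alice@example.org", now - 100 * DAY))
    conn.executemany("INSERT INTO connection_logs (email, ip, created_at) VALUES (?, ?, ?)", [
        ("alice@example.org", "203.0.113.7", now - 1 * DAY),
        ("bob@example.org", "198.51.100.2", now - 400 * DAY),  # past 12 months
    ])
    conn.commit()


def export_subject(conn, email):
    """Right of access / portability: {table: [rows as dicts]} for one person."""
    out = {}
    for table in SUBJECT_TABLES:
        cur = conn.execute(f"SELECT * FROM {table} WHERE email = ?", (email,))
        cols = [d[0] for d in cur.description]
        out[table] = [dict(zip(cols, row)) for row in cur.fetchall()]
    return out


def export_subject_json(conn, email):
    """Machine-readable copy to hand to the requester."""
    return json.dumps(export_subject(conn, email), indent=2, sort_keys=True)


def erase_subject(conn, email):
    """Right to erasure: delete from every table, return rows removed per table.
    Keep a log of the request itself (date, identity check), not of the data."""
    counts = {}
    for table in SUBJECT_TABLES:
        counts[table] = conn.execute(f"DELETE FROM {table} WHERE email = ?", (email,)).rowcount
    conn.commit()
    return counts


def purge_expired(conn, now=None):
    """Scheduled job enforcing RETENTION: returns rows purged per table."""
    now = time.time() if now is None else now
    counts = {}
    for table, ttl in RETENTION.items():
        counts[table] = conn.execute(f"DELETE FROM {table} WHERE created_at < ?",
                                     (now - ttl,)).rowcount
    conn.commit()
    return counts


if __name__ == "__main__":
    db = open_db()
    seed(db, time.time())
    print(purge_expired(db))
    print(export_subject_json(db, "alice@example.org"))
    print(erase_subject(db, "alice@example.org"))
```

The table and column names are interpolated from a fixed tuple, never from the request; the e-mail address that identifies the subject is always a bound parameter. Before running `erase_subject` on a real request, verify the requester's identity, and remember that backups restored later must not resurrect the rows.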
GDPR checklist: your 10-step action plan
Here's your roadmap for effective compliance:
- Data audit: map all your processing
- Privacy policy: write and publish
- Cookie management: install consent solution
- Technical security: HTTPS, secure hosting, backups
- Compliant forms: add consent boxes, information
- Rights procedures: define who handles requests, how
- Processing register: document each data processing
- Team training: educate your collaborators
- Supplier contracts: negotiate GDPR clauses with subprocessors
- Breach plan: prepare procedure in case of security breach
Practical tools for GDPR compliance
Facilitate your compliance with these resources:
Free GDPR tools:
•Processing register template
•GDPR developer guide
•GDPR workshop (free online training)
GDPR compliance costs
Investment required according to your structure size:
| Site type | Initial audit | Implementation | Total first year |
|---|---|---|---|
| Simple showcase site | €500 - 1,500 | €1,000 - 3,000 | €2,000 - 5,500 |
| SME e-commerce site | €1,500 - 3,000 | €3,000 - 8,000 | €6,000 - 14,000 |
| Complex platform | €5,000 - 15,000 | €15,000 - 50,000 | €25,000 - 80,000 |
ROI of GDPR compliance:
Tangible benefits:
•Avoid fines: up to €20M or 4% revenue
•Customer trust: +23% conversion
•Competitive advantage: differentiation
•Operational efficiency: optimized processes
Common mistakes to absolutely avoid
Learn from others' mistakes:
- ❌ Pre-checked box for consent (illegal)
- ❌ Generic policy copied from another site
- ❌ Cookies deposited before consent
- ❌ No "Refuse" button on cookie banner
- ❌ Unlimited retention of customer data
- ❌ No procedure to exercise rights
Conclusion: GDPR = business opportunity
Change perspective: GDPR is not just a constraint, it's a competitive advantage.
The 3 pillars of your GDPR success:
1. Transparency: clearly explain what you do with data
2. Security: protect data like your own secrets
3. Respect: give users control over their information
GDPR-compliant companies report:
•+15% customer trust
•+10% conversion rate
•-30% complaint management time
•No regulatory fines
Your GDPR compliance becomes a commercial argument: "Your data is protected with us".
Don't postpone any longer. Each day of delay increases your legal risks and makes you lose your customers' trust. Personal data protection is now at the heart of digital customer relationships.