How to make your website GDPR proof

Something tells us you don't want to be fined for violating privacy laws. Sleep on your two ears and take these steps to make your website or webshop GDPR compliant.

Word of explanation about General Data Protection Regulation

You probably already know what GDPR is, but for completeness we repeat it once more. That way you won't discover any surprises. 😉

Also read

Generally speaking, the global term GDPR stands as an abbreviation for the General Data Protection Regulation. Specifically, it is a European privacy law that has been in effect since May 25, 2018. The main purpose of the GDPR is to protect the privacy and personal data of individuals within the European Union. It used to be referred to (including in the Netherlands) as the Personal Data Protection Act.

This specifically introduced legislation has specific requirements that websites must comply with, such as obtaining consent to collect personal data and taking appropriate security measures.

GDPR/AVG protects privacy-sensitive data.

The same as AVG

GDPR is a well-known term, but actually there is also a Dutch-language term to refer to that same law! Namely AVG. Those three capital letters stand for Algemene Verordening Gegevensbescherming. So GDPR and AVG mean exactly the same thing. There is no difference. Are you with me? 😀

Importance of making your site GDPR proof

Why you should put a GDPR proof website online? If only all questions were as simple as this one! Being GDPR proof is actually logic itself. After all, it's required by the GDPR AND you'll face hefty fines if you don't.


Besides, you owe it to your visitors and customers. They need to be one hundred percent sure that you as a business owner are handling their personal data safely and according to GDPR rules.

Making your website GDPR proof by setting up a privacy policy and cookie banner online is a crucial part of ensuring the privacy of your users while protecting your organization's reputation. Because by being transparent, you create more trust with your visitors.


You obviously want to know what rules and laws you need to comply with to be in order. So read our blog where we go into more detail about the content of a privacy policy. We also tell you what cookies are and what a good cookie banner should comply with.

Test your website's privacy settings

Almost every website processes personal data. So probably yours does too! How GDPR proof is your website right now? Do the free iubenda compliance scan and find out which parts you urgently need to address. Maybe it's not that bad and you can save some work! 😃

The iubenda logo on the left, a website in the middle and a magnifying glass to its right. The iubenda scan checks whether your website complies with the law.

Use these steps to make your website GDPR proof

As a matter of fact, it's a very good idea to use a roadmap to get your site legally ready. Because making your website GDPR (AVG) proof can be quite complex. That's because it's quite a tangle, figuring out which GDPR requirements your website must or must not meet.

A good roadmap is essential to becoming GDPR-proof and helps you to proceed systematically when implementing the AVG rules on your website. It provides guidance, structure and clarity, so you won't overlook important steps.

By including all required actions in your roadmap, you work more efficiently and save time and worry. So you can comply with data protection requirements as quickly as possible. Sounds good, right? 😀

Een stappenplan om GDPR proof te worden is een handig hulpmiddel voor website eigenaren.

5 steps to make your website GDPR (AVG) compliant

You can always count on Combell! So, also for making your online business GDPR proof! We will help you with this step-by-step plan and with reliable compliance software from iubenda! As a result, you will immediately take very big steps. 😉

Step 1: Inventory what personal data you process

Make an inventory of the types of personal data you collect from your visitors and customers. Taking inventory is an essential part of making your website GDPR proof.

Because you need to get a view of the extent of data processing on your site. So keep accurate records of what info you collect, how you use personal data and what you may be sharing with other parties. Don't fail to communicate transparently about this, because you are obligated to do so.

If you map all this out, you can take appropriate security measures to ensure the privacy of your users (extra firewalls, for example). It will also help you in the next steps, namely creating your privacy policy and collecting consents.

If you process personal data that is "likely to present a high risk to the rights and freedoms of natural persons," chances are you will need to conduct a Data Protection Impact Assessment (DPIA). This is the job of a Data Protection Officer.

Step 2: create a privacy policy and publish it on your website

A privacy policy is an important document that informs visitors to your website or online store about how you handle their privacy.

A clear privacy policy contains information (in understandable language) about how personal data are stored (e.g. via cookies), secured and shared. You must also indicate how long you will keep certain data.

Or what you as a company will do in case of data loss, a leak, hacking, among other things. In this article, we go over the most important elements that should be in a standard privacy policy.

Is your policy ready to go? Make it a web page and give it a place on your website. That way you are transparent about all the data that is collected, the reasons for collecting it and how the data is used.


If you want to create your own privacy policy in a snap, we recommend iubenda. With iubenda you generate all the necessary documents and tools you need to be GDPR proof. The fact that your privacy policy will always be updated in case of GDPR updates or other legislative changes is an added bonus!


Step 3: Use a cookie banner to ask permission to process personal data

After your privacy policy, it's time to put both your cookie policy and cookie banner online. By the way, your cookie policy can be a perfect part of your privacy policy.

Cookies allow you to track the surfing behavior of visitors. For example, through IP addresses. You can only do that if you have permission to do so. In fact, the GDPR states that anyone who puts cookies on an application must be transparent about it. You do that by communicating about the use, the reason why and the retention period of your cookies.

If you process privacy-sensitive information, you must actively seek consent.

In addition to being well informed, your customers should be able to give their explicit consent for non-essential cookies to be placed on their device. These are non-strictly necessary cookies such as targeting or advertising cookies. Explicit consent is not required when it comes to essential cookies (first-party cookies).

Nevertheless, users must always be given the chance to refuse cookies and/or manage their cookie settings. This is an essential part of European privacy law.

If you flout these rules, you risk high fines or other severe penalties. To give you an idea: GDPR fines in Belgium average up to 25,000 euros per company. They all have to do with GDPR violations.

To avoid penalties, read our article on cookies and choose iubenda for your convenience. With iubenda you get a fully customizable cookie banner.

In addition, you can create your own cookie policy in no time. Including updates on legislative changes. This way you can always be sure that your website complies with all privacy and cookie requirements.

Step 4: Ensure secure storage and processing of personal data

In step 4 of our roadmap for GDPR readiness of your website, it is important to ensure the secure storage and processing of personal data.

That means taking appropriate technical measures to ensure that the personal data you collect and process is very secure against data loss or hacking!

One way of making your IT environment a fortified fortress is by installing firewalls, backups and protection against DDoS attacks. Do this thoroughly, because cybersecurity is one of the main requirements of the GDPR rules.

By the way, Combell puts a lot of effort into cybersecurity. Therefore, your hosting provider has a great responsibility in terms of security.

In order to optimally protect your data, we try to block as many attacks as possible beforehand. This way, your application remains completely unaffected.

Step 5: Create a data breach reporting protocol

Having a data breach reporting protocol is required by the GDPR (AVG) for all websites that process personal data.

Legally, a data breach means that there has been "unauthorized access to personal data or it has been accidentally destroyed, altered or lost."

Establish a clear and structured reporting protocol that allows you to respond quickly and carefully in the event of a data breach.

The protocol should include the steps you take as a company when discovering a leak (such as immediately stopping further data loss), determining the extent and impact of the leak, notifying relevant authorities and communicating with data subjects.

By the way, did you know that you also have reporting obligations? If you notice a data breach then you must report it to the relevant supervisory authority within 72 hours. Unless the data leak does not pose any risk to the rights and freedoms of data subjects.

Making your business GDPR (AVG) proof: additional tips!

Secure your website with an SSL certificate. Thanks to this encrypted connection, your visitors will always surf to a secure website.
Limit the collection of personal data to what is necessary. An important rule of the GDPR is that you may only process data that is strictly necessary for the intended purpose. Therefore, check your web forms to avoid asking for unnecessary information.
Use Privacy by Default as a best practice to ensure the privacy of your users. That is, set your default settings to provide maximum protection of personal data. This way, you give your users privacy protection from the start without them having to take any action themselves.
Check WordPress plugins. Chances are your website runs on WordPress. Check each plug-in for personal data collected and GDPR compliance. Because plugins also collect data. If necessary, choose an alternative, especially with social media plugins that may collect (beyond your control) more data than allowed without permission.
Check accounts of your employees. According to the GDPR, only authorized employees should have access to personal data, including the back-end of your website. Therefore, check which users have access and remove colleagues who do not need this access for their work. This way, you ensure that only authorized individuals have access to personal data and comply with the GDPR.
Enter into processor agreements with third parties who, like you, process personal data according to GDPR rules. This is very important when personal data collected through your website is transferred to them. If you have a webshop, this applies, for example, to the payment provider you've chosen.