GDPR and Privacy Basics for Site Owners

What GDPR actually requires of small site owners - cookie consent, privacy policy, data handling - explained without legalese, with practical setup steps.

GDPR (the EU General Data Protection Regulation) applies to anyone collecting data from people in the EU — which in practice means almost every website. The good news: for small sites with basic functionality, compliance is mostly about a clear privacy policy, cookie consent, and a few reasonable data-handling practices. This guide cuts through the legal jargon and explains what you actually need to do. Not legal advice — for high-stakes situations, talk to a lawyer.

Who has to comply

GDPR applies if:

  • Your site is accessible from the EU (almost always yes), AND
  • You collect, store, or process personal data of EU residents (visitor IPs, email addresses, names, etc.).

“Personal data” is defined broadly — IP addresses count, cookies that track users count, account info obviously counts. If you have Google Analytics, contact forms, or a login system, you’re handling personal data.

Other regions have similar laws (California’s CCPA, UK GDPR, Brazil’s LGPD). The practical guidance below mostly satisfies all of them.

The core principles

  • Lawful basis — you must have a reason to process data (consent, contract, legitimate interest).
  • Purpose limitation — only collect what you need for the stated purpose.
  • Data minimization — keep no more than required.
  • Storage limitation — delete data when no longer needed.
  • Transparency — tell users what you do with their data.
  • Security — protect data with reasonable measures.
  • User rights — let users access, correct, or delete their data on request.

For a small site with a contact form and Google Analytics, complying with these is mostly common sense plus a privacy policy.

Step 1: Write a privacy policy

Required content:

  • Who you are (business name, contact info, country).
  • What data you collect (visitor IPs, form submissions, account data, cookies, analytics).
  • Why you collect it (provide the service, marketing, legal compliance).
  • Who you share it with (Google Analytics, hosting provider, payment processor, etc.).
  • How long you keep it.
  • User rights (access, correction, deletion).
  • How to contact you with privacy questions.
  • Cookie information (or link to separate cookie policy).

Don’t copy a privacy policy from another site — it’ll list third parties you don’t use and miss ones you do, which is worse than nothing.

Tools that help generate a policy specific to your site:

  • WordPress built-in privacy policy generator — Settings → Privacy. Generates a draft based on your installed plugins.
  • iubenda (paid) — comprehensive, lawyer-reviewed templates customized to your stack.
  • Termly (free tier) — generator, good for small sites.
  • Termageddon (paid) — auto-updates as laws change.

Whatever you use, read the generated policy, correct anything that doesn’t match reality, and link it from your footer.

Step 2: Cookie consent

If your site sets cookies that aren’t strictly necessary (analytics, ads, social media embeds), you need explicit consent before loading them.

“Strictly necessary” cookies (session, cart, login) don’t need consent — they’re needed for the site to work. Analytics and tracking do.

Doing it right (vs. doing it wrong)

  • ✓ Explicit accept / reject choice with equal prominence.
  • ✓ No tracking before consent.
  • ✓ Easy way to change choice later.
  • ✗ “Pre-ticked” accept boxes — invalid consent under GDPR.
  • ✗ Cookie walls forcing accept — generally not allowed.
  • ✗ “By using this site you agree” notices — not consent, doesn’t comply.

WordPress plugins that handle the banner and the blocking:

  • CookieYes / GDPR Cookie Consent — free, popular, easy.
  • Complianz — free, more comprehensive, auto-scans your site for cookies.
  • WP Cookie Notice for GDPR — simple, lightweight.

Install one, configure it to block analytics and tracking scripts until consent is given, and customize the text to match your site’s tone.
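As an added example (not code from the article or from any of the plugins above), this is the gate those plugins implement: nothing non-essential loads until an explicit accept, reject is a real recorded choice, and the choice can be changed later. The cookie name, the 180-day re-ask period, the element ids and the analytics URL are assumptions made for this example.

```javascript
const CONSENT_COOKIE = "site_consent";    // assumed cookie name for this example
const CONSENT_MAX_AGE = 180 * 24 * 3600;  // seconds; ask again after 180 days

// Read the recorded choice from a document.cookie-style string. Returns "accepted",
// "rejected", or null. Missing or malformed = null ("no consent"): never fail open.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return value === "accepted" || value === "rejected" ? value : null;
    }
  }
  return null;
}

// Cookie that records the choice. It is itself strictly necessary (it only
// stores the decision), so setting it does not require consent.
function consentCookieValue(choice) {
  if (choice !== "accepted" && choice !== "rejected") {
    throw new Error("invalid consent choice: " + choice);
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Only an explicit "accepted" unlocks non-essential scripts such as analytics.
function analyticsAllowed(cookieString) {
  return readConsent(cookieString) === "accepted";
}

// Browser wiring; skipped when the file runs outside a browser (e.g. under Node).
// Assumes a hidden #consent-banner holding two identically styled buttons,
// #consent-accept and #consent-reject, plus a #consent-change link in the footer.
if (typeof document !== "undefined") {
  const el = (id) => document.getElementById(id);
  const loadAnalytics = () => document.head.appendChild(Object.assign(
    document.createElement("script"), { src: "https://analytics.example/tag.js", async: true })); // placeholder URL
  const record = (choice) => {
    document.cookie = consentCookieValue(choice);
    el("consent-banner").hidden = true;
    if (choice === "accepted") loadAnalytics();   // nothing loads on "rejected"
  };
  const choice = readConsent(document.cookie);
  if (choice === "accepted") loadAnalytics();               // returning visitor who accepted
  else if (choice === null) el("consent-banner").hidden = false; // ask once, not on every page
  el("consent-accept").onclick = () => record("accepted");
  el("consent-reject").onclick = () => record("rejected");
  el("consent-change").onclick = () => { el("consent-banner").hidden = false; }; // change later
}
```

Any analytics tag placed directly in the page’s HTML bypasses this gate, so the tag must exist only inside the loader, never as a static script element.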

Step 3: Forms and signups

Contact and signup forms collecting personal data need:

  • A checkbox like “I agree to my data being processed per the privacy policy” (linking to your policy).
  • Or a clear statement on the form explaining what happens with the data.
  • Only collect what you actually need (don’t ask for phone number on a newsletter signup).

For newsletter signups specifically, “soft opt-in” (you can email people who bought from you about similar products) is allowed in many cases; “double opt-in” (confirmation email) is best practice and required in some jurisdictions.

Step 4: Data security

  • HTTPS on all pages. AutoSSL on iWebVault handles this.
  • Strong passwords + 2FA on admin accounts (see the password guide).
  • Regular backups stored securely. JetBackup handles primary; verify backups occasionally.
  • Keep software updated — outdated software is the most common breach vector.
  • Limit data exposure — don’t show full customer names/emails publicly, don’t email passwords in plain text.

“Reasonable security measures” is the GDPR standard. The list above easily meets that for small sites.

Step 5: Handle user requests

Users have rights to:

  • Access — see what data you hold on them.
  • Correction — fix inaccurate data.
  • Deletion (right to be forgotten) — request you delete their data.
  • Data portability — get a machine-readable copy of their data.
  • Object to processing — opt out of marketing, analytics, etc.

You must respond to requests within 30 days. For a small site, this is rare — when it happens:

  1. Verify identity (don’t just delete on email request — confirm it’s actually them).
  2. Fulfill the request (export data, delete account, etc.).
  3. Confirm action to user.

WordPress has built-in tools: Tools → Erase Personal Data and Tools → Export Personal Data.

Common GDPR misconceptions

“I’m not in the EU, GDPR doesn’t apply.” If EU residents can access your site, you’re processing their data when they visit. GDPR applies regardless of your location.

“I’ll get fined immediately for any non-compliance.” Major fines target serious breaches at large companies. Small sites with minor compliance gaps are very rarely fined — the priority is forcing improvement, not punishing.

“GDPR means I can’t use Google Analytics.” Complicated. Google Analytics 4 is more compliant than legacy UA. With proper consent and anonymized IPs, it’s generally acceptable. Alternatives like Plausible and Fathom are designed cookieless and GDPR-friendly out of the box.

“My hosting provider has to handle compliance for me.” No — we handle our own compliance (we’re a data processor), but YOU control what data your site collects from your users. Your compliance is your responsibility. iWebVault provides infrastructure that supports compliance (HTTPS, secure backups, etc.); you build on top.

Tools that simplify the whole thing

  • Complianz (WordPress). Scans your site for cookies, generates policy, manages consent banner — comprehensive solution.
  • iubenda. Subscription-based, full legal documents for non-WordPress sites.
  • Plausible Analytics. Cookie-free, GDPR-by-design analytics alternative.
  • WordPress core privacy tools. Built-in policy generator, data export, data erase.

When to talk to a lawyer

  • You process sensitive data (health, biometrics, payment, children’s data).
  • You have large user volumes (tens of thousands+).
  • You sell to EU customers and want to be certain of compliance.
  • You received a complaint or regulator inquiry.
  • You’re handling a data breach with potential disclosure obligations.

For a basic small business site: privacy policy + cookie consent + sensible data handling covers you. For complex setups, professional advice is worth the cost.

What’s next

For most small sites GDPR compliance is: have a real privacy policy, get cookie consent, only collect what you need, secure what you have, respond to user requests. That’s most of it. The complexity scales with the data you handle — basic sites need basic measures.
