What GDPR asks of a website
GDPR sets out how you must handle personal data, meaning anything that can identify a person, from a name and email to an IP address. If your site has a contact form, runs analytics, or sends email, it processes personal data and the rules apply.
The core ideas are simple to state. Collect only what you need, be clear about why, keep it secure, and respect people's rights to see or delete their data. The detail is where care is required, but the spirit is fairness and transparency.
Practical points for sites
Lawful basis matters. For marketing email you generally need consent, gathered honestly through a clear, affirmative choice rather than buried in pre-ticked boxes. Forms should explain what happens to the data and link to a privacy notice. Any email automation must honour unsubscribe requests promptly.
Analytics and cookies need thought too. Tools that track individuals usually require consent before they run, which is why a consent step often sits ahead of Google Analytics: the tracker must not load until the visitor has actively agreed, and must stop if they later withdraw. Privacy-focused analytics that do not identify individuals can reduce this burden.
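The consent step described above, as an added example that is not code from the original page or from any analytics vendor. It shows the behaviour a practitioner cares about: nothing loads when no choice has been recorded, a malformed, refused or stale record counts as no consent, the stored choice is honoured on later page loads without asking again, and withdrawal stops the tracker. Storage and the load/unload hooks are injected so the code runs under Node; in a browser `storage` would be `window.localStorage` and `loadAnalytics` would insert the analytics script tag. The names `CONSENT_KEY`, `CONSENT_VERSION`, `ConsentGate` and `createDemoGate` are assumptions made for this illustration.

```javascript
// Added example (not from the original page): gate an analytics tracker behind
// an explicit, recorded consent choice. Storage and the load/unload hooks are
// injected so this runs under Node; in a browser `storage` would be
// window.localStorage and `loadAnalytics` would insert the analytics <script>.
// CONSENT_KEY and CONSENT_VERSION are assumed names for this illustration.

const CONSENT_KEY = 'analytics_consent';
const CONSENT_VERSION = 2; // bump when the purposes described in the banner change

// Minimal in-memory stand-in for window.localStorage.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ConsentGate {
  constructor({ storage, loadAnalytics, unloadAnalytics }) {
    this.storage = storage;
    this.loadAnalytics = loadAnalytics;
    this.unloadAnalytics = unloadAnalytics;
    this.loaded = false;
  }

  // Read the stored record. Only an affirmative record for the current
  // version counts; a missing, malformed, refused or stale record does not.
  hasConsent() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw === null) return false;
    let rec;
    try { rec = JSON.parse(raw); } catch { return false; }
    return rec !== null && typeof rec === 'object'
      && rec.analytics === true && rec.version === CONSENT_VERSION;
  }

  // Run on every page load: start the tracker only if consent was recorded earlier.
  init() {
    if (this.hasConsent() && !this.loaded) {
      this.loadAnalytics();
      this.loaded = true;
    }
    return this.loaded;
  }

  // "Accept" in the banner: store an affirmative, dated, versioned record, then load.
  grant() {
    this.storage.setItem(CONSENT_KEY, JSON.stringify({
      analytics: true, version: CONSENT_VERSION, at: new Date().toISOString(),
    }));
    return this.init();
  }

  // "Decline" or later withdrawal: record the refusal (so the banner is not
  // shown again) and stop the tracker if it is running.
  revoke() {
    this.storage.setItem(CONSENT_KEY, JSON.stringify({
      analytics: false, version: CONSENT_VERSION, at: new Date().toISOString(),
    }));
    if (this.loaded) {
      this.unloadAnalytics();
      this.loaded = false;
    }
    return this.loaded;
  }
}

// Build a gate with a fake tracker whose load/unload calls are recorded in `calls`.
function createDemoGate(storage = new MemoryStorage()) {
  const calls = [];
  const gate = new ConsentGate({
    storage,
    loadAnalytics: () => calls.push('load'),
    unloadAnalytics: () => calls.push('unload'),
  });
  return { gate, storage, calls };
}

// Walk through one visitor's session across two page loads and return the
// sequence of tracker calls: nothing on the first load, load after accepting,
// load again on the next page, unload after withdrawal.
function simulateVisit() {
  const storage = new MemoryStorage();
  const page1 = createDemoGate(storage);
  page1.gate.init();   // no record yet: tracker must not start
  page1.gate.grant();  // visitor accepts
  const page2 = createDemoGate(storage);
  page2.gate.init();   // stored consent: tracker starts without asking again
  page2.gate.revoke(); // visitor withdraws: tracker stops
  return [...page1.calls, ...page2.calls];
}
```

The version field is the practical caveat: consent covers the purposes the visitor was told about, so when the banner text or the tracking purposes change, bumping `CONSENT_VERSION` invalidates old records and the question is asked again rather than silently reusing an answer given for something else.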
Security and trust
Protecting data in transit with HTTPS is a baseline expectation, and so is storing it sensibly: limit access to those who need it and keep personal data no longer than its purpose requires. Where customers manage their own information through a customer portal, being clear about what is stored and who can see it builds confidence.
This glossary is general guidance, not legal advice. We build sites that follow GDPR good practice by default, and we recommend a solicitor for anything specific to your situation.