GDPR and Web Data Protection

Comply with data protection regulations without sacrificing user experience


The General Data Protection Regulation (GDPR) is not just a European law — it is the global reference standard for digital privacy. Since it came into effect in 2018, it has inspired similar legislation worldwide (LGPD in Brazil, CCPA in California, LOPDGDD in Spain) and has changed how businesses collect, process and store personal data.

For any website that collects data from European users — even if it operates from another continent — GDPR compliance is not optional. This guide explains the key requirements, from consent management and cookies to privacy policies and impact assessments.

Core GDPR principles

The GDPR is built on six principles that guide every decision about personal data processing. These are not suggestions — they are legal obligations whose breach can result in fines of up to 4% of annual global turnover or 20 million euros.

  • Lawfulness, fairness and transparency: process data with a valid legal basis and inform the user clearly
  • Purpose limitation: collect data only for specific, explicit and legitimate purposes
  • Data minimisation: do not collect more data than strictly necessary
  • Accuracy: keep data up to date and allow users to correct it
  • Storage limitation: do not store data longer than necessary
  • Integrity and confidentiality: protect data with appropriate technical and organisational measures

Cookie policy and tracking

Non-essential cookies (analytics, advertising, social media) require prior explicit consent. Technical cookies necessary for site functionality (session, cart, preferences) do not require consent, but users must still be informed about them.

Classify all cookies on your site by purpose and provider. Google Analytics 4 with consentMode, Matomo as a privacy-first alternative, and server-side tracking are options that allow you to obtain useful data while respecting user privacy.

  • Technical cookies: do not require consent but do require information
  • Analytics cookies: require prior consent (or use tools that anonymise data)
  • Advertising cookies: always require explicit consent
  • Third-party cookies: document each provider and their privacy policy

An effective privacy policy

A privacy policy is not a legal document nobody reads — it is your primary transparency tool with the user. It must be accessible, understandable and complete, explaining what data you collect, for what purpose, on what legal basis, for how long and how the user can exercise their rights.

Include information about international data transfers (especially if you use services from US companies), the identity of the data controller, DPO contact details if applicable, and the right to lodge a complaint with the supervisory authority.

User rights

The GDPR grants users a set of rights over their data that your organisation must be prepared to address within a maximum of 30 days.

  • Right of access: the user can request a copy of all their personal data
  • Right to rectification: correction of inaccurate or incomplete data
  • Right to erasure (right to be forgotten): deletion of data when it is no longer necessary
  • Right to data portability: delivery of data in a structured, machine-readable format
  • Right to object: the user can object to processing based on legitimate interest

Data Protection Impact Assessment (DPIA)

A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals. This includes large-scale processing of sensitive data, automated decision-making with legal effects or systematic monitoring.

The DPIA must describe the processing operations, assess necessity and proportionality, identify risks to data subjects and define measures to mitigate them. It is a living exercise that must be reviewed when the processing circumstances change.

Technical implementation of compliance

GDPR compliance has a technical dimension that goes beyond legal texts. Privacy by Design means building data protection into the system architecture from the outset, not adding it as an afterthought.

Encrypt personal data at rest and in transit, implement role-based access controls, log access to sensitive data, anonymise or pseudonymise data whenever possible and establish automated processes for deleting data when retention periods expire.
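As an added illustration of two of these measures, pseudonymisation and automated deletion at the end of the retention period, together with the erasure right described earlier (this is example code, not part of the original article): identifiers are replaced by a keyed HMAC-SHA256 pseudonym, every stored record carries an explicit expiry, and a purge step removes expired records. The key value, record layout and sample events are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical pseudonymisation secret. In production it lives in a secrets
# manager or HSM, never in source control or next to the pseudonymised data.
PSEUDONYM_KEY = b"replace-with-a-random-32-byte-key"

def pseudonymise(identifier: str) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier such as an e-mail.

    A plain SHA-256 of an e-mail can be reversed by hashing a list of candidate
    addresses; with a secret key the pseudonyms cannot be rebuilt without it.
    Normalising whitespace and case keeps one subject under one pseudonym.
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()

def store_event(store: list, email: str, event: str, retention_days: int, now: datetime) -> dict:
    """Record an event against a pseudonym with an explicit expiry (storage limitation)."""
    record = {
        "subject": pseudonymise(email),       # no direct identifier is stored
        "event": event,
        "expires_at": now + timedelta(days=retention_days),
    }
    store.append(record)
    return record

def purge_expired(store: list, now: datetime) -> int:
    """Automated deletion once the retention period ends; returns records removed."""
    before = len(store)
    store[:] = [r for r in store if r["expires_at"] > now]
    return before - len(store)

def erase_subject(store: list, email: str) -> int:
    """Right to erasure: delete every record of one subject via their pseudonym."""
    subject = pseudonymise(email)
    before = len(store)
    store[:] = [r for r in store if r["subject"] != subject]
    return before - len(store)

def run_demo() -> dict:
    """Constructed scenario: two subjects, one 30-day and one 90-day retention."""
    store, now = [], datetime(2024, 1, 1, tzinfo=timezone.utc)
    store_event(store, "Alice@Example.com", "page_view", 30, now)
    store_event(store, "bob@example.com", "signup", 90, now)
    purged = purge_expired(store, now + timedelta(days=31))  # only Alice's record has expired
    erased = erase_subject(store, "bob@example.com")         # Bob exercises his erasure right
    return {"purged": purged, "erased": erased, "remaining": len(store)}
```

Running `run_demo()` returns `{"purged": 1, "erased": 1, "remaining": 0}`; in a real system the purge would run on a schedule against the database and each erasure and purge would itself be logged.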

Key Takeaways

  • GDPR applies to any site processing data from European users, regardless of where it operates
  • Consent must be freely given, specific, informed and unambiguous — pre-ticked boxes are illegal
  • Classify all cookies and obtain prior consent for non-essential ones
  • Prepare processes to address user rights within a maximum of 30 days
  • Privacy by Design: integrate data protection from the architecture, not as a patch

Does your website comply with GDPR?

We audit your website, implement consent management and prepare the legal documentation needed for regulatory compliance.