What is the GDPR?

AJ Morris
Solutions

In 2016, the European Union passed the General Data Protection Regulation (GDPR) after deliberating over it for four years. The regulation gave two years for companies to get in compliance, which is typically more than enough time. The reality though is that companies and even regulators are still struggling to update to new standards.

Read on to learn what the GDPR is, why it’s important, and how you can develop a plan of action.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a set of rules. These rules span from requirements like notifying regulators about data breaches to transparency for users about what data is being collected. They even cover why it needs to be collected. It is a new data protection law in the EU, which came into force Friday, May 25th, 2018.

The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”

The law states that users must confirm that their data can be collected; that a clear privacy policy must be displayed showing what data will be stored and how it will be used; and that users have the right to withdraw their consent to the use of their personal data at any time (which then requires the data to be deleted).

The GDPR applies to data collected on EU citizens from anywhere in the world. As such, any website with EU visitors or customers must comply with the GDPR, which means all businesses that want to sell products or services to the European market need to comply.

So what does GDPR entail?

Unfortunately, not everything is black and white when it comes to laws like this, but the GDPR generally has the following applications:

  • Applies to any personal data that relates to or can be used to identify someone (Art. 4).
  • Applies to any sensitive personal data such as race, ethnic origin, sexual orientation, and health status (Recital 51, Art. 9).
  • Requires that consent is given or there is a good reason to process or store personal information.
  • Allows a person to request that the personal information held about them is completely erased (unless there is a valid reason to keep it, such as a bank loan). Also referred to as the right to be forgotten (Art. 17).
  • Gives a person the right to know what information is being stored about them.
  • Privacy by design and default: Makes sure that personal information is properly protected. New systems must have protection designed into them and access to the data is strictly controlled and only given when required (Art. 25).
  • If data is lost, stolen, or accessed without permission, the authorities must be notified within 72 hours (Art. 33), along with the people whose data was accessed (Art. 34).
  • Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
  • Right to access and data portability: A person can request their information in a downloadable format at any time, as well as use it or transfer it to another service (Art. 20).
  • Allows national authorities to impose fines on companies breaching the regulation.
  • Parental consent will be required to process the personal data of children under the age of 16 for online services; can vary per member state, but it will not be below the age of 13 (Art. 8).

What happens if you are not GDPR compliant?

Site and store owners have until May 25, 2018, to comply with the regulations set by the GDPR. There are hefty penalties for non-compliance. If you are found non-compliant, you are looking at a fine of up to € 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. High penalty fines have been proposed to try and increase compliance.

However, you may wonder what steps for supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:

  • carry out audits on websites,
  • issue warnings for non-compliance,
  • issue corrective measures to be followed with deadlines.

SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be GDPR compliant.

It is too early to speculate how the SAs of the various member states will interlink and work together, but one aspect is clear: SAs will enjoy considerable power to enforce the GDPR guidelines.

What to Do if You’re Not GDPR Compliant

Consult a lawyer.

Disclaimer: I’m not a lawyer. Please first seek the advice of a lawyer that can help you sort out what you need to do.

WordPress and WooCommerce have pushed out releases with many features for getting compliant with GDPR.

Upgrading WordPress (and WooCommerce, if you use it) is one of the first steps you can take, after talking to a lawyer.

Did we mention reaching out to get legal advice?

GDPR Compliance with Liquid Web Hosting

If you are hosting with Liquid Web, you can check out our article on GDPR that answers questions related to our compliance.

GDPR FAQs

Under the GDPR (General Data Protection Regulation), personal data is any information that can identify a person, either directly or indirectly.

Personal data includes obvious identifiers such as:

  • Full name
  • Email address
  • Phone number
  • Home address
  • Passport or driver’s license number

It also includes digital identifiers, such as:

  • IP addresses
  • Cookie identifiers
  • Device IDs
  • Location data
  • Usernames or account IDs

In general, if a piece of information can be used to recognize someone, track them online, or link them to a specific identity, it likely counts as personal data under GDPR.

GDPR also includes a special category of sensitive personal data (sometimes called “special category data”), such as health information, biometric data, political opinions, religious beliefs, and genetic data, which requires stricter handling.

Your business may need to follow GDPR if you collect, store, or process personal data from individuals located in the European Union (EU) or European Economic Area (EEA), even if your business is not based in Europe.

In most cases, GDPR applies if your business:

  • Has customers or website visitors in the EU or EEA
  • Collects personal data through forms, email signups, or ecommerce checkout
  • Uses analytics tools or marketing cookies that track EU visitors
  • Offers goods or services to people in the EU (even online)

GDPR is not limited to European companies. It applies based on who you serve and whose personal data you process.

If your website accepts EU traffic, runs ads, uses tracking cookies, or sells products internationally, it is usually safest to assume GDPR applies.

The cost of a GDPR audit varies depending on your business size, industry, website complexity, and the amount of personal data you collect.

Typical GDPR audit costs include:

  • Small business website audit: $1,000 to $5,000
  • Medium-sized business audit: $5,000 to $20,000
  • Large business or enterprise audit: $20,000+

Some legal firms and compliance consultants charge hourly rates, while others offer fixed packages. Costs may also increase if your business needs additional services such as policy drafting, consent management setup, or data protection officer (DPO) guidance.

For many small businesses, the biggest cost is not the audit itself, but the technical and legal work required to fix compliance gaps afterward.

To make a small business website GDPR compliant, you need to focus on transparency, consent, and secure handling of personal data. GDPR compliance is mostly about collecting only the data you need and clearly explaining what you do with it.

Common GDPR compliance steps include:

  1. Publish a clear privacy policy explaining what data you collect, why you collect it, and how it is used.
  2. Add a cookie consent banner that allows users to accept or reject non-essential cookies.
  3. Limit tracking tools like advertising pixels unless users give consent.
  4. Secure your website using HTTPS/SSL encryption.
  5. Collect only necessary form data and avoid asking for extra personal details.
  6. Use GDPR-compliant plugins and services for email marketing, analytics, and ecommerce.
  7. Offer users access and deletion options so they can request their data or ask you to remove it.
  8. Protect stored customer data with strong passwords, updates, and access control.

GDPR compliance is not a one-time checklist. It is an ongoing process that requires regular updates, security improvements, and clear documentation of how your website handles personal information.

GDPR Summary

If you waited to figure out what you needed to do about GDPR, we recommend getting legal advice. Our sense is that every site is unique and has to get its own counsel, but that GDPR will affect just about everyone online.
