GDPR for Your Website, Without the Legal Jargon
What the GDPR requires from any site that collects data (a form, an email, statistics), the core principles, people's rights, and a practical checklist to stay compliant.
The GDPR is intimidating, especially for small organisations. Yet the spirit of it is simple: respect people’s data. Here is the essence, translated into concrete actions.
What is it, and who does it concern?
The GDPR (General Data Protection Regulation) is the European law that governs the use of personal data. Any organisation that collects it is concerned — a company, a freelancer, a nonprofit, a local council. The moment a visitor leaves an email through a form, you are processing personal data.
A personal data point = any information relating to an identifiable person: name, email, phone, address, but also an IP address or an identifier.
The core principles
- Purpose: collect for a specific, stated reason (“to answer your request”).
- Minimisation: ask only for what is necessary (a contact: name, email, message — no more).
- Consent: for anything not essential (newsletter, trackers), you need free and clear agreement.
- Transparency: state who collects, what, why, for how long.
- Security: protect the data (HTTPS, limited access, backups).
- Limited duration: do not keep data indefinitely.
People’s rights
Anyone can ask you for:
- access to their data,
- their rectification or their erasure,
- to object to a processing operation (e.g. unsubscribe).
You must be able to respond to these requests within a reasonable timeframe.
A practical checklist for a small site
- A clear privacy page: who, what, why, for how long, and how to exercise one’s rights.
- Minimalist forms: ask only for the essentials.
- Explicit consent for the newsletter and for non-essential cookies (see our article on cookies).
- HTTPS enabled (security of exchanges).
- No reselling of data; providers (emailing, host) that are compliant.
- A point of contact for exercising one’s rights (often the email in the legal notice).
Key takeaways
The GDPR does not require you to be a lawyer: it asks for common sense and transparency. Collect little, say so clearly, secure it, and honour requests. For complex cases (sensitive data, large volumes), get professional support — but for a showcase site, these actions cover the essentials.
⚠️ This article explains the principles; it is not a substitute for legal advice in specific situations.
Test your knowledge
The GDPR applies to…
As soon as a site collects a piece of personal data (a single email via a form is enough), the GDPR applies — even for a nonprofit.
A 'personal data' point is…
Name, email, IP address, phone… any piece of information that makes it possible to identify someone, directly or not.
The principle of 'minimisation' means to…
You only ask for what the purpose strictly requires (a contact form: name, email, message — not the date of birth).
A person has the right to…
Rights of access, rectification, erasure, objection… You must be able to respond to them.