Chykalophia Docs

GDPR basics for businesses

What the EU's General Data Protection Regulation means for your website, even if your business is based outside Europe.

Tags: compliance, security, gdpr, privacy, beginner

The General Data Protection Regulation — usually called GDPR — is a European privacy law that came into force in 2018. It sets rules about how businesses collect, store, and use personal data.

If your website collects any information about people who live in the European Union, GDPR can apply to you — even if your business is based in the United States.

This is not legal advice

Chykalophia is a design and web agency, not a law firm. This article explains GDPR concepts and describes best practices we follow when building and maintaining websites. It is not a substitute for advice from a qualified attorney. Laws change, and your specific situation may have requirements not covered here. Please consult a lawyer for binding compliance decisions.

Quick summary

GDPR is an EU privacy law that protects how personal data is collected and used. It can apply to any website visited by EU residents, regardless of where the business is based. Key requirements include: telling people what data you collect, getting consent before using tracking cookies, honoring data deletion requests, and keeping personal data secure. We build GDPR-aligned practices into every site we deliver.

What GDPR actually is

GDPR stands for General Data Protection Regulation. It is a law passed by the European Union that protects the privacy rights of EU residents.

"Personal data" means any information that can identify a person. This includes names, email addresses, IP addresses, and even cookie identifiers.

The law gives EU residents specific rights. They can ask what data you hold about them. They can ask you to delete it. They can object to how you use it.

Does GDPR apply to my business?

GDPR applies based on where your website visitors are, not where your business is registered.

| Your situation | Does GDPR likely apply? |
|---|---|
| You serve customers only in the US, with no EU marketing | Probably not |
| You sell products or services to people in EU countries | Yes |
| You run paid ads targeting EU audiences | Yes |
| You have a contact form that EU residents might use | Likely, to some degree |
| You use Google Analytics or Meta Pixel on your site | Yes — these tools collect data from EU visitors |

When in doubt, treating your site as GDPR-aware is the safer path — and it tends to be good practice for all visitors, not just EU ones.

What GDPR requires in plain English

GDPR has many provisions, but for most small and mid-size business websites, the practical requirements come down to these:

Be transparent about data collection

You must have a privacy policy that clearly explains:

  • What personal data you collect (e.g., name, email, IP address)
  • Why you collect it (contact forms, analytics, marketing)
  • Who you share it with (email platforms, analytics services, hosting providers)
  • How long you keep it
  • How people can request access or deletion

If your site uses tracking tools — such as Google Analytics, Meta Pixel, or advertising trackers — you must ask visitors for consent before those tools activate for EU users.

This is where a cookie consent banner comes in. See our guide on cookie consent law for how this works in practice.

Honor data subject rights

If someone asks you to:

  • See what data you hold about them
  • Correct inaccurate information
  • Delete their data ("the right to be forgotten")

You are expected to respond within 30 days. Most small business websites receive very few such requests, but you should know the process.

Keep data secure

You must take reasonable steps to protect personal data from unauthorized access, loss, or breach. This includes things like keeping your website software updated, serving the site over HTTPS (an SSL/TLS certificate, the padlock in the browser), and not storing sensitive data you do not need.

Report data breaches

If personal data is compromised — for example, through a site hack — GDPR requires notifying the relevant supervisory authority within 72 hours in serious cases, and notifying affected individuals without undue delay.

Who is responsible for what

GDPR uses two key terms:

  • Data controller — the organization that decides why and how personal data is processed. As the business owner, this is usually you.
  • Data processor — a third party that processes data on your behalf (your email platform, analytics provider, hosting company, etc.).

You are responsible for ensuring your data processors also meet GDPR standards. Reputable services like Google, Mailchimp, and major hosting providers publish their own GDPR compliance documentation.

What we do to help

When we build or maintain your website, we follow these practices to support GDPR alignment:

  • We configure cookie consent tools to block tracking scripts until the visitor gives consent
  • We help you publish a clear, accurate privacy policy
  • We implement SSL on every site we manage
  • We keep software updated to close security vulnerabilities
  • We can advise on which third-party tools collect data and how to disclose them

We help, but you are the data controller

Even when we build and maintain your site, you — the business owner — remain responsible as the data controller under GDPR. Our technical work supports compliance, but the legal obligations are yours. Work with a lawyer to confirm your obligations and document your processes.

Common pitfalls

  • Using pre-ticked cookie consent boxes. GDPR requires active, unambiguous consent. Pre-ticked boxes do not count.
  • Ignoring analytics tools. Google Analytics and Meta Pixel collect personal data. They need to be behind a consent gate for EU visitors.
  • An out-of-date privacy policy. If you add a new tool (say, a CRM or live chat), update your privacy policy to reflect it.
  • No process for deletion requests. Even if you never receive one, you should know how you would handle it.
  • Thinking GDPR doesn't apply because you're in the US. The law is based on where your visitors are, not where your business is.
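The consent gate described under "Be transparent about data collection" and in the first two pitfalls above, as an added example that is not Chykalophia's own code or tooling: trackers are registered under a category and are only injected into the page after the visitor actively ticks that category, so nothing is pre-selected and nothing loads before a choice is recorded. The script URLs, the `consent-accept` button and the `consent-<category>` checkbox ids are placeholders assumed for the example.

```javascript
// Added example, not Chykalophia's own code: an opt-in consent gate that keeps
// tracking scripts off the page until the visitor grants the matching category.
// All script URLs and element ids below are placeholders.

const CATEGORIES = ['analytics', 'marketing'];

function createConsentGate(loadScript) {
  // loadScript(url) is supplied by the caller so the gate can be exercised
  // without a browser; in a page, pass injectScriptTag (defined below).
  const pending = [];   // registered scripts that have not been loaded yet
  const loaded = [];    // URLs that have actually been injected
  // Nothing is pre-ticked: every category starts as "not granted".
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));

  function assertCategory(category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
  }

  // Inject every pending script whose category has been granted.
  function flush() {
    const ready = pending.filter((s) => consent[s.category]);
    for (const s of ready) {
      pending.splice(pending.indexOf(s), 1);
      loaded.push(s.url);
      loadScript(s.url);
    }
  }

  return {
    // Register a tracker under a category; it stays queued until consent exists.
    register(category, url) {
      assertCategory(category);
      pending.push({ category, url });
      flush();
    },
    // Record an explicit choice: only the categories the visitor ticked become
    // true. An empty list is a valid "decline all" answer.
    grant(categories) {
      if (!Array.isArray(categories)) {
        throw new Error('grant() needs the list of categories the visitor chose');
      }
      categories.forEach(assertCategory);
      for (const c of CATEGORIES) consent[c] = categories.includes(c);
      flush();
      return { ...consent, recordedAt: new Date().toISOString() };
    },
    // Withdraw consent: later registrations are blocked again. Scripts that
    // already ran cannot be un-run, which is why they must not load early.
    withdraw() {
      for (const c of CATEGORIES) consent[c] = false;
    },
    isGranted(category) {
      assertCategory(category);
      return consent[category];
    },
    loadedUrls() {
      return [...loaded];
    },
    pendingCount() {
      return pending.length;
    },
  };
}

// Browser-side loader: appends a <script> tag only when the gate calls it.
function injectScriptTag(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Page wiring (runs only in a browser). The tracker URLs are placeholders; the
// visitor's recorded choice can live in a first-party cookie or localStorage,
// since remembering the choice is strictly necessary rather than tracking.
if (typeof document !== 'undefined') {
  const gate = createConsentGate(injectScriptTag);
  gate.register('analytics', 'https://analytics.example/tag.js');
  gate.register('marketing', 'https://ads.example/pixel.js');
  document.getElementById('consent-accept')?.addEventListener('click', () => {
    const chosen = CATEGORIES.filter(
      (c) => document.getElementById(`consent-${c}`)?.checked,
    );
    localStorage.setItem('consent', JSON.stringify(gate.grant(chosen)));
  });
}
```

The point of injecting `loadScript` is that the gate's behaviour (nothing loads before a choice, only ticked categories load, withdrawal blocks new loads) can be checked outside a browser before the banner ships.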

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
