The European Union’s General Data Protection Regulation (GDPR) caused the internet to descend into chaos. Companies, like Facebook or Google, were hit with severe GDPR complaints the next day the law kicked in. While Tronc and Lee Enterprises blocked their content to Europe.

Meanwhile, users were dissatisfied with the number of emails they received. Of course, their digital fury evolved into memes.

GDPR fines are real

Institutions, responsible for the governance of the GDPR, have already applied hefty fines.

Optical Center, a French company selling eye and hearing aids, was fined 250 000 euros by the French data protection authority for the failure to secure their clients’ data; Yahoo also paid 250 000 pounds for a data breach which occurred in 2014.

UK’s Dixons Carpone, a multinational electrical and telecommunications retailer and services, announced a breach of their customers’ data which included payment details of 5.9 million customers. If regulatory authorities decide to bring the full weight of the GDPR, it may lead to a 423 million pound fine.

GDPR applies to old data breaches

Yahoo’s case opened another debate on the GDPR which somehow didn’t get all the attention it deserved.

The new regulations will apply to ‘old’ data breaches. As a European Commission official confirmed in April, breaches that happened before GDPR took effect, will also be liable to fines.

‘Even if it started a long time ago and continues – and is discovered after the GDPR comes into play, then it’s relevant,’ source said.

How to comply with your website with the GDPR?

If you own a website and don’t protect your visitors’ data, you will be fined despite the size of your business.

Read the GDPR

To comply with the new law, you should, first of all, read it yourself. I know, it’s a hell of a long read – 261 pages – but it’s worth understanding your rights and obligations.

It’s also critical to know what data is protected under the GDPR – because not all data is equal. GDPR only applies to personal data as ‘any information relating to an identified or identifiable natural person’. If your users or their behavior can be identified by the data you collect, it’s personal (ptss, check Article 4).

This was particularly easy for us. Surfshark is based in the British Virgin Islands, a country which doesn’t require to log internet users’ personal data, and this allows us to guarantee a strict no logs policy.

Transparent privacy notice

UK’s Information Commissioner’s Office (ICO) prepared a sample of a privacy notice. ?

HERE you can find more document samples and guidelines which can help you comply with the GDPR.

If you decide to craft your privacy notice, make sure there aren’t confusing terminology, double negatives or other language tricks used to fool people into giving their consent.

In general, be transparent, but because the term is very broad, your notice should answer the following questions:

  • What information do you collect?
  • Who is collecting it?
  • Why do you collect it?
  • Do you share the information with third-parties? What are those?
  • How will you use the information

Active opt-in

Under the GDPR, customers’ opt-in consent can’t be a condition of service. Also, the boxes can’t be pre-checked. It means newsletter, contact or similar preference by default must be left blank or checked as a ‘no.’

Moreover, the consent you’re asking for must be explicit: ideally, separate out accepting terms and conditions and permission to use private data.

Simple opt-out

Nobody wants their users to cancel subscriptions, so websites make opt-outs as complicated as possible. Therefore, make your users feel in control of their data.

To create a better user experience, allow selective withdrawing of consent (e. g. withdraw from all or separate sections), choose the frequency of communications (e. g. how often individuals want to receive your newsletters).

Names of third-party players

If you share your users’ data with third-party players, you must explicitly name them. Instead of defining categories, actually, list the brands.

The use of Google Analytics

Many websites use Google Analytics to monitor and analyze the traffic. Google has already stated their GDPR compliance HERE. The tech giant, claims to have made it easier for the businesses to follow with data protection laws.

With that said, Google Analytics is an anonymous tracking system, meaning, users’ data is secure. As of now, there are no specific articles that could somehow affect the use of Google Analytics.


If cookies contain sensitive information, they fall under the GDPR’s scope of personal data. If there’s a legitimate reason to use cookies, warn your users.

Review your plugins

Plugins also must comply with the GDPR as many of them use cookies. Under the GDPR, the owner of the website is responsible for plugins.

Before allowing a plugin, review which plugins use visitors’ data. List this in your privacy notice and ask for users’ consent.

Have an aching GDPR related question? Ask us in the comments, and we will help to find the answer.

Get Surfshark for $1.99/mo

30-day money-back guarantee with every plan