Compliance · 7 min read · 8 April 2026

GDPR & Website Security: What UK Businesses Need to Know

Under UK GDPR, 'appropriate technical and organisational measures' to protect personal data are not optional: they are a legal requirement. Here is what that means for your website in plain English.

The Legal Obligation

The UK General Data Protection Regulation (UK GDPR), retained in UK law after Brexit and applied alongside the Data Protection Act 2018, requires organisations to implement "appropriate technical and organisational measures" to protect personal data. Article 32(1) specifically calls out:

  • Pseudonymisation and encryption of personal data
  • Ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore availability of, and access to, personal data promptly after an incident
  • Regular testing, assessing and evaluating of the effectiveness of those measures

Infringing these security obligations can result in fines of up to £17.5 million or 4% of total annual worldwide turnover (whichever is higher), issued by the Information Commissioner's Office (ICO).

What "Appropriate Technical Measures" Means for Your Website

The ICO does not prescribe a specific checklist, but the following are widely considered baseline requirements for any website handling personal data (contact forms, user accounts, e-commerce):

1. Encryption in Transit

All data transmitted between your visitors and your server must be encrypted. This means:

  • A valid TLS certificate from a publicly trusted CA (not self-signed, not expired, matching the hostname)
  • TLS 1.2 or 1.3 only (TLS 1.0 and 1.1 are deprecated by RFC 8996)
  • HTTPS enforced with a permanent (301 or 308) redirect from HTTP
  • A Strict-Transport-Security (HSTS) header, so browsers refuse plain HTTP on later visits and SSL-stripping downgrade attacks fail

2. Secure Cookie Handling

If your site uses cookies to manage sessions or store personal data:

  • Secure flag: the cookie is only ever sent over HTTPS
  • HttpOnly flag: the cookie cannot be read by JavaScript, which limits session theft through XSS
  • SameSite=Strict or Lax: the browser withholds the cookie on most cross-site requests, which mitigates cross-site request forgery
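The checks in sections 1 and 2 can be run against the raw response headers a site returns. The script below is an added example and is not WebGuard's code: it parses one plain-HTTP response and one HTTPS response (both constructed sample data, not captures from a real site) and reports a missing permanent redirect, a short or incomplete HSTS header, and cookies without the three flags. All function names are this example's own.

```python
"""Audit an HTTP and an HTTPS response for the transport and cookie controls
listed in sections 1 and 2: permanent redirect to https://, a usable HSTS
header, and Secure/HttpOnly/SameSite on every cookie.

Added example, not WebGuard's code. The two responses are constructed
sample data; the function names are this example's own.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # one year in seconds, the usual minimum HSTS max-age

# Constructed sample: what a site might answer on port 80 and port 443.
HTTP_RESPONSE = """HTTP/1.1 302 Found
Location: https://example.test/
Content-Length: 0
"""

HTTPS_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Set-Cookie: session=abc123; Path=/; HttpOnly; SameSite=None
Set-Cookie: csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html
"""


def parse_response(raw):
    """Return (status_code, {lower-case header name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_redirect(status, headers):
    """Plain HTTP must answer with a permanent redirect to an https:// URL."""
    findings = []
    if status not in (301, 308):
        findings.append(f"HTTP not permanently redirected (status {status})")
    location = headers.get("location", [""])[0]
    if urlsplit(location).scheme != "https":
        findings.append("redirect target is not https://")
    return findings


def audit_hsts(headers):
    """HSTS must be present, long-lived and cover subdomains."""
    values = headers.get("strict-transport-security")
    if not values:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in values[0].split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip()
    findings = []
    max_age = int(directives.get("max-age") or 0)
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_cookie(set_cookie):
    """Check one Set-Cookie header for the three flags."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"cookie {name} SameSite is not Strict or Lax")
    return findings


def audit(http_response, https_response):
    """Run all checks and return the list of findings (empty means clean)."""
    status, headers = parse_response(http_response)
    findings = audit_redirect(status, headers)
    status, headers = parse_response(https_response)
    findings += audit_hsts(headers)
    for cookie in headers.get("set-cookie", []):
        findings += audit_cookie(cookie)
    return findings


if __name__ == "__main__":
    for finding in audit(HTTP_RESPONSE, HTTPS_RESPONSE):
        print("FAIL:", finding)
```

On the sample data the script reports five findings: the 302 is not a permanent redirect, the HSTS max-age of 300 seconds is far too short and omits includeSubDomains, and the session cookie lacks Secure and uses SameSite=None. The csrf cookie passes. To audit a live site, capture the headers with `curl -sI http://example.com` and `curl -sI https://example.com` and pass the output to audit().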

3. No Sensitive Data Exposure

Common scanner findings that expose personal data, or the credentials guarding it, include:

  • .env files readable via the web (containing database passwords and API keys)
  • .git directories exposed (revealing source code, commit history and sometimes credentials)
  • Backup files (database.sql.bak, backup.zip) left in the web root
  • Verbose error pages that leak stack traces, queries or personal data
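A scanner that only trusts a 200 status will mis-report these exposures on sites that answer 200 for every path, so each hit should be confirmed by content. The script below is an added example, not WebGuard's code: it probes the artefact paths listed above through an injected fetch function, confirms hits against a content signature, and lists a leaked .env by variable name only so the report itself does not reproduce the secrets. FAKE_SITE is constructed sample data, and the domain example.test and all function names are this example's own.

```python
"""Probe a site for artefacts that must never be web-readable (section 3),
confirming each hit by its content rather than trusting a 200 status alone,
and report a leaked .env by variable name only.

Added example, not WebGuard's code. FAKE_SITE is constructed sample data;
the URL example.test and all function names are this example's own.
"""
import re
from urllib.parse import urljoin

# Paths that should never be reachable on a production host.
PROBE_PATHS = [".env", ".git/HEAD", ".git/config", "database.sql.bak",
               "backup.zip", "wp-config.php.bak"]

# A 200 on its own proves little (many sites answer 200 for everything), so a
# hit is confirmed only when the body looks like the artefact it claims to be.
SIGNATURES = {
    ".env": re.compile(rb"^[A-Z_][A-Z0-9_]*=", re.M),
    ".git/HEAD": re.compile(rb"^(ref: refs/|[0-9a-f]{40})", re.M),
    ".git/config": re.compile(rb"^\[core\]", re.M),
    "database.sql.bak": re.compile(rb"CREATE TABLE|INSERT INTO", re.I),
    "backup.zip": re.compile(rb"^PK\x03\x04"),  # zip local file header
}

# Constructed responses standing in for a real site. backup.zip is a "soft
# 404": status 200 but an HTML error page, which the signature check rejects.
FAKE_SITE = {
    "https://example.test/.env": (200, b"DB_PASSWORD=hunter2\nAPP_KEY=example-only\n"),
    "https://example.test/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://example.test/database.sql.bak": (200, b"-- dump\nCREATE TABLE `users` (\n"),
    "https://example.test/backup.zip": (200, b"<html><body>Not found</body></html>"),
    "https://example.test/wp-config.php.bak": (200, b"<?php\n"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client: returns (status, body_bytes)."""
    return FAKE_SITE.get(url, (404, b"Not Found"))


def http_fetch(url):
    """Standard-library fetcher with the same contract, for use against a
    host you are authorised to test. Not called by the offline demo."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as response:
            return response.status, response.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, b""


def scan_exposed_files(base_url, fetch):
    """Return {path: verdict} for every probe path that answered 200 and
    either matched its signature or has no signature to check against."""
    exposed = {}
    for path in PROBE_PATHS:
        status, body = fetch(urljoin(base_url, path))
        if status != 200:
            continue
        signature = SIGNATURES.get(path)
        if signature is None:
            exposed[path] = "200 OK, content not verified"
        elif signature.search(body):
            exposed[path] = "confirmed by content signature"
    return exposed


def env_variable_names(body):
    """List the variable names in a leaked .env so the report can say what
    was exposed without reproducing the secret values themselves."""
    names = []
    for line in body.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        names.append(line.split("=", 1)[0].strip())
    return names


if __name__ == "__main__":
    results = scan_exposed_files("https://example.test/", fake_fetch)
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    if ".env" in results:
        status, body = fake_fetch("https://example.test/.env")
        print("exposed .env variables:", env_variable_names(body))
```

Against the sample site the scan confirms .env, .git/HEAD and database.sql.bak, flags wp-config.php.bak as an unverified 200 for manual review, and correctly ignores the soft-404 backup.zip. Swap fake_fetch for http_fetch to run it against a host you own.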

4. Email Security (SPF, DMARC, DKIM)

If your domain sends emails (newsletters, order confirmations, password resets), you need:

  • SPF record: lists which servers are authorised to send email for your domain
  • DKIM signature: cryptographically signs outgoing mail so receivers can detect tampering and confirm the sending domain
  • DMARC policy: tells receiving servers how to treat mail that fails SPF and DKIM alignment, and where to send reports

Without these, anyone can send phishing email that appears to come from your domain to your customers. That is a risk the ICO expects you to address, and a phishing campaign that compromises customer accounts or data can become a reportable breach.
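SPF and DMARC are plain text records published in DNS, so once retrieved (for example with `dig TXT example.com` and `dig TXT _dmarc.example.com`) they can be checked for the weaknesses that make the mechanisms useless in practice: an SPF record that ends in +all, too many DNS-lookup terms, or a DMARC policy of p=none. The script below is an added example, not WebGuard's code; the records are constructed samples and the function names are this example's own. DKIM is left out because verifying it needs the signature on an actual message.

```python
"""Evaluate the SPF and DMARC TXT records for a domain against the section 4
requirements. Both are plain strings published in DNS, so they can be
checked offline once retrieved. DKIM is omitted: verifying it needs the
signature on an actual message.

Added example, not WebGuard's code. The records below are constructed
samples; the function names are this example's own.
"""
import re

# Constructed sample records.
WEAK_SPF = "v=spf1 include:_spf.mailer.test a mx ptr +all"
GOOD_SPF = "v=spf1 include:_spf.mailer.test -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)
MAX_LOOKUPS = 10


def parse_spf(record):
    """Return the SPF terms after the version tag, or raise on a non-SPF string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def audit_spf(record):
    """Return findings for an SPF record (empty means acceptable)."""
    findings = []
    terms = parse_spf(record)
    # The 'all' mechanism decides the fate of every sender not listed before it.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as you")
    elif all_term == "?all":
        findings.append("'?all' is neutral; use '-all' (or '~all' while testing)")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: receivers return permerror")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        findings.append("'ptr' mechanism is deprecated and slow; remove it")
    return findings


def parse_dmarc(record):
    """Return DMARC tags as a dict of lower-case tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return findings for a DMARC record (empty means acceptable)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports")
    return findings


if __name__ == "__main__":
    for label, record, audit in (("SPF", WEAK_SPF, audit_spf), ("DMARC", WEAK_DMARC, audit_dmarc)):
        print(label, record)
        for finding in audit(record):
            print("  FAIL:", finding)
```

The weak SPF record is flagged for +all and the deprecated ptr mechanism; the weak DMARC record is flagged for p=none, pct=50 and the missing rua= address. The lookup-count check matters because a record that exceeds ten lookups (common after several third-party include: terms accumulate) yields permerror at receivers, which silently disables SPF for the domain.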

The ICO's Expectations

The ICO's Article 32 enforcement has included fines for:

  • Failing to keep personal data secure at all: the first UK GDPR fine, £275,000 against Doorstep Dispensaree in 2019, concerned paper records left in unlocked containers, but the same obligation applies to data behind a web form
  • Storing passwords in plain text
  • Not patching known vulnerabilities in a timely manner

How WebGuard Helps

WebGuard's GDPR compliance mode maps every security check to the relevant GDPR article and ICO guidance. You can generate a GDPR compliance PDF report showing your current status against each requirement — useful for Data Protection Impact Assessments (DPIAs) and supplier due diligence questionnaires.

Run a free GDPR compliance scan at WebGuard [blocked] — no account required.
