The GDPR has been in effect since 2018, yet many Irish business websites still aren’t properly compliant. Here’s what you actually need to do.
Disclaimer: This is practical guidance, not legal advice. For complex situations, consult a data protection specialist.
What GDPR Actually Requires for Websites
At its core, GDPR requires you to:
- Only collect personal data you genuinely need
- Tell people what you’re collecting and why
- Get proper consent before collecting it
- Keep that data secure
- Delete it when you no longer need it
- Let people access, correct, or delete their data on request
WordPress-Specific Compliance Checklist
1. Privacy Policy
You must have one. It must explain:
- What data you collect (forms, cookies, analytics, etc.)
- Why you collect it
- How long you keep it
- Who you share it with (including third parties like Google Analytics)
- How people can request their data or ask for deletion
Link to it from your footer, forms, and cookie notice.
2. Cookie Consent
If you use cookies beyond what’s strictly necessary (and you almost certainly do), you need:
- A cookie notice that appears before non-essential cookies load
- Clear accept/reject options (not just “OK”)
- A way for visitors to change their preferences later
Important: “By continuing to browse, you accept cookies” is not valid consent.
Recommended plugins: Complianz or CookieYes (properly configured).
3. Contact Forms
Every form that collects personal data needs:
- Clear information about what you’ll do with the data
- A link to your privacy policy
- A checkbox for consent (pre-ticked boxes are not valid)
Don’t ask for more than you need. If you only need an email, don’t ask for phone number and address.
4. Analytics
Google Analytics collects personal data (IP addresses). You need:
- Cookie consent before GA loads (for non-essential tracking)
- IP anonymisation enabled
- Mention of analytics in your privacy policy
Consider privacy-focused alternatives like Plausible or Fathom that don’t require cookie consent.
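The two points above that a plugin has to get right, blocking non-essential scripts until an explicit choice and letting the visitor change that choice later, are shown below in a small consent gate for a WordPress front end. This is an added example, not code from the original post or from Complianz or CookieYes; the storage key, element ids, category names and the `G-PLACEHOLDER` tag id are assumptions, and the storage and script loader are injected so the logic can be exercised without a browser.

```javascript
// Added example, not code from the original post or from any plugin it names.
// A small consent gate: non-essential scripts load only after an explicit
// accept, a rejection or "no choice yet" keeps them blocked, and the stored
// choice can be withdrawn later. Storage and the script loader are injected so
// the same logic runs in a browser and in a test without a DOM.

const CONSENT_KEY = "site_consent_v1";          // hypothetical storage key
const CATEGORIES = ["analytics", "marketing"];  // consent is asked per category

function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const loaded = new Set();   // URLs already injected, so nothing loads twice

  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed === "object" && parsed.choices ? parsed : null;
    } catch (e) {
      return null;   // a corrupt record counts as "no choice made"
    }
  }

  // Only an explicit, stored "true" allows a category. Strictly necessary
  // cookies need no consent and are always allowed.
  function isAllowed(category) {
    if (category === "necessary") return true;
    const record = read();
    return Boolean(record && record.choices[category] === true);
  }

  // Store an explicit choice. Every category is written as true or false so a
  // partial selection never silently enables the rest; the timestamp makes the
  // stored object double as the consent record.
  function recordChoice(accepted) {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = accepted.includes(c);
    const record = { choices, decidedAt: now().toISOString(), version: CONSENT_KEY };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }
  const acceptAll = () => recordChoice([...CATEGORIES]);
  const rejectAll = () => recordChoice([]);

  // Withdrawal: drop the record so the notice shows again and nothing loads.
  function withdraw() { storage.removeItem(CONSENT_KEY); }

  // True until the visitor has made an explicit choice (either way).
  function needsNotice() { return read() === null; }

  // Inject the scripts of every allowed category; returns what was started.
  // `scripts` maps category -> list of script URLs.
  function applyConsent(scripts) {
    const started = [];
    for (const [category, urls] of Object.entries(scripts)) {
      if (!isAllowed(category)) continue;
      for (const url of urls) {
        if (loaded.has(url)) continue;
        loaded.add(url);
        loadScript(url);
        started.push(url);
      }
    }
    return started;
  }

  return { isAllowed, recordChoice, acceptAll, rejectAll, withdraw, applyConsent, needsNotice };
}

// Browser wiring. Element ids and the tag id are placeholders for your own
// theme and analytics property; this branch is skipped when there is no DOM.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const manager = createConsentManager({
    storage: window.localStorage,
    loadScript: (url) => {
      const s = document.createElement("script");
      s.src = url;
      s.async = true;
      document.head.appendChild(s);
    },
  });
  const SCRIPTS = {
    analytics: ["https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"],
  };
  const notice = document.getElementById("cookie-notice");
  if (notice) notice.hidden = !manager.needsNotice();
  document.getElementById("consent-accept")?.addEventListener("click", () => {
    manager.acceptAll();
    if (notice) notice.hidden = true;
    manager.applyConsent(SCRIPTS);
  });
  document.getElementById("consent-reject")?.addEventListener("click", () => {
    manager.rejectAll();
    if (notice) notice.hidden = true;
  });
  // A "Cookie settings" link in the footer lets the visitor change their mind.
  document.getElementById("consent-change")?.addEventListener("click", () => {
    manager.withdraw();
    if (notice) notice.hidden = false;
  });
  manager.applyConsent(SCRIPTS);   // on page load: loads only if already accepted
}
```

Two things worth noting. Nothing in this gate treats scrolling or continued browsing as a choice: `needsNotice()` stays true and `isAllowed()` stays false until a button is pressed. And withdrawal removes the record but cannot unload a script that is already on the page, so the change takes effect on the next page load; that is also why the "does it actually block cookies until consent is given?" check in the action steps should be done with a fresh browser profile. The IP anonymisation setting from section 4 is a property of the analytics tag's own configuration call after it loads, separate from this gate.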
5. Email Marketing
If you collect email addresses for marketing:
- Explicit opt-in required (not pre-ticked)
- Clear about what they’re signing up for
- Easy unsubscribe in every email
- Records of consent (when, how, what they agreed to)
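The form rules from section 3 (a separate, unticked consent box, a link to the policy, no more fields than needed) and the consent-record rule just above are the kind of thing a browser checkbox alone cannot guarantee, because the request body is whatever the client sends. The handler below is an added example of the server-side half, not code from the original post or from any form plugin: it keeps only the declared fields, requires a separate affirmative value per purpose, and writes a record of when, how and to what text the person agreed. The field names, purposes and `POLICY_VERSION` label are assumptions, and the function is pure so it can be run without a web server.

```javascript
// Added example, not code from the original post or from any form plugin.
// Server-side processing for a contact form that also offers a marketing
// opt-in. Field and consent names are hypothetical.

const FORM_FIELDS = ["name", "email", "message"];   // what this form needs; anything else is dropped
const PURPOSES = {
  enquiry:   { field: "consent_enquiry",   required: true,  text: "Handle my enquiry as described in the privacy policy" },
  marketing: { field: "consent_marketing", required: false, text: "Send me occasional marketing emails" },
};
const POLICY_VERSION = "privacy-policy-PLACEHOLDER";   // placeholder: version label of the policy shown

// Only an explicit affirmative value counts. "on" is what a ticked HTML checkbox
// sends; a missing field, "", "false" or "0" all mean no consent was given.
function isAffirmative(value) {
  return value === true || value === "on" || value === "yes" || value === "true";
}

function processSubmission(body, { now = () => new Date(), source = "contact-form" } = {}) {
  const errors = [];

  // Data minimisation: copy only the declared fields, trimmed and non-empty.
  const data = {};
  for (const f of FORM_FIELDS) {
    const v = typeof body[f] === "string" ? body[f].trim() : "";
    if (v) data[f] = v;
  }
  if (!data.email) errors.push("email is required");
  if (!data.message) errors.push("message is required");

  // Anything the form did not ask for is reported and discarded, never stored.
  const consentFields = Object.values(PURPOSES).map((p) => p.field);
  const dropped = Object.keys(body).filter((k) => !FORM_FIELDS.includes(k) && !consentFields.includes(k));

  // One checkbox per purpose. A single bundled "I agree to everything" field is
  // not a recognised consent field, so it is dropped and the required purpose fails.
  const consents = {};
  for (const [purpose, spec] of Object.entries(PURPOSES)) {
    const given = isAffirmative(body[spec.field]);
    consents[purpose] = given;
    if (spec.required && !given) errors.push(`consent for ${purpose} is required`);
  }

  if (errors.length > 0) return { ok: false, errors, dropped };

  // Consent record: who, when, how, which policy version and exactly what text
  // was agreed to. Store this alongside the enquiry.
  const record = {
    subject: data.email,
    at: now().toISOString(),
    how: source,
    policyVersion: POLICY_VERSION,
    agreed: Object.entries(consents)
      .filter(([, given]) => given)
      .map(([purpose]) => ({ purpose, text: PURPOSES[purpose].text })),
  };
  return { ok: true, data, consents, record, dropped };
}
```

The server cannot tell whether a box was pre-ticked in the template, so the template must render each consent checkbox unchecked and next to the privacy policy link; what this code guarantees is that a submission without a separate, explicit "yes" for the required purpose is rejected, that marketing consent is never inferred from the enquiry consent, and that the stored record carries the wording the person actually saw.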
6. E-commerce (WooCommerce)
Online shops have additional requirements — see our WooCommerce maintenance checklist for more:
- Clear data retention policies
- Secure handling of payment data
- Customer data export and deletion on request
- Order data retention only as long as legally required
Common Mistakes Irish Websites Make
Implied Consent
“By using this site, you agree to…” is not consent. People must take a clear affirmative action.
Bundled Consent
One checkbox for “I agree to the terms, privacy policy, and marketing emails” is not valid. Separate checkboxes for separate purposes.
No Way to Withdraw
If people can’t easily change their cookie preferences or unsubscribe from emails, you’re not compliant.
Excessive Data Collection
Asking for phone number, address, and company name when someone just wants to send a message? That’s collecting more than you need.
GDPR and Your Hosting
Your hosting provider processes data on your behalf, making them a “data processor.” They should:
- Have a Data Processing Agreement (DPA) available
- Store data in the EU (or have appropriate safeguards for other locations)
- Have proper security measures in place
- Not use your data for their own purposes
At SparkHost, our servers are in Ireland. We have a clear DPA and only process customer data as instructed by our clients.
Action Steps for Today
- Audit your forms — What data do you collect? Do you need all of it?
- Check your cookie notice — Does it actually block cookies until consent is given?
- Review your privacy policy — Does it accurately reflect what you do?
- Test user rights — Can someone actually request their data from your site?
GDPR compliance isn’t a one-time task. Review regularly, especially when adding new plugins or functionality.