Who's responsible for GDPR of a website?


Hi all,
GDPR comes into effect later this month. I've got clients asking what they need to do about it. I've done some preliminary reading about GDPR, and other than putting a cookie notice and privacy policy on a website I'm very reluctant to give advice because I'm obviously not a legal bod!
Who is responsible for the GDPR deployment on websites? Is it the company or the web designer?


It's the company because GDPR relates to any personal information they may store or use, not just what a web site uses. As a web designer/developer you can of course implement any web site changes that may be needed.


OK great. I've suggested to clients they speak to a compliance officer and put them in touch with me direct if they need to know what information (if any) is being stored in the database.
I'm sure there's some clients I've forgotten to contact, but as long as the onus is on them to request GDPR web work from me then that's all good.


I believe that all companies that have 250 or more staff are required to have named person(s) who act as a Data controller and/or Data processor (whichever are needed), it's these people you would need to be talking with. Most companies seem to have either created new roles or assigned responsibilities to existing positions.

Smaller companies still need to assess the requirements for Data controllers/processors and adjust their internal systems to suit.

I've been pointing commercial clients to their own legal people for advice, as designers/developers we're not legal gurus! I have been helping some smaller clients directly getting their sites GDPR compliant, though none of them collect much data at all so it's all been pretty straightforward.


If you're using Google Analytics, some changes are needed (which your clients may not be aware of).


You can refer them to the ICO* if they want information.

*UK only.


Do you have a reference I can point a client to? I don't use it, but I have one client who does.


The only English resources I have are the mails that Google sends users of the analytics service. Basically, you have to log in, accept the new terms and conditions, set a period for data retention and add the details of a contact person for your organization. As IP addresses are considered personal information, you might need to anonymize the last byte of any that are collected. You (or your client) will also need to update their privacy statement to indicate they are using GA, add the correct code for those users that wish to opt out and also add a cookie banner if they don't have one already.


Ok, thanks, @Pullo. If Google has been sending emails, then she'll know and I don't need to feel responsible.

I put a cookie banner on her site when the previous legislation came out, and she insisted I take it off because "it doesn't look very nice". (I offered to change size, colour, shape, location, whatever, but basically she just didn't want it.) I really don't want to go through all that again, so if I can just remind her it's her responsibility and leave it at that, I'll be happy.


I've just pulled out the last email I had from Google regarding this. It says:

We recently sent an email introducing new data retention controls that allow you to manage how long your user and event data are stored by Google Analytics. We would like to remind you that the new data retention settings will soon take effect - on May 25, 2018.
If you haven’t already done so, please review and confirm these settings (Property ➝ Tracking Info ➝ Data Retention) as Google Analytics will begin to delete data according to these settings starting May 25.

So I take that as meaning I don't have to action anything. (I'm happy with the default retention setting they have).


Is the web developer either a Data controller or Data processor? (I'm not sure what the difference is). The web developer is the one that is storing the data (at the client's request) so perhaps burdens some of the responsibility?


It's a very grey area and probably depends on the level of the developer's involvement. If you built the site and handed it over for the client to run lock, stock and barrel then it's probably 100% in the hands of the client. On the other hand if you as a developer regularly work on the site then you could be deemed as controlling and/or processing data!

I'd say that unless you actually own the site yourself then it's the client's responsibility, it is their site after all and you've only been contracted to make it work in the way they specified.

From the ICO:

A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.


