
GDPR website: what must your business control?

[Image: Clinic owner and developer reviewing GDPR, contact form and privacy flow on website]

A GDPR website is one that collects, uses and stores personal data in a lawful, clear and safe way. For Norwegian businesses, this is especially about contact forms, cookies, analytics, CRM, newsletters, the privacy policy and who gets access to the data.

GDPR is not just a text at the bottom of the footer. It is how the website behaves. If a form collects name, email, phone and message, you process personal data. If analytics tools track visitors, that can also be personal data. If data is sent onward to CRM or email systems, the flow must be understood.

At wevo, I build websites so privacy does not become an afterthought. That means fewer unnecessary fields, clear information, tidy consent where needed and technical choices that make data easier to control.

What does GDPR website mean in practice?

GDPR on a website is about personal data that can be linked to a person. That can be a name, email, phone number, IP address, a message in a contact form, booking data, a CV, health information or information from cookies. The Norwegian Data Protection Authority explains that organisations must have a legal basis, provide information and secure the data. Practically, you must know what the website collects, why, and where it is sent.

Think of Sara, who runs a clinic in Trondheim. The contact form asks for name, phone, treatment and free text. If the patient writes health information in the message, the data becomes more sensitive. Then it is not enough that the form looks nice. Sara must know who receives the message, where it is stored, and how long it is kept.

Which parts of the website involve GDPR?

Part of website  | Personal data that may be processed | What you should clarify
Contact form     | Name, email, phone, message.        | Purpose, recipient, storage and security.
Cookies          | IDs, behaviour, preferences.        | Consent, category and tool.
Analytics        | Visits, device, IP or user ID.      | Whether data is anonymised, shared or consent-based.
CRM integration  | Lead, status, notes and history.    | Who gets access and how long data is kept.
Newsletter       | Email, consent and preferences.     | Documented consent and easy unsubscribe.
GDPR does not only apply to the form. It applies to the whole data flow around the website.
[Image: Developer mapping personal data flow from contact form, analytics, newsletter and CRM]
Start with the data flow. Then privacy becomes concrete instead of abstract.

What should a contact form do to be tidy?

A good contact form only asks for what is needed to answer the customer. Many forms ask for too much because it seems practical for the business. GDPR pushes you to think the other way: collect as little as possible, explain why, and handle data safely. That is also better for conversion. A short form often creates more enquiries.

  1. Ask only for fields you actually need.
  2. Explain briefly what happens after submission.
  3. Do not ask for sensitive information if you do not need it.
  4. Use HTTPS and safe sending.
  5. Send data to the right recipient, not more people than necessary.
  6. Avoid form data sitting in unnecessary systems.
  7. Log errors without exposing personal data.

An accountant may need name, email and what the customer needs help with. He rarely needs a national ID number in the first contact. A dentist should avoid asking the patient to write health history in an open free-text field if it is not set up for it.

The same applies to file upload. If a customer can upload documents, you must know where the files are stored, who gets access, and whether they are deleted when the case is finished. A form is often the start of an entire data flow.

How do GDPR and cookie consent connect?

Cookies and GDPR meet when cookies are used for tracking, analytics or marketing. Then cookies can be linked to personal data or behaviour. That is why cookie consent on the website must be assessed together with the privacy policy. The banner says what the user chooses. The privacy policy explains the data flow more thoroughly.

  • Necessary cookies should be explained, but do not always require consent.
  • Analytics cookies normally require consent before activation.
  • Marketing pixels should never start before the user has said yes.
  • The privacy policy must explain tools, purposes and rights.
  • Consent choices must be changeable later.
[Image: Hands reviewing contact form and privacy text on tablet with GDPR checklist]
Forms, consent and privacy text must tell the same story.
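The consent rules in the list above, as an added example that is not wevo's code: necessary scripts always run, analytics and marketing scripts are only loaded after an explicit yes, and the choice can be changed later. Storage and the script loader are injected so the logic runs outside a browser; on a real page you would pass `localStorage` and a function that appends a script element. Category names, the storage key and the script inventory are assumed or constructed.

```javascript
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names
const STORAGE_KEY = "consent.v1";                           // assumed storage key

// Constructed script inventory: every third-party tool gets a category.
const SCRIPTS = [
  { id: "site-core", category: "necessary", src: "/js/core.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

function createConsentManager({ storage, loader }) {
  const loaded = new Set(); // ids already handed to the loader on this page view

  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; } // malformed value = no consent
  }

  // Only an explicit `true` counts; a missing, stale or tampered value means no.
  function allowed(category) {
    if (category === "necessary") return true;
    const choices = read();
    return Boolean(choices && choices[category] === true);
  }

  // Load every script whose category is permitted and has not been loaded yet.
  function apply() {
    for (const s of SCRIPTS) {
      if (!loaded.has(s.id) && allowed(s.category)) {
        loader(s);
        loaded.add(s.id);
      }
    }
    return [...loaded];
  }

  // Store the user's choice: anything not explicitly opted into stays off.
  // A later call overrides the earlier one, which is how the choice stays changeable;
  // a script already loaded on this page view stops on the next page load.
  function setChoices(partial) {
    const choices = { decidedAt: new Date().toISOString() };
    for (const c of CATEGORIES) choices[c] = c === "necessary" || partial[c] === true;
    storage.setItem(STORAGE_KEY, JSON.stringify(choices));
    return apply();
  }

  return { allowed, apply, setChoices, read };
}
```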

What must the privacy policy say?

The privacy policy should be concrete. Do not paste legal text nobody understands. Explain which data you collect, why you do it, which legal basis you use, who data is shared with, how long data is stored, and which rights the customer has. The Norwegian Data Protection Authority has guidance on information to users and controller responsibility.

Topic      | What the text should answer
Purpose    | Why do you collect the data?
Data types | Which data is collected?
Sharing    | Which suppliers or systems receive data?
Storage    | How long is the data kept?
Rights     | How can the customer ask for access or deletion?
A good privacy policy is specific to the website and the tools it actually uses.

What are common GDPR mistakes on websites?

The most common mistakes are not always dramatic. They are unclear. A form does not say what happens. Analytics runs without consent. The privacy policy does not mention CRM. Old leads stay in inboxes. Several employees receive messages they do not need. These things create risk because nobody has overview.

Another mistake is copying a privacy policy from another website. The text can look professional, but describe the wrong tools, wrong storage and wrong responsibility. Privacy must mirror the actual solution, otherwise the text does not help.

How should GDPR website work be maintained after launch?

GDPR work does not stop at launch. When you add a new form, new chat, new advertising pixel, new CRM connection or new analytics tool, privacy must be assessed again. That is why GDPR connects closely with normal operations and website maintenance.

  • Check the privacy policy when new tools are added.
  • Remove old recipients of form data.
  • Delete or archive old enquiries according to routine.
  • Check consent setup after script changes.
  • Document where data goes when an integration changes.

  1. Map all forms, scripts and integrations.
  2. Remove fields that are not necessary.
  3. Check that cookie consent blocks correctly.
  4. Update the privacy policy with actual tools.
  5. Limit who receives form data.
  6. Create routines for deletion and follow-up of old enquiries.
  7. Check business website security together with privacy.
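Points 1 and 4 of the checklist, and the earlier warning about a copied privacy policy describing the wrong tools, as an added example that is not wevo's code: compare the third-party hosts the site actually loads with the tools the privacy policy declares, and report both undeclared hosts and declared tools that are no longer in use. Both lists are constructed here; in practice the observed list comes from the site's own HTML or a browser's network log, and the declared list from the privacy policy.

```javascript
// Constructed: what the privacy policy currently says is in use.
const DECLARED_TOOLS = [
  { name: "Analytics tool", hosts: ["analytics.example"], purpose: "statistics" },
  { name: "Newsletter provider", hosts: ["newsletter.example"], purpose: "newsletter" },
];

// Constructed: script URLs found on the site.
const OBSERVED_SCRIPTS = [
  "https://analytics.example/tag.js",
  "https://ads.example/pixel.js", // marketing pixel nobody documented
  "/js/core.js",                  // first-party, no third party involved
];

// Resolve each URL against the site's own origin and keep only foreign hosts.
function thirdPartyHosts(urls, siteHost) {
  const hosts = new Set();
  for (const u of urls) {
    let parsed;
    try { parsed = new URL(u, `https://${siteHost}`); } catch { continue; } // unparsable: skip
    if (parsed.hostname !== siteHost) hosts.add(parsed.hostname);
  }
  return hosts;
}

// undeclared: hosts loaded but missing from the policy (policy must be updated or script removed).
// unused: tools the policy names but the site no longer loads (policy describes the wrong setup).
function reconcile(observedUrls, declaredTools, siteHost) {
  const observed = thirdPartyHosts(observedUrls, siteHost);
  const declared = new Set(declaredTools.flatMap((t) => t.hosts));
  const undeclared = [...observed].filter((h) => !declared.has(h)).sort();
  const unused = declaredTools
    .filter((t) => !t.hosts.some((h) => observed.has(h)))
    .map((t) => t.name);
  return { undeclared, unused };
}
```

Run it again after every script change, which is exactly when the policy and the site tend to drift apart.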

How does wevo build websites with GDPR in mind?

I start by making the data flow visible. Forms, analytics, newsletter, CRM, payment and third-party tools are listed. Then we assess what is necessary, what requires consent, and what can be removed. Often the website becomes both safer and faster when unnecessary scripts are removed.

This is a natural part of websites for businesses, especially when the site has contact forms, CRM connection or analytics. If the website also sends data to internal systems, API integration should be built with clear access and logging.

The goal is not to make the website heavy. The goal is to make it tidy. When the data flow is easy to explain, it is also easier to secure, maintain and improve.

What does GDPR mean for a website?

GDPR for a website means that personal data from forms, cookies, analytics and integrations must be collected, used and stored lawfully, clearly and securely.

Does a contact form need GDPR text?

The form should explain what happens with the data, and the privacy policy should give more detail about purpose, storage, sharing and rights.

Are cookies part of GDPR?

Yes, when cookies or similar technology can be linked to personal data, analytics or tracking, they must be assessed together with GDPR and consent rules.

What is data minimisation?

Data minimisation means collecting as little personal data as possible, only what is necessary for the purpose.

Want help with this? See how we work with websites.
