GDPR Requires a Secure Website: What You Need to Know
5 April 2026
Every website that collects personal data falls under the GDPR. And the GDPR doesn't just care about cookie banners and privacy policies. It also requires you to protect that data with proper security measures.
Article 32 of the GDPR says it plainly: you must implement "appropriate technical and organisational measures" to protect personal data. If your website gets hacked because you skipped basic security, you're not just dealing with a breach. You're dealing with a potential fine.
What Article 32 actually says
The full text of Article 32 talks about encryption, pseudonymisation, confidentiality and resilience. It sounds like it was written for banks and hospitals. But the key word is "appropriate." The GDPR doesn't expect a five-person bakery to run the same security operation as a multinational. It expects measures that match the risk.
For a small business website, "appropriate" means getting the basics right. No one is going to fine you for not having a dedicated security operations centre. But they will fine you for running an outdated WordPress installation with a default admin password while your contact form collects customer data in plain text.
The standard is proportional. A website that processes names and email addresses through a contact form needs different security than one that stores medical records. But both need something.
Your website processes personal data (yes, even that contact form)
You might think your website is too simple to worry about GDPR security. But take a closer look at what it actually does.
Contact forms collect names, email addresses, phone numbers and whatever people type into the message field. That's personal data.
Newsletter signups store email addresses and sometimes names. You're processing personal data.
Booking systems can collect names, phone numbers, dates of birth, even health information for medical practices or dentists.
Analytics tools can track IP addresses and browsing behaviour. Server logs do the same.
If your website has any of these, the GDPR security requirements apply to you. There's no minimum size threshold. Even a one-page site with a contact form falls under this obligation. Read more about form and signup requirements for the full picture.
Minimum security measures for GDPR compliance
Here's what "appropriate technical measures" looks like for a small business website.
HTTPS everywhere
Every page must load over HTTPS with a valid SSL certificate. No exceptions. This encrypts data in transit between your visitor's browser and your server. If your site still shows "Not Secure" in the browser bar, fix that first. Our guide on fixing the Not Secure warning walks you through it step by step.
Software updates
Your CMS, plugins, themes and server software need to be up to date. Outdated software is the number one way small business websites get compromised. WordPress sites running old plugins are especially vulnerable. Check our list of vulnerable WordPress plugins to see if you're running any known risks.
Access controls
Admin accounts need strong passwords and two-factor authentication where possible. Default usernames like "admin" should be changed. Limit who has access to your website backend and your hosting panel.
Backups
Take regular backups and store them separately from your web server. If your site is compromised, you need to be able to restore it, and a backup sitting on the same compromised server may be gone too. A breach is bad enough without also losing all your data permanently.
Security headers
HTTP security headers protect your visitors from common attacks like clickjacking and cross-site scripting. Most hosting setups ship with weak defaults. You can check your site's headers for free at securityheaders.com.
Email authentication
If your domain sends email (and it probably does through contact form notifications), set up SPF, DKIM and DMARC records. These stop attackers from spoofing your domain to send phishing emails to your customers. Our SPF, DKIM and DMARC guide explains what each one does and how to set them up.
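The header and email-authentication checks above can be automated. The Python below is an added example, not code from this site or its scanner: it audits a dict of response headers and a dict of DNS TXT records, both constructed here (the domain example.com and its records are made up), and reports what a data protection authority would count as a missing basic measure.

```python
import re

def hsts_ok(value):
    # HSTS only helps if max-age is long; 180 days is the common minimum bar.
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= 15552000

# Header name -> (value check, what a missing or weak value exposes)
HEADER_CHECKS = {
    "strict-transport-security": (hsts_ok, "browsers may still fall back to plain HTTP"),
    "x-frame-options": (lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
                        "site can be framed by other origins (clickjacking)"),
    "content-security-policy": (lambda v: "default-src" in v or "script-src" in v,
                                "no script-source restriction (cross-site scripting)"),
    "x-content-type-options": (lambda v: v.lower() == "nosniff",
                               "browser may sniff MIME types of uploaded files"),
    "referrer-policy": (lambda v: bool(v.strip()),
                        "full URLs (possibly holding personal data) leak to third parties"),
}

def audit_headers(headers):
    """Return findings for a dict of HTTP response headers (names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (check, why) in HEADER_CHECKS.items():
        if name not in lower:
            findings.append(f"missing {name}: {why}")
        elif not check(lower[name]):
            findings.append(f"weak {name}={lower[name]!r}: {why}")
    return findings

def audit_email_auth(domain, txt_records):
    """txt_records maps a DNS name to its TXT strings, as a resolver would return them.
    DKIM is not checked here: it needs the selector name, which varies per sender."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif not spf[0].rstrip().endswith(("-all", "~all")):
        findings.append("SPF: record does not end in -all/~all, spoofed mail is not rejected")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record, receivers cannot enforce SPF/DKIM alignment")
    elif (m := re.search(r"\bp=(\w+)", dmarc[0])) is None or m.group(1) == "none":
        findings.append("DMARC: policy p=none only monitors, set quarantine or reject")
    return findings

# Constructed samples: a shared-hosting default next to a hardened setup.
WEAK_SITE = {"Server": "Apache", "Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
HARDENED_SITE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'",
                 "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"}
WEAK_DNS = {"example.com": ["v=spf1 include:_spf.example.net +all"]}
GOOD_DNS = {"example.com": ["v=spf1 include:_spf.example.net -all"],
            "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}

if __name__ == "__main__":
    for label, h, d in (("weak", WEAK_SITE, WEAK_DNS), ("hardened", HARDENED_SITE, GOOD_DNS)):
        print(label, audit_headers(h) + audit_email_auth("example.com", d))
```

Point the two audit functions at real response headers and resolver output to turn this into the documented evidence Article 32 asks for.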
For the full list, check our website security checklist.
What happens when security fails: breach notification
Article 33 of the GDPR requires you to report data breaches to the data protection authority within 72 hours. If the breach poses a high risk to people's rights, you also have to notify the individuals affected under Article 34.
This is where poor website security turns into a real headache. When your website gets hacked because of an outdated plugin or a weak password, here's what follows:
- You discover the breach (sometimes weeks or months later).
- You figure out what data was accessed.
- You report it to the data protection authority within 72 hours of discovery.
- The authority investigates. They ask what security measures you had in place.
- If those measures were inadequate, you're looking at a fine on top of the breach itself.
The breach notification requirement is what connects bad security to actual fines. It's not just about preventing attacks. It's about what happens during the investigation afterwards.
Real enforcement: fines for bad security
Data protection authorities have issued fines specifically for inadequate website security. These aren't just theoretical risks.
In 2022, the Belgian data protection authority fined a company 15,000 euros after a data breach revealed insufficient security measures. The investigation found outdated software and missing access controls.
The Greek authority fined a real estate website 20,000 euros for failing to protect user data, including weak password policies and lack of encryption.
Closer to home for Dutch businesses, the Autoriteit Persoonsgegevens has made it clear that security is a core GDPR obligation. Small business fines typically range from 1,000 to 10,000 euros, but they can go higher when the authority finds wilful neglect of basic security. Read more about GDPR fines for small businesses to understand the actual risk.
The pattern in these cases is consistent: authorities don't fine businesses for being hacked. They fine them for not having reasonable protection in place before the hack happened.
The gap between what you think and what's actually there
Most business owners assume their web designer or hosting provider handled security. Sometimes they did. Often they didn't.
Your hosting provider gives you a server. They might include a firewall and basic DDoS protection. But they don't update your WordPress plugins. They don't set up security headers. They don't configure your email authentication records.
Your web designer built the site. They may have installed an SSL certificate and set up an admin account. But did they enable automatic updates? Did they remove the default admin username? Did they set up security headers? In most cases, no.
This gap is where the risk lives. The GDPR puts the responsibility on you as the data controller. You can't point to your hosting provider and say "I thought they handled it."
What to do right now
Don't try to fix everything at once. Start with the biggest risks.
Today: Check if your site runs on HTTPS. If it shows "Not Secure" anywhere, fix that first.
This week: Log into your CMS and update everything. Core software, plugins, themes. Enable automatic updates if your platform supports it.
This month: Change all passwords to strong unique ones. Set up two-factor authentication. Check your email authentication records. Review who has admin access and remove accounts that don't need it.
Run a scan: Our free website scan checks your site for security issues, GDPR compliance gaps, and other problems. You get a risk score and a list of what needs attention.
For the full compliance picture beyond security, check our GDPR compliance checklist.
Frequently asked questions
Does GDPR apply to my website if I don't sell anything online?
Yes. The GDPR applies whenever you process personal data of people in the EU. A contact form that collects names and email addresses is processing personal data. A newsletter signup is processing personal data. Even server logs that record IP addresses count. Whether you sell online or not doesn't matter.
Can my hosting provider be held responsible for a breach?
Your hosting provider is a data processor under the GDPR. They have their own obligations. But you are the data controller and you bear primary responsibility. If a breach happens because you didn't update your WordPress plugins, the hosting provider is not to blame. You need a data processing agreement with your hosting provider, but that doesn't transfer your own security obligations.
What counts as a data breach I have to report?
A data breach under the GDPR includes any accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. A hacked contact form where customer messages were exposed counts. A database leak counts. Even accidentally emailing a customer list to the wrong person counts. You must assess whether the breach poses a risk. If it does, report it to the authority within 72 hours.
Is an SSL certificate enough to be GDPR compliant?
No. An SSL certificate encrypts data in transit, which is one requirement. But GDPR Article 32 covers much more: access controls, software updates, backups, the ability to restore data after an incident. HTTPS is the bare minimum, not the finish line.
How do I prove I have "appropriate" security measures?
Document what you've done. Keep records of when you last updated your software, what security measures are in place, who has access to what and what backup procedures you follow. If a data protection authority ever investigates, they want to see that you thought about security and took reasonable steps. They're not looking for perfection. They're looking for evidence that you took it seriously.