Website SSL certificates and the GDPR

Do I need an SSL certificate on my website to be GDPR compliant?

An "SSL certificate" lets your website serve pages over HTTPS, which encrypts information as it travels between your customer's browser and your web server so that only those two ends can read it. Anyone trying to snoop on or capture the traffic in between is left with unintelligible garbage. This is "encryption", and it is one of the technologies the GDPR encourages.

However, as no-one (except governments!) routinely captures information as it moves across the internet, the risk is small.

SSL certificates are installed on your web server (the computer your website lives on) by your hosting company or web designer, and they must be renewed before they expire to stay effective.

The GDPR states:

"if you are storing personal data, or transmitting it over the internet, we recommend that you use encryption and have a suitable policy in place, taking account of the residual risks involved."

To me, the key point is "taking account of the residual risks" - internet snooping is rare and reasonably hard to achieve at scale. I believe that in the absence of case law on this matter, if you are not collecting high-risk information or holding information on huge quantities of individuals, the risk to your customers' privacy caused by not using an SSL certificate is extremely small. So small that it cannot be stated that a certificate is required to be GDPR compliant.

In summary: SSL certificates are cheaper than they used to be and a good idea. However, for most small businesses (that don't collect high-risk personal information and don't hold information on hundreds of thousands of individuals) I believe that the risks to customer privacy are so small that a certificate is not required.

Check with your web designer or web host - if they can provide an SSL certificate for free using "Let's Encrypt" then have one installed, otherwise consider it based on the costs involved.
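Because a certificate only protects your visitors while it is valid, the one check worth repeating is whether it has expired or is about to. The script below is an added example, not code from the original page: it classifies a certificate as ok, due for renewal or expired, and can fetch a live site's certificate over a verified TLS connection. The `SAMPLE_CERT` dict is constructed in the layout `ssl.getpeercert()` returns and is not a real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the dict layout ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
    "notBefore": "Mar  3 12:00:00 2030 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamps that getpeercert() emits."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(cert: dict, now: Optional[datetime] = None) -> int:
    """Whole days until the certificate's notAfter; negative once it has expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    return (parse_cert_time(cert["notAfter"]) - now).days


def certificate_status(cert: dict, now: Optional[datetime] = None, warn_days: int = 14) -> str:
    """Classify a certificate as 'expired', 'renew-soon' (inside the warning window) or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "renew-soon"
    return "ok"


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): connect over TLS with chain and hostname
    verification and return the server certificate in getpeercert() form."""
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(certificate_status(cert), f"({days_remaining(cert)} days left)")
```

Run it with a hostname argument to check a real site; the default warning window of 14 days is an assumption, so set it to match your renewal process.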