Does Your Website Project Involve Personal Data? What Web Designers Need to Know

Annabel Kaye

Web design projects often look simple on the surface, but data privacy issues arise in them more often than many people expect. A new website, a redesign, or a migration to a new platform might seem like a purely technical job.

But many website projects involve something else entirely: personal data.

If a site collects enquiries, stores customer details, connects to email marketing systems, or uses analytics tools, personal data is often involved somewhere in the process. That means web designers and developers can find themselves working with systems that fall under data protection law.

Understanding where personal data appears in a website project can help avoid confusion, scope creep, and responsibility disputes between you and your client.

When does a website involve personal data?

Many web designers assume data privacy only becomes relevant if they are collecting personal data themselves. In reality, personal data often appears in website projects in ways that are easy to overlook.

For example, a website may involve personal data if it includes:

  • contact or enquiry forms
  • booking systems
  • ecommerce checkouts
  • email newsletter sign-ups
  • customer accounts or membership areas
  • analytics tools that track visitors

Even when the website owner collects the information, the systems used to build or maintain the site may still contain personal data.

That means web designers can easily find themselves working in environments where personal data exists — even if the project originally looked like a purely technical job.

A new website is very different from taking over an existing one

One area that often gets overlooked in web design data privacy discussions is the difference between building a brand-new website and working on an existing one.

If a designer is creating a new website from scratch, the project may initially involve only test data or placeholder content. At that stage there may be little or no real personal data involved.

But the situation changes completely when a designer takes over an existing website.

Existing sites often contain large amounts of personal data already — for example:

  • enquiry form submissions
  • customer accounts
  • order histories
  • mailing list integrations
  • analytics records
  • database backups

Even if the designer’s task is only to update the design, migrate the site, or troubleshoot a technical problem, access to those systems can mean personal data is visible during the work.

This is why it’s important to clarify what type of project is being carried out before the work begins.

A brand-new site and an existing site raise very different questions about access, responsibility and security.

“I only look at the data” – does that still count?

A common response from web designers is that they don’t process personal data, because they only look at it while working on a site.

Others say that the data may exist in the system but they don’t actually use it, so they assume data protection rules don’t really apply to their work.

In practice, the situation is not quite that simple.

Under UK GDPR, the definition of processing personal data is very broad. It includes activities such as accessing, retrieving or consulting personal data, not just collecting or storing it.

That means if a designer logs into a system containing customer information while testing a site, migrating a database or checking how a form works, personal data may still be visible as part of the process.

In other words, the question is rarely whether personal data exists somewhere in the system. The real question is who is responsible for it and how access to that data is handled during the project.

Clear agreements between the website owner and the designer help avoid confusion about who is responsible for what.

Who is responsible for data protection in a website project?

In most cases, the business that owns the website remains the data controller. This means they decide what personal data is collected, why it is collected, and how it will be used.

However, web designers often need access to the systems that hold that data while they are building, fixing or maintaining the site.

For example, designers may be given access to:

  • the website dashboard or CMS
  • hosting accounts
  • databases
  • email marketing integrations
  • analytics tools
  • ecommerce systems

Even if the designer is not responsible for the business’s overall data protection compliance, access to these systems can still expose personal data during the project.

In some situations, the web designer may also be acting as a data processor for the website owner. This can happen if the designer is given access to systems that contain personal data while building, migrating or maintaining the site.

For example, a designer might temporarily access customer records while testing a contact form, migrating a database, or connecting a website to email marketing software. In these cases the website owner normally remains the data controller, but the designer may still be handling personal data as part of the work.

Where that happens, it can help if the agreement recognises that the designer may act as a data processor for limited technical purposes during the project, or for longer if maintenance and hosting are the next step.

Clear agreements between the website owner and the designer help avoid confusion about what systems will be accessed and who remains responsible for protecting personal data.

How AI tools affect web design data privacy

Many modern website platforms now include AI tools that can generate copy, images or other content during the design process. Some hosting platforms, content management systems and website builders even offer AI assistants built directly into the dashboard.

While these tools can be useful, they also raise new questions about web design data privacy and responsibility.

For example:

  • what information the AI tool can access
  • whether website content or customer data is being analysed by the tool
  • where that data is processed or stored
  • who remains responsible for confidentiality and security

In some cases AI tools are simply generating text or images from prompts. In others they may analyse existing website content or connected systems.

This means both website owners and designers increasingly need to think about when AI tools are used during a website project and what information those tools can access.

Clear agreements help ensure everyone understands what tools may be used and what safeguards apply when AI is involved.

Why clear agreements matter in website projects

Many of the problems that arise in website projects are not technical problems at all. They are expectation problems.

Clients may assume the designer will handle certain aspects of the website, while designers may believe those responsibilities sit with the client or another service provider. This can become particularly complicated when personal data, system access or third-party tools are involved.

Clear agreements at the start of a project help define:

  • what work the designer will carry out
  • what systems the designer may access
  • whether personal data may be visible during the work
  • who remains responsible for compliance and security

These issues are particularly important when a designer is taking over an existing website that already contains personal data, rather than creating a brand-new site from scratch.

If you are trying to decide whether you need a web designer or a web developer, you may find this guide helpful:


And if you are working as a web designer — or hiring one — it is worth making sure your agreement properly reflects how modern website projects actually work, including access to systems, integrations, AI tools and personal data.

You can find more information about the Web Designer Terms and supporting documents here