Do I Need an SSL Certificate to Be GDPR Compliant?

May 3, 2018

The short answer is yes: most websites need an SSL certificate (in practice a TLS certificate, used to serve the site over HTTPS) to be GDPR compliant, but it depends on what information your website collects.

Does Your Site Collect Any Information from Your Users?

If your site collects and stores any information from your users, it is a safe bet to have an SSL certificate on your site so that the information is encrypted in transit between the user's browser and your server.

The GDPR does not specifically say that every site needs an SSL certificate in order to be compliant. It does, however, make you responsible as a data controller or data processor for keeping personal data secure: Article 32 requires appropriate technical and organisational measures, and explicitly names encryption of personal data as one of them. Serving your site over HTTPS is one such measure, because it stops anyone on the network path between the user and your server from reading or altering the data that users submit.

This information could be collected from users via sign-up or contact forms, and could be as simple as a name, an email address, or a phone number.

Even information this simple is personal data and still needs to be secured; without an SSL certificate every form submission crosses the network in plaintext, which only increases the risk of a data breach. If your site is an eCommerce site that takes user payment information such as bank details, an SSL certificate is a necessity. Bear in mind that the certificate only protects data in transit; how you store the data and who can access it once it reaches your server is a separate obligation under the GDPR.

My Site Does Not Collect Any Information from My Users

Even if your site is a static HTML page that sells no services and has no contact or sign-up forms to collect information from your users, it is still a good idea to have an SSL certificate. In this scenario, however, an SSL certificate is not necessary for GDPR compliance.

We still recommend an SSL certificate because, from July 2018, the Google Chrome 68 update will display a “NOT SECURE” warning in the address bar of HTTP sites (sites without an SSL certificate).

This matters because Google Chrome already holds 56% of the global browser market share, so a lot of visitors could leave your site after seeing a “NOT SECURE” warning and concluding that it is unsafe.

