The General Data Protection Regulation (GDPR) is a new EU regulation aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the wider world. Essentially it says to businesses and organisations “If you want to offer your services or products to customers who are EU citizens, you better make sure you look after their personal data or else!”

Anyone who collects and processes personal data (defined by the GDPR as a Data Controller or Processor) will be required to comply with the new regulations . As well as organisations who run websites or apps, this also includes any organisations who use internal databases, CRMs or email.

If you haven’t already please take a look at this short explainer video we produced outlining the GDPR – 12 STEPS TO TAKE NOW

The GDPR comes into effect on 25th May 2018

The full GPDR is a massive document but we have outlined some of the most pertinent points in as straight forward a way as we can below.

One data protection regulation to rule them all

The GDPR is a single set of rules that apply to all EU member states with each member state designating a Supervisory Authority (SA) to oversee and ensure compliance of the legislation. SAs will work closely together by virtue of the cross-border nature of digital data.


A significant part of the GDPR is about transparency and informing data subjects (individuals) about what and how their personal data is being used, by whom and for how long. GDPR requires data controllers to state what data is being processed and for what reasons. Additionally, they are required to inform data subjects about how long the data will be stored for. They must also state who the subject should contact with regards to any part of the data controller’s data processing actions.


Provable consent must be explicitly given to the data processor by the data subject before their data can be processed. Additionally, the data must only be used for the purposes that consent has been given. EG if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list. Verifiable consent must be given by a minor’s parent or guardian before their data can be used. Consent must be able to be withdrawn by the data subject at any time.

Pseudonymisation or anonymisation?

The GDPR makes reference to something called pseudonymisation. Put simply, this is a process to transform data in a way that stops it from being attributed to a data subject (an individual) without the use of additional information. An example of this might be using a unique reference ID for someone rather than their name when storing their data in a database. A second table of names and corresponding IDs stored on a separate system would then be used to join the tables together and recreate the data. In this way if a data breach occurred and the personal data was stolen, the data wouldn’t expose actual names just the additional data.

“Pseudonymisation” of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.

“Anonymisation” of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Although pseudonymisation has many uses, it should be distinguished from anonymisation, as it only provides a limited protection for the identity of data subjects in many cases as it still allows identification using indirect means. Where a pseudonym is used, it is often possible to identify the data subject by analysing the underlying or related data.
Data which has been irreversibly anonymised ceases to be “personal data”, and so it can be retained and used without having to comply with the Data Protection Acts. In principle, this means that organisations could use it for purposes beyond those for which it was originally obtained, and that it could be kept indefinitely.
An often mentioned example of pseudonimisation is encryption whereby data is held in an encrypted fashion and requires a key (stored separately) to decrypt it. Websites that use HTTPS send data over an encrypted connection so you could say that if your website has an SSL certificate you’re on your way to GDPR compliance but the data in the database itself is likely stored unencrypted so if the database was breached the personal data would still be exposed. So going froward it will be essential to ensure personal data  is stored in a truly pseudonimous way, by your website CMS.

Data Breach

The GDPR requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonimised data) within 72 hours. Further information on the reporting of a data breach can be found on the Information Commissioner’s Office website.


Any organisation that processes personal data (the data controller) on a significant scale must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance of the GDPR regulations within the organisation. Even if you don’t feel that your organisation falls in to this category we think that it is a good idea to appoint a DPO for your organisation. This person can keep data protection high on the organisation’s agenda and ensure that GPDR compliance is achieved and then maintained.

Right of deletion

Under the GPDR a data subject has the right to erasure of their data. This means that if an individual asks you to remove their data from your systems you have to comply. All backups, all references to, etc. etc. Lock, stock, the whole lot.

Privacy by design

Another significant part of the GDPR is the idea that digital systems include privacy by design (also referred to as privacy by default). Put simply, a users privacy should be fully considered at the very core of any digital system. By default, privacy settings should be set to their highest level with a user given options to downgrade this if they choose to. As many social media users know, social networks often work in the opposite way to this! Data controllers should also be ensuring that data is only being processed when absolutely necessary.


The GDPR replaces the data protection directive from 1995. It was adopted on 27th April 2016 and comes in to force on 25th May 2018.


Wrong! Firstly, when the GDPR comes in to effect the UK will still be a part of the EU albeit one that is beginning the withdrawal process. Secondly, the UK will adopt all EU legislation immediately after Brexit. During this time, currently being called The Great Repeal Bill, the EU laws will be rewritten inline with Britain’s new position outside of the EU. Thirdly (because you needed another reason right?), unless you are planning on denying access to your services, products etc. to any EU citizens or residents then you will need to comply with the GDPR or face the consequences.


The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover (based on figures from the the preceding financial year), whichever is the greater.!!


The GDPR would call these systems third party data processors. They are processing the data controller’s data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.


Undertake a personal data audit

A personal data audit will help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first and which are third party data processors.

For each data processor consider the following:

  • What are you using the data for?
  • Where is the data being stored?
  • Do you still need the data?

For each of the third party data processors, check their respective privacy policies and make sure that they are GDPR compliant. US-based data processors should be Privacy Shield compliant. If the third party is not yet compliant with GDPR or Privacy Shield contact them and find out if and when they plan on becoming compliant. In the unlikely situation where a third party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider. In this situation you should also ask the current provider for a copy of the data that they hold for you and then insist that they securely delete your data from all of their digital systems including backups.

Remember, data is a liability to you so, unless you need to keep the data, we recommend deleting it.

Detail the personal data audit on your website’s privacy policy page.

As we’ve already mentioned, a big part of GDPR is communicating to your users about how and why you’re collecting and using their data. So tell them. Be clear and concise and give them a way to request a copy of it or have it deleted if they wish. Take a look at our own privacy policy to see how this looks in action.

Strengthen the weakest links

During your personal data audit any weaker parts of your website should come to light. An example could be the non-compliant third party data processor as described above. Other examples could be insecure (unencrypted) email accounts or website traffic. Another example might be contact form submissions that have been saved to your website’s database. These have likely long since been acted on or replied to so they no longer need to be kept. Whatever the weak links are you should aim to strengthen or remove them.

If you are storing personally identifiable data in your website then you really need to be working towards pseudonymising this data. This is quite a technical undertaking and you may need some advice to ensure this can be achieved with your website CMS.

Employ or designate a Data Protection Officer (DPO)

A DPO is an individual or individuals designated by the Data Controller to be responsible for monitoring internal compliance of the GDPR within the organisation. This could be a specifically trained employee within the data controller’s organisation or a position that is out-sourced. Unless you are carrying out large scale processing of personal data a suitably informed in-house member of staff should be perfectly sufficient for this role.

Final thought

The GDPR might seem intimidating and over the top with a maximum fine heavy enough to give business owners t a sleepless night or two but it’s important to remember where it comes from. At it’s core, the GDPR is about protecting people like you and I from the myriad of unscrupulous internet data stalkers The internet is still a largely unregulated space that needs far greater levels of international legislation; the GDPR is a significant contributor to this. So remember, the GDPR will help the internet to evolve further, as an even better environment for doing business safely, within the increasingly connected world!

The ICO has produced some useful checklists and self assessment tools to help you evaluate your risks and ensure you are compliant.
We hope this information helps you to become compliant and please let us know if we can be of any further assistance.