What is GDPR: General Data Protection Regulation


The General Data Protection Regulation, or GDPR, is a series of rules that have been put in place with the aim of protecting EU citizens from breaches in data and privacy. Any organisation that is involved in the processing of data, irrespective of Brexit, is required to conform to these guidelines or put themselves at risk of some very high fines.

This guide sets out, in 10 steps, the key points of GDPR and what your company needs to know about it.

Seek Permission

The very first thing you are required to do, and therefore the most important point, is to seek permission to save personal data, and this permission must be given voluntarily by your customers. This should be done via positive opt-ins: consent must never be assumed, so silence and pre-filled boxes do not constitute the giving of permission. Ensure that you have a process in place which is easy to understand and offers customers the option to deny permission; this could be in the form of sending an email to customer support.

The GDPR lists a number of rights for individuals as follows:

  • The right to be informed
  • The right of access
  • The right to erasure
  • The right to rectification
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision making and profiling

GDPR introduces a number of changes, so it is important that you examine your existing procedures and ensure that you are ready for them. Remember that any personal data you do hold must be kept in a structured, machine-readable form.

Privacy Notices and The Right to Complain

There are some additional things you will need to apprise people of under GDPR. These include the fact that any individual has the right to make a complaint if they feel that the way in which you are handling their data is inappropriate. You should also advise people of your data retention periods.

The bottom line is that you should review any privacy notices you have in place and arrange to make any changes necessary.

Be Aware of your Data

Your whole team needs to understand exactly what types of personal data you hold. They should understand where it has come from and, more importantly, who it is shared with. Under GDPR you must keep records of any processing activities relating to this data; if you hold inaccurate data on your system there may be consequences.

This will ensure that you are in accordance with the accountability principles that govern GDPR. These principles maintain that all organisations should be able to demonstrate how they are in compliance with the rules. This means showing you have policies and procedures in place that are effective.

Data Requests and Access

Your procedures will also need to be updated to show how you deal with requests under the new rules:

  • In most instances you will be unable to charge for dealing with a request
  • Currently you have 40 days to comply; this will now be one month
  • For requests that are excessive or clearly unfounded, you have the option to refuse or to pass on a charge

When you choose to reject a request, you must inform the individual making it of your reasons and of their right to make a complaint; this should be done within one month.

Breaches in Data

All organisations have a duty to report certain forms of data breach to the ICO under GDPR. In some circumstances they may also be required to report these breaches to the affected individuals. The ICO must be notified when the breach is likely to present a risk to an individual’s rights and freedoms.

This might be, for example, financial loss, damage to reputation, loss of confidentiality, discrimination or any other social or economic disadvantage.

In those cases where a breach may place the individual’s rights and freedoms at high risk, you must contact the people concerned to inform them.

It is necessary to have effective measures in place for detecting, reporting and investigating breaches. If you fail to report a breach at the appropriate time you may be fined, and there may be a separate fine for the breach itself.

Processing Personal Data

You need to give some thought to the lawful basis under which you process personal data – many organisations will not have done this. It has few practical repercussions under the current law, but under GDPR the rights of some individuals will change, which makes it matter.

The most noticeable example is that individuals have a greater right to request that their data be deleted.

All of this should be explained when you respond to a subject access request. The lawful bases under GDPR are broadly the same as the conditions for processing under the DPA.

The types of processing activity you carry out should be reviewable, and your lawful basis for each should be identifiable.

Data Protection Officer (DPO)

You are required to appoint a member of your team as DPO if:

  • You are an organisation carrying out regular and systematic monitoring of individuals on a large scale
  • You are a public authority (except a court acting in a judicial capacity)
  • You are an organisation that undertakes large-scale processing of special categories of data, e.g. health records or information regarding criminal convictions

If you belong to one of these categories then it is vital that someone within your organisation, or a data protection advisor from an external company, is made responsible for your data protection compliance.

It is important that this individual has the required knowledge, authority and support to do this properly.

Data Protection Supervisory Authority

If your company is active in more than one EU state, you will need to determine your data protection supervisory authority. This will be where your central EU administration takes place, or where decisions governing the processing of data are made.

If you do not carry out cross-border processing this is not relevant.

Training and More Training!!

All of your team members will need to understand the new regulations, especially those who directly handle customer and client personal data – including business developers, email marketers and so on. Your team must understand the impact that GDPR has on resources.

Barry Reynolds

Barry Reynolds is a director at WP Design with many years of experience in web design, WordPress development and digital marketing.
