
What is GDPR: General Data Protection Regulation


The General Data Protection Regulation, or GDPR, is a series of rules that have been put in place with the aim of protecting EU citizens from breaches in data and privacy. Any organisation that is involved in the processing of data, irrespective of Brexit, is required to conform to these guidelines or put themselves at risk of some very high fines.

This guide sets out, in 10 steps, the key points of GDPR and what your company needs to know about it.

Seek Permission

The very first thing you are required to do, and therefore the most important point, is to seek permission to store personal data, and this permission must be given freely by your customers. It must be obtained through a positive opt-in; consent must never be assumed, so silence and pre-ticked boxes do not constitute permission. Ensure that you have a process in place that is easy to understand and gives customers the option to deny permission, for example by sending an email to customer support.

The GDPR lists a number of rights for individuals as follows:

  • The right to be informed
  • The right of access
  • The right to erasure
  • The right to rectification
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making and profiling

GDPR introduces a number of changes, so it is important that you examine your existing procedures and ensure that you are ready for them. Remember that any personal data you hold must be kept in a structured, machine-readable form.

Privacy Notices and The Right to Complain

There are some additional things you will need to apprise people of under GDPR. These include the fact that any individual has the right to make a complaint if they feel that the way you are handling their data is inappropriate. You should also tell people your data retention periods.

The bottom line is that you should review any privacy notices you have in place and arrange to make any changes necessary.

Be Aware of your Data

Your whole team needs to understand exactly what types of personal data you hold. They should understand where it has come from and, more importantly, who it is shared with. Under GDPR you must keep records of all processing activities relating to this data, and if you hold inaccurate data on your systems there may be consequences.

This will ensure that you comply with the accountability principle that underpins GDPR. This principle requires every organisation to be able to demonstrate how it complies with the rules, which means showing that you have effective policies and procedures in place.

Data Requests and Access

Your procedures will also need to be updated to show how you deal with subject access requests under the new rules:

  • In most instances, you will be unable to charge for dealing with a request
  • Currently you have 40 days to comply; under GDPR this becomes one month
  • For requests that are deemed excessive or clearly unfounded, you have the option to refuse or to charge a fee

If you reject a request, you must inform the individual of your reasons and of their right to make a complaint, and you must do so within one month.

Breaches in Data

Under GDPR, all organisations have a duty to report certain kinds of data breach to the ICO. In some circumstances they may also be required to report the breach to the individuals affected. The ICO must be notified whenever the breach is likely to present a risk to an individual’s rights and freedoms.

Such a risk might be, for example, financial loss, damage to reputation, loss of confidentiality, discrimination, or any other social or economic disadvantage.

Where a breach is likely to place an individual’s rights and freedoms at high risk, you must also contact the people concerned directly to inform them.

You must have effective measures in place for detecting, reporting and investigating breaches. If you fail to report a breach in time you may be fined, and there may be a separate fine for the breach itself.

Processing Personal Data

You need to give some thought to the lawful basis under which you process personal data; many organisations will not have done this. Under the current law this has few practical repercussions, but under GDPR some individuals’ rights depend on the lawful basis you rely on, which makes it matter.

The most noticeable example is that individuals have a stronger right to request that their data be deleted.

Your lawful basis should be explained when you respond to a subject access request. The lawful bases under GDPR are broadly the same as the conditions for processing in the DPA.

You should be able to review the types of processing activity you carry out and identify the lawful basis for each.

Data Protection Officer (DPO)

You are required to name a member of your team as the DPO if:

  • You are an organisation that carries out regular and systematic monitoring of individuals on a large scale
  • You are a public authority (except a court acting in its judicial capacity)
  • You are an organisation that processes special categories of data on a large scale, e.g. health records or information about criminal convictions

If you fall into one of these categories, it is vital that someone within your organisation, or a data protection advisor from an external company, is made responsible for your data protection compliance.

It is important that this individual has the required knowledge, authority and support to do this properly.

Data Protection Supervisory Authority

If your company is active in more than one EU state, you will need to determine your lead data protection supervisory authority. This will be the state in which your central EU administration is located, or in which decisions about the processing of data are taken.

If you do not carry out cross-border processing this is not relevant.

Training and More Training!!

All of your team members will need to understand the new regulations, especially those who work directly with customer and client personal data, including business developers, email marketers and so on. Your team must also understand the impact that GDPR has on resources.

About WP Design

We’re a London web design and WordPress development agency that creates innovative websites and effective digital marketing campaigns to help London businesses grow. Our address is: WP Design, 20 Jerusalem Passage, Farringdon, London EC1V 4JP.

About the Author

Barry Reynolds

Barry Reynolds is a London based web designer and WordPress developer that creates innovative websites and effective digital marketing campaigns to help London businesses grow.
