Understanding The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new EU regulation that strengthens the rights of individuals regarding their personal data and establishes a single set of rules for this purpose across all EU states. Each state will have a Supervisory Authority (SA) to ensure that compliance is being met. The GDPR will come into effect on the 25th May 2018.

The regulation looks to ensure that users (termed Data Subjects) have as much information available to them as possible about how their personal data is being used and who is using it. This obviously encompasses data processed through websites and online systems (e.g. contact forms, checkouts, sign-up forms, membership accounts, CRM and booking systems, to name a few), systems that process user data for the purposes of marketing (e.g. Mailchimp) and website user tracking.

What constitutes ‘personal data’?

Personal data ranges from something as seemingly trivial as a computer’s IP address to more obvious data such as a name, email address or postal address.

Who’s who in GDPR

Essentially, the user/customer who is handing over their personal data is termed the Data Subject. Those who control the services through which this data is collected and processed are termed Data Controllers. If you own a website then you are the Data Controller. The service that processes the data (e.g. the website, Mailchimp) is termed the Data Processor. Ultimately it is the responsibility of the Data Controller to ensure that compliance with GDPR is met.

“It is the responsibility and liability of the Data Controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.” [3]

Does Brexit have any impact?

The UK’s decision to leave the EU will have no effect in the short to medium term regarding GDPR. The government has confirmed that the decision to leave the EU will not affect the commencement of GDPR. [1] The start date of the General Data Protection Regulation is, of course, before the proposed date of the UK leaving the EU. Furthermore, the government has already noted that once the UK has left the EU, existing EU laws will become UK laws to smooth the transition [2], so any immediate alteration to GDPR in the coming years is highly unlikely.

UPDATE: The UK government have now confirmed that The General Data Protection Regulation will be ratified in a bill to transfer to UK law. [8]

What do I have to do to be compliant?

Ensuring user data is secure

A big part of GDPR is ensuring any data you process about a Data Subject is secure. Encrypting the data in transit between the user’s browser and your server means that it cannot be easily intercepted. If your website is not fully served over HTTPS currently, then this is an obvious first step. There are other reasons why your website needs to be HTTPS compliant, and if your website isn’t then it really should be. You can read more about why your website should be HTTPS here.

It goes without saying that any data stored about an individual that is accessible through an online interface must be secured behind an appropriate access restriction, such as authentication, so that only authorised users can reach it.

Active, positive consent to opt in

The General Data Protection Regulation wants Data Subjects to have full transparency regarding the data of theirs that is being processed. A key part of this is to ensure that users know what their data will be used for. To ensure that this is done correctly, a user will have to proactively give consent to anything that processes their data and, if applicable, then stores that data. [4]

We can infer from this that even if your website has just a simple contact form then steps should be taken to not only process this data securely but actively seek a user’s consent before the form data is processed.

“Valid consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4).” [3]

It will no longer be possible to allow ambiguous types of consent such as “inferred from silence, pre-ticked boxes or inactivity”. [4] Positive opt-in has to be sought through a user actively ticking a check box. The information pertaining to how the data is processed should no longer be just part of a website’s general Terms and Conditions or Privacy policy pages. It should be individual to the consent being sought.

If we take the contact form example: if it has the dual purpose of emailing the form data to the Data Controller as well as adding the individual’s details to a Mailchimp subscribers list, then there should be two separate consents that the user actively agrees to. The first is that they consent to submitting the form and to what will happen to that data; the second is that they consent to being added to a Mailchimp subscribers list.
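As an added example (not code from the original article), the following Python sketch shows the server-side half of that dual-purpose form: each purpose has its own checkbox, a missing or pre-filled box is never treated as consent, declining the mailing list must not block the enquiry, and every consent given is recorded with the exact wording the user saw so the Data Controller holds evidence per purpose. The field names, the consent wording and the browser checkbox value `on` are assumptions for the example.

```python
"""Per-purpose consent handling for a dual-purpose contact form (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed value an HTML checkbox submits when ticked; an unticked box sends nothing.
CHECKBOX_VALUE = "on"

# Assumed consent wording shown beside each box, versioned so a record can
# later prove exactly what the subject agreed to.
PURPOSES = {
    "contact": ("v1", "I consent to my details being used to reply to this enquiry."),
    "newsletter": ("v1", "I consent to being added to the newsletter mailing list."),
}
# Assumed form field name for each purpose's checkbox.
FIELDS = {"contact": "consent_contact", "newsletter": "consent_newsletter"}


@dataclass
class ConsentRecord:
    subject_email: str
    purpose: str
    wording_version: str
    wording: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Outcome:
    process_contact: bool
    subscribe_newsletter: bool
    records: List[ConsentRecord] = field(default_factory=list)
    rejection_reason: Optional[str] = None


def ticked(form: Dict[str, str], purpose: str) -> bool:
    """True only when the purpose's box was actually submitted as ticked.

    A missing field (unticked, or a form that never showed the box) and any
    other value count as no consent: nothing is inferred from silence or defaults.
    """
    return form.get(FIELDS[purpose]) == CHECKBOX_VALUE


def _record(email: str, purpose: str, now: datetime) -> ConsentRecord:
    version, wording = PURPOSES[purpose]
    return ConsentRecord(email, purpose, version, wording, now)


def handle_submission(form: Dict[str, str], ledger: List[ConsentRecord],
                      now: Optional[datetime] = None) -> Outcome:
    """Decide what may be done with one submission and log the consents given."""
    now = now or datetime.now(timezone.utc)
    email = (form.get("email") or "").strip()
    if not email:
        return Outcome(False, False, rejection_reason="missing email")

    # Purpose 1: without consent to process the enquiry, nothing is processed or stored.
    if not ticked(form, "contact"):
        return Outcome(False, False, rejection_reason="no consent for contact processing")

    outcome = Outcome(process_contact=True, subscribe_newsletter=False)
    outcome.records.append(_record(email, "contact", now))

    # Purpose 2: separate box, separate record; declining it must not block the enquiry.
    if ticked(form, "newsletter"):
        outcome.subscribe_newsletter = True
        outcome.records.append(_record(email, "newsletter", now))

    ledger.extend(outcome.records)
    return outcome


def has_consent(ledger: List[ConsentRecord], email: str, purpose: str) -> bool:
    """Is there a live (not withdrawn) consent for this subject and purpose?"""
    return any(r.subject_email == email and r.purpose == purpose and r.withdrawn_at is None
               for r in ledger)


def withdraw(ledger: List[ConsentRecord], email: str, purpose: str,
             now: Optional[datetime] = None) -> int:
    """Withdraw consent for one purpose; the record is kept, stamped, as evidence."""
    now = now or datetime.now(timezone.utc)
    count = 0
    for r in ledger:
        if r.subject_email == email and r.purpose == purpose and r.withdrawn_at is None:
            r.withdrawn_at = now
            count += 1
    return count


if __name__ == "__main__":
    # Constructed submission: enquiry consent only, newsletter box left unticked.
    log: List[ConsentRecord] = []
    result = handle_submission({"email": "alice@example.com", "consent_contact": "on"}, log)
    print(result.process_contact, result.subscribe_newsletter, len(log))
```

The point of `ticked` is that consent is a positive act: the handler never defaults a purpose to "agreed", and the newsletter purpose is checked independently of the enquiry so the user can decline one without losing the other. Keeping withdrawn records rather than deleting them preserves the documentation the regulation asks for.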

What about existing user data?

It is up to Data Controllers to make sure that existing user data is compliant with the GDPR standard. This means that consent should be “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn”.

The same intent should be given to existing third party software records. For example, if you have a current Mailchimp subscribers list, then within the framework of the regulation a Data Controller should seek active re-consent of that subscribers list to make a new list of all fresh opt-in records. All other records should then be removed.

An audit of any historical data records that may not be actively used should be undertaken and fresh consent sought. If fresh consent is not obtained, the data should be removed.

Giving users access to their data

Under the General Data Protection Regulation, users have the right to obtain all information that is being held about them and how that information is being used. This can be handed over to the user by the Data Controller or made directly accessible to the Data Subject. If the data is not immediately accessible to the user, the information must be handed over promptly, “within one month of receipt” of the request. [5]

‘The right to erasure’

A Data Subject has the right to have all data pertaining to themselves deleted within specific circumstances outlined in GDPR. Key circumstances are outlined below:

  • The personal data collected is no longer needed for its initial purpose
  • When the individual withdraws consent
  • When the Data Subject objects to their data being used
  • When the personal data was processed unlawfully (not GDPR compliant) [6]

Data Portability

An individual has the right to move their personal data elsewhere and can request it in a file, such as a CSV, so that they can reuse it.
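The three rights above (access, erasure and portability) all come down to being able to find every record a site holds about one Data Subject across every system it processes data in. As an added example (not code from the original article), the Python below does that over a small in-memory store standing in for a site’s enquiries table and mailing list; the store layout, the `email` key used to match a subject, and the sample rows are all constructed for the example.

```python
"""Subject access, CSV portability export and erasure (added example)."""
import csv
import io
from typing import Dict, List

# Constructed sample data: what a site might hold across two processing activities.
# A real site would query its database, CRM and mailing-list provider instead.
STORE: Dict[str, List[dict]] = {
    "enquiries": [
        {"email": "alice@example.com", "name": "Alice", "message": "Opening hours?", "ip": "203.0.113.7"},
        {"email": "bob@example.com", "name": "Bob", "message": "Quote please", "ip": "203.0.113.9"},
    ],
    "newsletter": [
        {"email": "alice@example.com", "subscribed_on": "2018-01-15"},
    ],
}


def subject_access(store: Dict[str, List[dict]], email: str) -> Dict[str, List[dict]]:
    """Right of access: everything held about one subject, grouped by the system
    (processing activity) it lives in, so the answer also shows *how* it is used."""
    return {system: [row for row in rows if row.get("email") == email]
            for system, rows in store.items()}


def export_csv(store: Dict[str, List[dict]], email: str) -> str:
    """Data portability: one machine-readable CSV of the subject's records.

    Each row carries a `system` column so the subject can tell which activity a
    record came from; columns missing for a given system are left empty."""
    rows = []
    for system, items in subject_access(store, email).items():
        for item in items:
            rows.append({"system": system, **item})
    other_columns = sorted({key for row in rows for key in row} - {"system"})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["system"] + other_columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def erase(store: Dict[str, List[dict]], email: str) -> int:
    """Right to erasure: remove the subject's records from every system.
    Returns how many records were removed, which is useful evidence of the action."""
    removed = 0
    for system, rows in store.items():
        kept = [row for row in rows if row.get("email") != email]
        removed += len(rows) - len(kept)
        store[system] = kept
    return removed


if __name__ == "__main__":
    print(export_csv(STORE, "alice@example.com"))
    print("removed", erase(STORE, "alice@example.com"))
```

Because `erase` and `export_csv` both go through `subject_access`, adding a new processing activity to the store is enough for it to be covered by all three rights, which is the property worth preserving when this is wired to real systems.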

How can I demonstrate compliance?

Data Controllers should have the following accessible information:

  • Information accessible on the website about each data process and its purpose, which an individual can reference and access.
  • Data Protection Officer: A Data Controller should appoint a Data Protection Officer within the company that is accessible to any individual or Supervisory Authority requesting information on their data or the data policy of the company. This contact information should be accessible to individuals on the website.
  • Information about security measures the company adopts.
  • Active ‘opt-in’ consent mechanisms on each data process.
  • To hand, all evidence of individual data processes and evidence of consent for each.

Data breaches

If there is any identifiable breach of data then the Data Controller must be informed, and must in turn inform the supervisory authority within 72 hours of becoming aware of the breach. Failure to notify of breaches can result in a fine of up to 10 million EUR or 2 per cent of global turnover. [7]

Non-compliance

If compliance with the General Data Protection Regulation is not met then there are a number of sanctions that can be enforced. These are as follows:

  • A written warning in the case of a first and non-intentional non-compliance.
  • Periodic data protection audits.
  • A fine of up to 10 million EUR or up to 2% of annual worldwide turnover, whichever is greater.
  • A fine of up to 20 million EUR or up to 4% of annual worldwide turnover, whichever is greater.

If there were no other reason to become GDPR compliant, the last two bullet points should make your decision fairly easy.

For more reading around the subject of GDPR we would suggest looking at the following resources.

  1. https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
  2. http://www.bbc.co.uk/news/uk-politics-39439554
  3. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
  4. https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/
  5. https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/
  6. https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-erasure/
  7. https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/
  8. http://www.bbc.co.uk/news/technology-40826062