Recommended Agency

text controls: text only | A A A

Sorry, our twitter status is currently unavailable, posted 41 minutes ago

RSS feed icon What is RSS?


articles tagged with: gdpr

Displaying all 3 articles

GDPR What does this mean for businesses?

If you’ve read our other posts on the GDPR - Introduction to GDPR and What it means for Individuals - you’re probably well informed about the basics. If you haven’t, here’s a brief overview to start you off.

The General Data Protection Regulation (GDPR) is the replacement for the Data Protection ACT (DPA). It comes into effect on the 25th May 2018 and is regulated by the Information Commissioner's Office (ICO) in the UK. Although the GDPR does share a lot of similarities with the DPA, there are some significant changes that will need thought and preparation in order to adhere to and avoid complaint or fines.

At first glance GDPR may seem like a regulation that will affect only web companies, but really it’s a change for all businesses that hold people’s personal details -  from commerce to banking; from recruiters to universities and hospitals. 

GDPR will mean big changes to how you gather, hold and share contact information but this transition doesn’t need to be painful, there are some steps you can start taking right now that will help the process run smoothly. 

Following the guidelines from the Information Commissioner's Office (ICO) we’ve outlined a twelve step checklist.

Step 1: Awareness

Decision makers and key people in your organisation should be aware that the data protection laws are changing. You could also hold a knowledge share to get the whole staff on board - everyone needs to appreciate the impact this is likely to have and help to identify areas that could cause compliance problems under the GDPR. If you have a risk register, this would be a great place to start.

Many organisations, especially those with larger or more complicated structures may have to take on extra staff in order to adhere to and maintain the GDPR.

Step 2. Information you hold
Do you know what personal data your organisation holds? Do you know where it’s held and who is responsible for sourcing and updating it? Every business will need to know this information to comply with the GDPR’s accountability principle. 

A great starting point is to conduct an information audit across the organisation. The GDPR will require you to keep records of how you process personal data; if you’ve passed incorrect data on you’ll need to make sure whoever’s using it now has the correct information. Getting a handle on what personal data you hold, where it came from and who you share it with now will mean proper data protection principles will be second nature by the time the GDPR comes into force. 

Step 3: Communicating privacy information

If you have a privacy notice, now would be a great time to update it. If you don’t have a privacy notice, you need to find out how your organisation is communicating who you are and what you’re going to do with the personal data you’re collecting. There are many online tools that can help you to write your Privacy Notice.

Under the GDPR you will need to give people more information when you collect personal data, such as your lawful basis for processing the data, how long you intend to hold onto it and that they can complain to the ICO if they think there’s an issue with how you’re handling their data. You need to explain this in concise, easy to understand language and it can’t be buried somewhere at the bottom of the page. The ICO’s Privacy notices code of practice has been updated to comply with the requirements of the GDPR. 

Step 4: Individuals’ rights 

As covered in our post on the individual’s rights under the GDPR, Individuals rights will include

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

For the most part, these are similar to the individual’s rights under the Data Protection Act (DPA) but there have been some significant upgrades. If your organisation already accommodates the DPA rights, the transition to the GDPR should be fairly seamless. This is a great opportunity to check that you meet the eight rights above and upgrade your processes if you’re not quite there yet.

One process to check is what you would do if someone contacted you and said they wanted their personal data deleted from your system. Who has the authority to delete that data? Would your system allow it to be located easily? Did you pass the data on to anyone else? If the data needed to be moved to another company, is it in a standard, machine-readable format?

If you have data from years ago collecting dust in ad hoc spreadsheets now would be the time to discuss with your organisation if it’s time to streamline your database. 

Step 5: Subject access requests
People may ask to access their personal data and they have every right to but there are some guidelines on how this will work under the new regulation.

Currently organisations have 40 days to comply with a data request - this will be one month under the GDPR and, in most cases, you will not be able to charge for this. You can refuse requests that are unfounded or excessive but you must explain why. The individual then has a right to complain to the supervisory authority.

If your organisation gets a lot of requests for access, think about if you would be able to meet these within the new timeframe. if not - what systems could you put in place to either speed things up or let individuals easily and securely access their own data online?

Step 6: Lawful basis for processing personal data
You need to know why your organisation collects personal information and what your legal basis for processing it is. 

This may not have been something you’ve thought about before but you’ll need to know - if you don’t have a strong reasoning, an individual has every right to ask you to delete their personal data (see Step 4) and you must respect their wishes. 

If your CRM, website or company address book is full of contact details that you’re not using, discuss auditing the information now to save your organisation time after the GDPR.

Step 7: Consent

You may currently ask for consent when you acquire personal data but how is this information managed? Could you find a record of the consent if asked? 

Check if your consent process meets the GDPR standard and refresh it if it doesn’t.

Consent must be freely given, specific, informed and unambiguous. Opt-in must be positive and consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be kept separate from other terms and conditions, and withdrawing consent should be simple.

Step 8: Children
Most organisations will have a very clear idea of whether or not they hold the personal data of children on file so will know whether or not this will affect them. 

However, under the GDPR, you will need to the consent of a parent or guardian to process the data of anyone under the age of 16 (this may be lowered to a minimum of 13 in the UK) so it would be worth finding out how you verify the age of anyone you collect personal data from. If you do collect children’s personal data, you could make sure that your privacy notice is written in language that can be understood by someone under 16. 

Step 9: Data breaches
The ICO takes data breaches very seriously and some organisations are already required to notify them when they suffer a personal data breach. Under the GDPR all organisations will be 
likely to result in a risk to the rights and freedoms of individuals.

If the breach could result in an individual facing discrimination, damage to reputation or financial loss (for example) you will have 72 hours to notify the ICO and you may need to identify the individuals at risk too. Failure to report a breach could lead to a hefty fine as well as a fine for the breach itself. 

For a lot of organisations this is the most concerning aspect of the changes the GDPR will bring with it - whether your company is large or small, it would be a good idea to discuss what you would do in the case of a data breach and think about putting procedures in place for everyone to follow if they suspect one.

Step 10: Data Protection by Design and Data Protection Impact Assessments
Privacy by Design has always been a good idea but under the GDPR it will be a legal requirement. This means that privacy and data protection compliance are considered from the start of a project through to the end. Privacy Impact Assessments (PIAs) are a good way to determine whether you’re working in a way that promotes Privacy by Design. Under the GDPR PIAs will become ‘Data Protection Impact Assessments’ (DPIAs) and will be mandatory under certain circumstances.

A DPIA is required when data processing is likely to put individuals personal data at risk e.g. where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is processing on a large scale of special categories of data. If a DPIA shows that the data processing is high risk, and you can’t address those risks, you will have to consult the ICO to seek its opinion on whether the processing operation complies with the GDPR.

The Article 29 Working Party has details on how PIAs can link to other processes such as risk management and project management.

Step 11: Data Protection Officers
Organisations such as public authorities, large businesses or companies that carry out the regular and systematic monitoring of individuals on a large scale should appoint a Data Protection Officer (DPO). 

The DPO will be responsible for data protection compliance and will be an authority on both what the ICO requires for your organisation to meet the GDPR and the data processing procedures within your organisation. This is an important role and appointment should not be taken lightly. The DPO will need to be fully supported by the team to be able to work effectively.

Step 12: International
If all your offices are in the UK and you only conduct business here then you only need to adhere to the information provided by the ICO.

If you conduct business in more than one EU member state, you need to figure out who your lead data protection supervisory authority is. Whichever EU State your main office is in (or wherever your main processing decisions are made) they will be the authority in charge of GDPR for the region.


It could be argued that it doesn’t make sense for UK companies to overhaul their systems to meet EU legislation when the UK plans to leave the EU in the next two years. However, GDPR will come into effect in May 2018, long before Brexit officially happens so UK companies will not be exempt from GDPR legislation.

In October of 2016, Karen Bradley, secretary of state for Culture, Media and Sport was quoted as saying "We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."

Click here to see our Intro to the GDPR

Click here to find out what the GDPR means for Individuals

If you would like to talk about changes you can make to your company website in relation to GDPR, call us on 0117 9498008 or email

For more details on the GDPR, see the ICO website

Frances Smolinski

Created on Wednesday May 16 2018 04:03 PM

Tags: gdpr

Comments [0]

GDPR - What does this mean for individuals?

The General Data Protection Regulation (GDPR) is coming into force on the May 25th 2018. The GDPR is widely viewed as good news for individuals. It will be easier than ever before for you to take control of your personal information and the privacy of your data.

You’ll be able to decide who you want processing your information and who you don’t - it should be as easy to withdraw consent as to grant it.

The Information Commissioner's Office (ICO) has laid out clear rights that the GDPR will give everyone. Under this new regulation you now have the following rights -

• the right to be informed -
If a business wants your data, you have a right to know why, if they’re already using it you have the right to know where they got it from. The GDPR aims to take the power over your personal information from the hands of businesses and put it back into yours. 

• the right of access -

Provided you’re asking for a valid reason and your requests aren’t repetitive to the point of nuisance, you have the right to access the information an organisation has on you, free of charge.

• the right to rectification -
If you discover that a business holds your personal data and it’s incorrect or incomplete, you can request that they change it and they must rectify the error within 1 month of that request.

• the right to erasure -
A.K.A ’the right to be forgotten’ - if an organisation has no significant reason to keep your data they must delete it if you ask. The hope is that this will go some way to stopping nuisance calls and spam emails in their tracks.

• the right to restrict processing -
If an organisation has to keep your data (e.g. for legal reason or reference) you can still block it from being processed any further. If the company does use that data or pass it on, you will be able to report them to the relevant supervisory authority (the ICO in the UK)

• the right to data portability -
Changing service providers can be a surprisingly difficult and overwhelming errand at the best of times but, under the GDPR, If you want to move bank, insurer or even social media site all your personal data must be provided in a common, easy to access format, for free, within a month.

• the right to object -
Under the GDPR, you have the right to object to your data being held, processed, or being used to profile you for direct marketing. Just one more way in which the GDPR aims to give individuals back control of their information. 

• the right not to be subject to automated decision-making including profiling -
Often companies will use data to make assumptions about a customer or even a potential customer. These assumptions can be harmless but they can also become annoying or even upsetting. Under the GDPR, a company may not use your data to predict personal details such as health, personal preferences or location.

Moving Forward

As an individual, you don’t have to do anything to prepare for the GDPR but it is important to know your rights once it comes into force and to speak up if your data’s being mishandled.

A lot of businesses are getting ready right now, so you will start to see or have already seen sign up pages with more information than before, you may also have seen emails asking you to confirm if you still want to be on mailing lists. It’s going to be a big change but it should be a positive one.

Click here to see our Intro to the GDPR

Click here to find out what the GDPR means for Businesses

If you would like to talk about changes you can make to your company website in relation to GDPR, call us on 0117 9498008 or email

For more details on the GDPR, see the ICO website

Frances Smolinski

Created on Tuesday May 08 2018 03:51 PM

Tags: gdpr

Comments [0]

GDPR - what does it all mean?

The Data Protection act is changing. From the 25th of May 2018 the EU is giving people more control over who holds their information and what they can use it for. This change is due to the General Data Protection Regulation (GDPR) which, in the UK, will be managed by the Information Commissioner's Office (ICO).

After the GDPR is in place websites will no longer be able to hold someone's details without their consent and will have to delete these details if asked. This is to give the public more control over their personal information as well as a say in the quality and quantity of the information they receive and who is able to contact them personally.

This new regulation also hopes to improve privacy, eliminate data profiling and protect children - parents/carers would need to give permission to process data of anyone under 16 years of age.

Unlike previous versions of the Data Protection Act (DPA) the GDPR will be strongly reinforced in order to promote accountability and governance.  Businesses will have to adhere to a 72 hours deadline for reporting data breaches as well as paying hefty fines if found to be in violation of the GDPR - fines of up to 4% of Global Annual Revenue or €20 million, whichever is greater.  Businesses that hold a large amount of data will have to appoint a Data Protection Officer (DPO) although it will be considered best practice for all businesses to appoint one.


As the United Kingdom will still be part of the EU when the GDPR takes effect in May 2018, UK businesses will also need to be ready. As any business worldwide who does business within the EU will have to follow these regulations, it's likely that the UK will pass a similar regulation post Brexit to encourage continued trade with the EU.

Put Simply

You'll be able to have your data stored by who you want, where you want, when you want. No company will be able to stop you from asking them to 'forget' your name, phone number, email address, physical address or any sensitive information about you. If you want to move service such as bank account or doctor, it will be made easy for you, the format of the information will be universal and the switch must happen within one month.

Click here to see what the GDPR means for Businesses

Click here to find out what the GDPR means for Individuals

If you would like to talk about changes you can make to your company website in relation to GDPR, call us on 0117 9498008 or email

For more details on the GDPR, see the ICO website.

Frances Smolinski

Created on Tuesday May 01 2018 03:43 PM

Tags: gdpr

Comments [0]