HeX-plaining General Data Protection Regulations (GDPR)

Our Digital Marketing Executive, Ben, simplifies GDPR and supplies you with everything you need to know about it

Welcome to the first of our HeX-planations series of blogs, where we’ll be explaining everything from user-centric design to accessibility, in ways that are understandable and without any jargon.

Today our Digital Marketing and PR Executive, Ben, describes the new European General Data Protection Regulations.

Why do we need the new GDPR laws?

Currently, the EU and all businesses that operate in the European Union are governed under the Data Protection Directive (DPD). This Directive covers each sector from agriculture to manufacturing to professional services – if data is collected and you’re operating in Europe, this is the law you’ve got to be aware of.

The downside to this directive is that it was written in 1995. Although amendments have been made over the years, when it was written there were significantly fewer ways of gathering data and transferring it internationally, and only 20% of households had a home computer. GDPR has been created to update the laws and bring them into the here and now.

Who will be affected by GDPR?

As I mentioned briefly above, the DPD regulates all businesses that operate or have a server in the EU. However, the brand-new GDPR laws coming into force on 25th May 2018 mean that the following will need to follow the regulations set out by the GDPR:

  • Non-EU companies offering services to EU citizens
  • Non-EU companies who monitor EU citizens
  • EVERY EU business
  • Non-EU businesses who have a business property in Europe.

And if you think you don’t need to be concerned about GDPR thanks to Brexit, you’d be mistaken. Even if one EU citizen visits your website in a year, you’ll still need to be GDPR compliant; the same applies if you sell one product to anyone in the EU. Essentially, there are ways to avoid being compliant once we leave the European Union, but you have to ask yourself if the risk is worth it… and it’s probably not.

Changes made in the GDPR:

  1. It broadens the definition of personal data – beforehand this just covered contact details such as email addresses, home addresses and phone numbers, but it has now been expanded to include IP addresses and other personally identifiable data. For example, if you have ANY data that would allow a person to be singled out by looking at the data, it needs to be protected.
  2. Core Privacy Principles – data subjects (people whose data is being collected) need to be made aware that their data is being collected, so businesses need to be transparent about their processes. Businesses should only hold data for a ‘reasonable’ amount of time (I know, this is very subjective) and cannot collect unnecessary data (over-collecting).
  3. Increased record keeping and accountability – Businesses need to keep a record of where, when and how data was collected and be able to be held responsible for it.
  4. Strengthened data subject rights to privacy – essentially this lays out clearly that people have a right to have 100% of their data removed from a company’s database. Similarly, people are allowed to request ALL data that a company has on them. This includes internal emails in which they are mentioned.
  5. Larger organisations need to implement Data Protection Impact Assessments – this is essentially manufacturers ensuring that any product they make or design is able to keep people safe digitally.
  6. A Data Protection Officer needs to be appointed – this is the person who is responsible for the company’s collection of data, and who is the main contact for those who wish to discuss anything data related. Don’t panic if you’re a small business – you can incorporate this into another staff member’s role.

Fines and Sanctions

Many have called the fines and sanctions that are being brought in unfair. Currently, the fines for serious data breaches equate to £20 million or 4% of a business’s annual global turnover – whichever is higher!

GDPR also gives increased power to the Data Protection Authority, meaning they have the power to enter any business and demand to see the way it processes data and any supporting information. They can impose severe sanctions should they discover your processes are not living up to what is laid out in GDPR. Some of these sanctions could be notices, reprimands or a definitive ban from sending or collecting data at all.

However, if an organisation is ‘making steps towards becoming compliant’ then the Information Commissioner’s Office (the people in charge of the regulation of data in the UK) have said that they ‘will work with the organisation to make further steps to becoming compliant.’ So as long as you are making a conscious effort to become GDPR compliant, you don’t need to panic.


If you want help becoming GDPR compliant, we can work with you to get you there. Just get in touch with us.