Preparing your Business for GDPR

Laura Cooper

It’s happening – the UK’s 20-year strong data protection laws are undergoing a renovation to bring them up to speed with a rapidly evolving digital landscape.

With this massive overhaul comes a sense of nervousness amongst many brands and professionals. The important date to mark with a massive red circle in your diary is May 25th, 2018, which is when the new General Data Protection Regulation is rolled out across Europe.

The impetus behind the changes is the fact that digital infrastructure has transformed so much since the 1990s, when the current data protection laws were written – in theory, the GDPR creates regulations that are fit for modern use.

With GDPR looming over all industries, there will be a series of new obligations that put the onus on you and your company to meet them.

While a lot of data protection principles will remain largely the same – we’ll look at what’s changing, take you through what to look out for, how to educate yourself and make your business GDPR-ready.

As well as our guide, we recommend reading through the full text of GDPR to familiarise yourself with the 99 articles, setting out the responsibilities of companies and new consumer protections.

It’s a pretty long read but this will give you full detail and comprehensive info – we’ll take you through some of the bigger changes below:

What on earth is GDPR?

GDPR is basically a massive exercise in compliance and adherence. Elizabeth Denham, the UK’s Information Commissioner calls the new law an ‘evolution’ instead of a revolution – running with the idea that this is an extension and update of data protection regulation, created in 1995 by the EU and adopted by member states.

Each EU country also has its own national laws – in the UK this is the Data Protection Act, rolled out in 1998.

The way that companies and marketers collect data, store data and use data has changed immeasurably, so the new EU-wide directive is looking to give individuals and users more rights when it comes to their data privacy and create a more transparent framework.

Pretty much every type of industry and company that handles personal information (schools, charities, brands) will be affected by GDPR, which is why there’s been such a large-scale reaction and sense of anxiety around the changes.

You can take a look at what qualifies as ‘personal data’ here; under GDPR it’s info that can readily be used to identify someone.

Any company that controls or processes data will be affected by GDPR.

GDPR has been a long time coming: after almost 4 years of negotiations between EU bodies, it was announced in May 2016, which has given companies a 2-year preparation period to update their processes in time for the rollout in May 2018.

In the UK, GDPR will be regulated and enforced by the Information Commissioner’s Office, which will have a new fining system at its disposal to ensure companies are adhering to the rules and individuals’ rights are protected.

Brexit has obviously changed things a *little* bit, so GDPR will come under a new act created by the British government, called the Data Protection Bill.

It’s largely the same as the EU’s GDPR model, but with small differences. The bill needs to pass through the House of Commons and the House of Lords though before it’s enshrined in law.

What’s different about GDPR compared to current data protection laws?

As we mentioned earlier, Elizabeth Denham, the UK’s Information Commissioner, insists that GDPR isn’t in place to trip companies up; it’s an extension of current laws and regulations.

GDPR aims to catch up regulations with rapid digital change.

Let’s take a quick look at some of the key new aspects included in GDPR that you need to look out for:

Key new aspects

  • Consumers will have better access to the data that companies hold about them, leading to more transparency for individuals. Users will be able to request their data free of charge.
  • Current data protection laws already use largely the same definitions of personal data and sensitive personal data as GDPR will. Personal data is basically info that can identify a person, like a name or address. Sensitive data is political views, sexuality etc.
  • BUT pseudonymization is a massive theme in GDPR: the regulations basically encourage companies to transform data in a pseudonymized way that makes it difficult to attribute pieces of data to a user without further identifying info, e.g. a unique reference ID.
  • There are far more repercussions under GDPR when companies breach the rules – there will be a robust fining system that will punish companies that do not provide correct data when called upon, are not storing data in the right way, or are generally uncooperative.
  • GDPR urges much more clarity from companies about what they’re using data for and about their process for seeking permissions and consent from customers.
  • The responsibility is firmly in the court of companies to report data breaches and contact their country’s data protection regulator. Companies must report breaches within 72 hours and inform the customers it affects.
  • In some specific circumstances, judged case by case, customers may be able to request that a company discards their data if the company cannot prove what purposes it is using it for and if it is no longer in use or there is no reason to keep it.  *This could have massive implications for companies, so this will be an interesting development to keep an eye on.*

What your Company can do

GDPR raises the game for companies when it comes to accountability and transparency.

When you look at the amount and frequency of large-scale data breaches in the last few years, it’s pretty alarming, and clear that there need to be changes.

Especially when companies conceal breaches – for example, in 2016 Uber was hacked and millions of customer and employee details were compromised.

However, Uber hid this from customers and employees, and it was only revealed a year later.

Under GDPR, there are much clearer guidelines for companies when their data is breached and more stringent repercussions if they fail to comply.

GDPR arguably brings more power back to the people. At the moment, people and public bodies can submit a Subject Access Request, for which a £10 fee can be charged to access their data; under GDPR this fee is scrapped.

Even if your company isn’t huge, get clued up on your data processing and how your company does this.

Make sure you have the correct documentation that can be shown to authorities if you need to.

This includes:

Correct Documentation

  • Why people’s data is being kept – intent
  • Descriptions of info being held
  • How long data is held for
  • Descriptions of security measures to protect data

If you’re not really sure where to start, then commission impact assessments or enlist the help of an experienced data protection contractor.

We recommend assigning a Data Protection Officer. This doesn’t have to be someone from outside your company; you can give someone on your team this role.

Make sure that they have the skills and correct training to carry this out though.

They must be familiar with data processes and what happens if there’s a breach – your data protection officer will be responsible for reporting breaches and handling requests from customers.

They must keep the correct documentation at all times and create a system that tracks and records your data usage and collection, so they won’t come unstuck.

Start putting data protection policies in place. If you don’t already take data protection seriously enough – start using best practices.

This is your chance to professionalise your approach to data protection.

Change your business mindset in terms of data – be more transparent and open to giving users more knowledge and control over their data. So create positive opt-ins and clearly ask for users’ consent before using their data.

Be prepared for customers that may request the information your business has collected about them.

Your business will need to provide the information within a month. Ensure you have processes in place to protect individual rights: create documents detailing how you’d go about deleting data or providing data to users, e.g. in which format.

Make your Website GDPR-ready

Before you do anything, ask your data protection officer or contractor to carry out a data audit.

This is where you can identify gaps in your knowledge and processes and replace third-party apps that aren’t preparing to be compliant with GDPR.

A data protection officer will also scrutinize the links and ways that your website has collected data in the past. They’ll look at who has access to your data, who you share it with, where your data comes from and how you manage it.

Make sure there is info on your website about HOW and WHY you collect user data and you must ask for consent to add users to your mailing lists etc. when you get a query through your website.

Think of this as building a ‘consent experience’ for your users.

Update your privacy policies on your website and explain why your company has a lawful basis for collecting data.

  • We can’t emphasise enough how much you need to focus and concentrate on making your policies as trustworthy and explicit as possible. If you don’t, you can risk losing data.

With GDPR, users will have the right to erasure of their data

  • Ensure you do this when asked and be aware that people can withdraw their consent at any time too – even if they’ve agreed to hand over data before. A good rule of thumb is if it doesn’t make sense to continue using a user’s data then delete it.

GDPR focuses on the idea of pseudonymized data and states that “pseudonymization is a central feature of ‘data protection by design’.”

This basically means splitting your records so that an ID in one data set has to be matched against a second data set before it makes sense. It separates the data from the identifiers that make it possible to link that data to an individual.

This means that if one data set is breached then hackers can’t find out who users are without both data sets.

One data set is effectively useless without the other.

Work on transforming your data in ways that make it more difficult to access and improve data anonymization.

In fact, GDPR incentivises data controllers to transform data in this way by relaxing some requirements on companies that use the technique, i.e. “Controllers do not need to provide data subjects with access, rectification, erasure or data portability if they can no longer identify a data subject.”
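As an added illustration of the split described above (example code written for this article, not the project's own): the constructed records below are kept as two separate data sets, a vault that maps a random reference ID to a person's identity and a working data set holding only the reference ID and non-identifying fields. Erasing the vault entry severs the link while the working record stays usable, which is the relaxation the quote above refers to; all names and values are made up for the example.

```python
import secrets
from dataclasses import dataclass, field

# Fields that would let someone link a record to a person; they never go
# into the working data set, only into the vault.
IDENTIFYING = {"name", "email"}


@dataclass
class PseudonymisedStore:
    """Two data sets: `vault` maps reference ID -> identity, `records` maps
    reference ID -> the non-identifying data the business actually works with."""
    vault: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def ingest(self, name, email, **data):
        # A random token, not a hash of the email: a hash could be recomputed
        # from a guessed address, which would re-identify the record.
        ref_id = secrets.token_hex(8)
        self.vault[ref_id] = {"name": name, "email": email}
        self.records[ref_id] = {k: v for k, v in data.items() if k not in IDENTIFYING}
        return ref_id

    def subject_access(self, email):
        """Subject access request: join the two sets while the mapping exists."""
        for ref_id, ident in self.vault.items():
            if ident["email"] == email:
                return {**ident, **self.records[ref_id]}
        return None

    def erase(self, email):
        """Right to erasure: drop the vault entry. The working record remains
        but can no longer be attributed to anyone, so it is no longer personal."""
        for ref_id, ident in list(self.vault.items()):
            if ident["email"] == email:
                del self.vault[ref_id]
                return ref_id
        return None


def identifiers_exposed(records):
    """What a breach of the working data set alone would reveal: the set of
    identifying field names present in it (expected to be empty)."""
    return {k for rec in records.values() for k in rec if k in IDENTIFYING}


if __name__ == "__main__":
    store = PseudonymisedStore()  # constructed sample data
    store.ingest("Ada Example", "ada@example.com", plan="pro", spend=42)
    print(identifiers_exposed(store.records))  # set()
    print(store.subject_access("ada@example.com"))
    store.erase("ada@example.com")
    print(store.subject_access("ada@example.com"))  # None
```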

Third Party Data Processing

  • If you use lots of third-party data processing apps like MailChimp etc., then they should be putting GDPR processes in place and preparing for it too. This is especially relevant for apps and companies you use that are based outside the EU. In an ideal world, they should all be more than aware of GDPR compliance and will have been making preparations, but it’s still worth checking and contacting the apps you’re not sure about. Most of the bigger companies will be on top of this process.

The maximum non-compliance fines for GDPR are 20,000,000 euros or up to 4% of annual turnover, so in theory, companies outside the EU will be very keen to get it right!

Questions that remain…

There are lots of insightful, educational resources to take a look at and get to grips with GDPR.

The Information Commissioner’s Office has come up with their own guide and aspects of GDPR you should be aware of. We really recommend reading it through thoroughly.

A few issues that are still a little unclear are:

Still unclear…

  • Who and what qualifies as having ‘legitimate business interests’ to access data? This definition can affect customer consent – when do advertisers need consent to process data and when can they use ‘legitimate business interests’ to avoid asking permissions? Hopefully, more clarity will be provided. Steve Wood from ICO sets out some ideas in an ICO blog post.
  • The debate over ‘legitimate interests’ and what this means makes it more difficult to create watertight data protection processes. There should be some more updates coming from ICO to cover the patchier details.
  • There will also be certain exemptions for special circumstances. So far, added GDPR protections are planned for journalists, researchers and anti-doping agencies.
  • Think about your data collection policies when it comes to children too. Is it relevant for your company to verify individuals’ ages before the collection of data and seek parent or guardians’ consent too?

But overall – if you’re a company that’s complying with existing data protection laws already, GDPR shouldn’t be too disorientating for most industries.

It’s a wake-up call for everyone to examine their data collection/usage processes and update their policies.

In short, GDPR will give more protection to consumers and give more rights to individuals over their data.

This means that your company needs to reframe how it thinks about data and transparency.

Be prepared to rigorously assess your company in terms of compliance and adherence.

In the long-term, this will be a really good thing for brand safety, the content experience and hopefully improve trust between consumer and company.

Stay transparent and trustworthy, and in a more volatile digital space make sure you have the processes and preparation in place to protect customer data and respond to breaches.

Make sure everyone in your company, from top to bottom, is on board with GDPR.

If you’re looking for more advice, ICO is creating a phone service for small businesses – giving answers and clarity.

And as we’ve included in this article, we recommend reading through the full GDPR regulation and the ICO guide.