New data protection regulation is coming in May 2018 — are you ready?

by | Maratopia News, e-Commerce News

GDPR protection

Under the EU General Data Protection Regulation (GDPR), your organisation’s legal data protection responsibilities are about to change significantly.

The new legislation enforces new rules about the way data is collected, used, stored and shared, and it applies to SMEs as well as large multinationals and public sector entities.

GDPR succeeds the current Data Protection Act 1998 (DPA) and it will be enforced regardless of Brexit.

The aim of GDPR is to give citizens more control over their personal data and to simplify the regulatory regime for business in a tech-driven era where massive volumes of data are processed daily.

By May 2018 the EU and Information Commissioner’s Office (ICO) expect your firm to be fully compliant, and possible fines for breaches can run into millions of Euros.

So taking a few firm steps towards GDPR compliance should keep you safe and sound.

Does it affect me?


Whether you’re a sole trader or large corporation, compliance is mandatory.

It applies to all of the personal data about individual people collected and processed in its territorial scope, whether this data is stored electronically or on paper.

These principles apply under the current regime and will still apply under GDPR.

Key Terms

The ICO’s glossary of key data protection definitions will get you up to speed with the status quo. All these terms are still used in the same manner under GDPR.

What’s changing under GDPR?

The current data protection principles require that personal data:

  • is processed fairly and lawfully
  • is kept accurate and up-to-date and processed in a way that’s relevant
  • is used only for the manner in which it was intended for
  • is not excessive
  • is processed in consideration of an individual’s rights
  • is protected by appropriate security measures
  • is not transferred to territories outside the EU that don’t apply adequate data protection measures.

These principles still apply under GDPR, with some important tweaks.

GDPR extends the definition of personal data to include genetic data like DNA, biometric data, location data and online identifiers like information gathered from an online service that could identify the person, for example social media logins, check-ins, purchase histories and analytics records.

Pseudonymous data is a new definition covering data where the personal identifying data is removed and stored separately.

GDPR requires stricter privacy policies, more efficient reporting of data breaches, more stringent awareness of processing children’s data and more awareness of consent.

Subject Access Requests (SARs) currently allow individuals to request that organisations confirm if their personal data is being processed, the purposes and categories of any data being processed and the recipients of the data and the logic behind any automatic processing decisions made using the data.

Requesters are also entitled to a copy of their data held in any form, although it’s likely that personal information of third parties will be redacted.

The same right applies under GDPR but organisations can typically no longer charge a fee. The lead time for completion is now a month instead of 40 days and additional information including retention periods should be included.

In simple terms, this means that your data protection lead or information governance officer might become significantly busier with SAR duties.

How do I prepare for these changes?

Privacy by design ensures that data protection considerations are built into every process, project and procedure a business undertakes, so protection of personal info is always prioritised.

This concept was best practice under DPA but wasn’t mandatory.

But under GDPR, privacy by design is enforced by law.

The ICO’s 12 step guide to GDPR preparedness is a must-read, but you can get started right now by taking these three crucial steps:

Designate a Data Protection Officer

Depending on the size of your organisation and the nature of your operations, you might need to employ a suitably qualified Data Protection Officer (DPO).

If you’re not sure whether you need to designate a DPO, the best advice is to presume you do.

Some firms won’t need to employ a DPO, but it’s still crucial that an internal member of staff adopts the role of information governance/data protection lead and is trained formally and appropriately.

Firms who don’t need a full-time DPO are still regulated by the same rules and to the same standards. Fines for non-compliance can be 20 million Euros or four per cent of global turnover.

Whatever sector you operate in, it’s worth at least investing in training a current staff member so they can develop expertise in this area and ensuring they’ve enough support and time to oversee, implement and enforce your data protection policy.

Complete a data protection audit

You might not know what information your organisation currently holds, where it’s held, why you have it and how long you should hold it for.

Performing an audit using the GDPR definitions, ICO advice and your own data protection policy as guidance allows you to check whether you’re compliant right now.

If you find shortcomings after your audit, you’ll recognise the areas of improvement that can be remedied immediately.

After all, it’s preferable for you to ensure you’re running a tight ship rather than hearing about failings following an ICO investigation.

Inform customers, clients and stakeholders about consent and legal basis

In almost all cases, an individual’s consent is required if you’re going to collect and process their data.

If consent isn’t required then your use of their data must be justifiable by law.

In either case, you should make your GDPR compliance, consent and/or the legal basis for collecting any data crystal clear to any data subject at any point it’s collected.

If you already have consent systems in place under DPA, these should be replaced and updated with the relevant GDPR information.

If you haven’t considered GDPR preparedness, these three steps will set you on the right footing and ensure peace of mind before May 2018.

Author: Stephen Harvey-Franklin Steve Harvey-Franklin

More From Us

How Does A Remarketing Campaign Benefit My Business?

How Does A Remarketing Campaign Benefit My Business?

Whether you're a small business, or a well established corporate chain, remarketing campaigns can benefit every business model from the ground up. Your remarketing efforts can greatly impact your customer reach positively, and help to target potential customers who...

Top Tips for Working From Home: The Maratopia Edition

Top Tips for Working From Home: The Maratopia Edition

The popularity of remote working has grown massively over the last few years, with the Covid-19 pandemic playing a huge part in encouraging us to turn our dining tables into makeshift office space. However, in the years since we have been coaxed back into a normal...

How Is the Cost of Living Crisis Affecting Businesses?

How Is the Cost of Living Crisis Affecting Businesses?

There's no denying that the impact of the cost of living crisis on businesses is a scary concept, whether you're a high-flying high street brand, or a smaller local company trying to build your brand and keep your business afloat amongst rising energy bills and other...

5 Tips to Increase Your Website Conversions

5 Tips to Increase Your Website Conversions

Increasing your conversion rate is one of the most important things you can do as a business; conversion is the process of converting visitors to your website into customers. Conversions aren’t just when your customers buy a product from you either. Your conversion...

5 Times Brands Had Us Fooled On April 1st

5 Times Brands Had Us Fooled On April 1st

April Fools’ Day is an annual celebration of all things comedic. And like any annual occasion that comes but once a year, it’s a great opportunity for brands to have fun with their audiences. Not to mention, it’s a prime time for viral marketing stunts, and brands...