GDPR... a layman's summary

You might’ve heard of “GDPR”, the new privacy and data protection law that has come in across the EU? The General Data Protection Regulation is a law designed to protect individuals’ rights to privacy, enabling people to find out what a company knows about them and to request changes, corrections or removal from the company’s records. GDPR is an EU law, and it specifically protects European Union citizens…

So your first thought, like mine, might be that it shouldn’t affect you if your business is outside the EU, right? Well, it seems that it certainly does if you store information on *anyone* who has had residency in an EU country. That probably includes anyone from an EU country browsing your website: if you’re tracking users on your site with a tool such as Google Analytics, your website is using cookies to keep track of activity, and that falls under the GDPR rules.

What Happens if you Ignore It?

A small business operating outside the EU and not engaged in marketing or selling into the EU may well get away with little or no special treatment. However, there’s a very real risk in that approach, because any individual can instigate an enquiry, the consequent fines are hefty (4% of gross revenue), and fines are collected globally.

So What Does It Entail?

GDPR is designed to protect people’s rights regarding how companies store and use information about them.

Here’s my layman’s understanding of some of the key requirements and implications, but don’t take my word on it — I would strongly advise legal advice be sought.

The principles are:

Accountable: You are accountable for what data you collect and how you process it. In practice this means only capturing data that you have a proper, demonstrable need for. So, for example, if you don’t need to know someone’s birthday, don’t store it.

Data Protection: You must hold a person’s data safely and securely whilst it is in your care, which in practical terms means it should be encrypted and password protected. Insecure practices such as storing passwords in plain text would be a failure. Moreover, you must notify the authorities and the people affected if there is a data breach.

Right to Know: You have to provide a way for people to request a copy of everything you know about them, in a timely fashion (which I believe is nominally defined as 72 hours).

Right to Erasure: People have a “right to erasure” or to be ‘forgotten’, which means you have to permanently and completely remove the information you have about them. An individual also has the right to request an amendment to correct inaccurate or incomplete data.

Data Portability: There is also a right to transfer data — a person can ask for their data in an easily machine readable format (say a spreadsheet or CSV file), which they can give to another provider.

Actions

There seem to have been some crazy reactions across the internet to this law in particular. You might have noticed a couple of things: many websites now insist that you “accept” their cookie policy, and back in May you’d have noticed a sudden influx of emails asking whether you want to stay on various companies’ mailing lists and/or announcing new terms of use.

We’d advise you to seek some solid legal advice on what you need to do to comply. We can help with that process by providing information to take to your legal counsel on exactly what data you’re capturing or tracking with your website or web application.

The actions you’ll need to take might be fairly straightforward, though not always. Typically you might need to:

  • Add a Cookie policy and acceptance mechanism to your website.
  • If you’re storing information and marketing to people, you must ask them to explicitly “Opt In”, and even once they have it must be just as easy to opt out at any time.
  • Ensure you’re protecting data appropriately by encrypting your database, ensuring databases are protected by strong passwords or authentication, and by never storing passwords in plain text.
  • Capture nothing more than the data you really need to — do you really need to know the cat’s name?
  • Provide a system for customers to find out everything you know about them.
  • Allow customers to request to be ‘forgotten’ and have a process that completely deletes them from your systems. You even have to delete the email or record of the request asking to be deleted; however, before you do, you need to be certain that the person requesting deletion is in fact the owner of the data! It gets tricky…
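The password, export and erasure points in the list above are easier to see in code than in prose, so here is a small illustration, added to this summary and not code from the original post or from any particular product: a hypothetical in-memory customer store that keeps a salted PBKDF2 hash rather than the password itself, refuses fields it has no stated need for, hands a person back everything it holds on them as CSV, and, once the requester has proved control of the account, erases every record tied to them, including the erasure request itself. The store, its field names and the sample customer are all constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import os

# Iteration count for PBKDF2-HMAC-SHA256; a deliberately slow hash makes a leaked
# credentials table expensive to attack. Tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm, iterations, salt and digest.
    The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class SubjectStore:
    """Hypothetical customer store keyed by email address (constructed for illustration)."""

    # Data minimisation: the only optional field this service has a stated need for.
    ALLOWED_EXTRA_FIELDS = {"country"}

    def __init__(self) -> None:
        self.records: dict[str, dict[str, str]] = {}   # email -> profile fields
        self.credentials: dict[str, str] = {}          # email -> password hash
        self.requests: list[dict[str, str]] = []       # log of data-subject requests

    def register(self, email: str, name: str, password: str, **extra: str) -> None:
        unexpected = set(extra) - self.ALLOWED_EXTRA_FIELDS
        if unexpected:
            # The cat's name has no business purpose here, so it is never written.
            raise ValueError(f"refusing to store unneeded fields: {sorted(unexpected)}")
        self.records[email] = {"email": email, "name": name, **extra}
        self.credentials[email] = hash_password(password)

    def export_csv(self, email: str) -> str:
        """Right to know / portability: everything held about the person, as CSV.
        The credential hash is a security artefact, not profile data, and is not exported."""
        record = self.records[email]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(record))
        writer.writeheader()
        writer.writerow(record)
        return buf.getvalue()

    def holds(self, email: str) -> bool:
        """True while any record at all still references the person."""
        return (
            email in self.records
            or email in self.credentials
            or any(r["email"] == email for r in self.requests)
        )

    def erase(self, email: str, password: str) -> bool:
        """Right to erasure. The requester must prove control of the account first;
        on success every record tied to the person is removed, the request log included."""
        self.requests.append({"email": email, "action": "erase"})
        stored = self.credentials.get(email)
        if stored is None or not verify_password(password, stored):
            return False  # the rejected request stays on record for audit
        del self.records[email]
        del self.credentials[email]
        self.requests = [r for r in self.requests if r["email"] != email]
        return True


if __name__ == "__main__":
    store = SubjectStore()
    store.register("ann@example.com", "Ann Example", "correct horse battery")
    print(store.export_csv("ann@example.com"))
    print("wrong password erased:", store.erase("ann@example.com", "guess"))
    print("right password erased:", store.erase("ann@example.com", "correct horse battery"))
    print("anything left:", store.holds("ann@example.com"))
```

The identity check here is the simplest one available, the account password; a real erasure workflow for someone who has forgotten their password or never had an account needs a separate verification step, which is exactly the “it gets tricky” part of the list.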

And most of all, be aware of it, read up on the subject, and seek legal advice from a qualified lawyer who is up with the play.
