General Data Protection Regulation


What is it?

This is the long needed update to the 1995 Data Protection Act and this new regulation aims to protect individuals from having their private information used without consent or in a manner that they were not privy to. It also aims to make companies more accountable for sensitive personal data and its protection.

Generally speaking this new legal regulation is good news for us as individuals. Technology has grown very rapidly whilst regulation has been lagging well behind. I find it strange to find myself telling you that this is good news because regulation isn’t traditionally thought of as a positive thing when it comes to innovation and creativity but progress cannot be at the cost of an individual’s privacy and well being.


Breaches of the regulation can incur a fine of up to 4% of annual global turnover or €30 million (whichever is greater) so it’s worth taking some time to consider if you should be making any adjustments to your business.

Your first question must be does this affect me?

You need to take action if you store information on individuals e.g. their name, email address, date of birth, computer IP address, bank details, etc. This is normally termed as personal data. This applies to both the entity who determines what this data is used for and the entity that does the processing. When I say processing, this could also include storage. Therefore if you ask for personal data from your customers or you process your client’s data (which happens to include personal data) then you need to take action.

This is nothing new, but how it is applied has changed. It now applies to the processing of personal data by companies in the EU regardless of where that takes place. It also covers the processing or storage of data relating to an individual who resides in the EU.

So if your company is in the EU, you are responsible for any personal data that you use regardless of where the processing takes place. If your company is outside of the EU but you provide services for persons within the EU then this regulation also applies to you.

What do I need to do?

Make sure that all the personal data that you collect is pertinent to your business, i.e. don’t collect data that is not needed. Minimise what information you need to store.

  • Ask your customers for their consent in plain English, not in long legalese in small print mixed up with other matters. Make it simple for those who give their consent to withdraw it. Parental consent is needed for children under the age of 16.
  • Ensure that your system has privacy built in by design and not as a patch to an existing system. i.e. Use a system that is proven to be secure and make sure that you keep it up to date with all security patches as soon as they are released.
  • Your customer’s data needs to be easily transferable from your system. If your customer would like to move their data to another provider then this is their right. If they wish you to delete their data from all areas of your system then you need to be able to do so.

Notably, this regulation applies to cloud service providers as well as those who use these services so make sure that you know that the data you use is compliant wherever it is processed. If you use a provider outside of the EU, you need to make sure that they are aware of these new regulations and be sure that they will adhere to regulations too.

Do I need to employ a Data Protection Officer?

You only need a Data Protection Officer if your core activity is the processing and/or monitoring of personal data on a large scale or of that relating to criminal activities.

What happens if my business gets targeted by hackers and data is stolen?

Well it doesn’t have to be a hacker that can compromise your business. Data theft can also be undertaken by employees too so you need to make sure that your systems and policies take all of this into account.

If this nasty event does occur then you are best owning up as soon as possible. The regulations stipulate that notification of a breach must be done within 72 hours of you first becoming aware. When you think about the length of time Talk Talk or Yahoo took to notify their customers of their data breach, you can understand why.


But we’re leaving the EU so is this really relevant to me? Well, we aren’t leaving until 2019 at the earliest and it is very likely that the UK will implement a regulation largely similar to that of the GDPR. So I would say, yes, this is still relevant to your business.

Climbing Turn logo

Clear understandable advice from Climbing Turn

Give us a call on +44 (0)1438 791010

Let's talk

Other blog items

AI UK opening address at the Conversation Stage

AI UK 2024

The AI UK Conference held on the 19th and 20th of March 2024

IT Business owner has just had a great idea

Should you be selling something else?

Victorian Cash Register

Engage your website visitors

What is your number one service or product?

The terminator from the film of the same name

Teaching Ethics to AI

I will be back!

The blockchain visualised as a metaverse of objects

Blockchain Consensus for change

It's More than Just Crypto Currency

AI image created from text: Black stallion creates thunderbolt of business innovation

How AI Benefits Business

5 Business Benefits of AI

Storage at London Drum Company

London Drum Company New Site Launch

Online Drum and Percussion Hire

Cartoon image of a spy

How much do you share?

Privacy at a bus stop

Example of a Google Analytics page

Google Analytics

MAMP setup

How to use MAMP (Mac Apache MySql php)

How to run multiple projects simultaneously with MAMP

Image of Desktop and mobile views of site

Introducing BTR International

International move management services

DragonVet Branding

DragonVet: a Hand-crafted Digital Presence

Make your message clear

Images from the How and Why website

How and Why has Launched

A website made to stand out from the crowd

Merlin Logo

Merlin Engine API builder

Get Ready… It’s Almost Here!

Criminal stealing you data

How to prevent Phishing

Phishing is associated with a particular type of nasty fraud.

Lasting Impressions for Expression Engine v4

Lasting Impressions for ExpressionEngine

Lasting Impressions is ExpressionEngine 4 ready!

Skull and crossbones

Cyber Security

Five tips on how to keep your business safe

Key Performance Indicators

Is Your Website Rubbish?

How to measure its success online

Make your customers happy

Top tips to woo customers

Things that customers love

Customer Satisfaction

Top mistakes that lose you customers

Top 5 mistakes to avoid when publishing on the internet.

EU and British Flags

Is your Web Site Ready for Brexit?

Leaving the EU will bring both threats and opportunities

Whack a Witch

Primary School Children Code HTML

Climbing Turn blog image

Curse of the Brochure Site

Missing the opportunity

Climbing Turn blog image

A Web “Page”

It’s NOT a page!

Climbing Turn blog image

Expression Engine MSM and CartThrob

Using the same channel to sell items on different sites

Climbing Turn blog image

Exceptionally Dull Weirdos

This is a response to Willard Foxton's recent article on the Daily Telegraph blog

Climbing Turn blog image

The Website Machine

What is a website?