The Nine Series, No. 2. General Data Protection Regulation.

Sarah Doney Sarah Doney


Businesses and organisations cannot survive without data. Whether that data concerns employees, customers or third parties, it is crucial to your continued success, growth and everyday activities.

The General Data Protection Regulation (GDPR) is the new EU regulation that is being enforced to better protect our personal data. The GDPR is a document of some size… 

...however, below are 'nine' GDPR basics with your website’s data collection in mind:


1. Who does the GDPR effect and when does it come into force?

Anybody who collects, stores and/or processes an EU citizen’s personal data. So regarding your website, this may be personal information collected through e-commerce or ticketing processes or a simple newsletter sign-up.

The GDPR will come into effect on the 25th May 2018.

2. Does the GDPR still apply to UK companies since it is leaving the EU?

Yes. The UK is most likely to still be an EU Member State at the end of May 2018 and it is suspected that the UK will either implement GDPR, or very similar legislation, to ensure that it can continue to receive EU personal data.

3. How do we start considering the effects of the GDPR on our website?

Look at your website and consider all the ways that personal data is collected and used. Make a list of these considering both 1st and 3rd party data processors… 

  • 1st party processors - you/your website and the data it is collecting and you are storing.
  • 3rd party processors  - this is data that is processed on your behalf. Examples might include payment gateways, website analytics or email distribution services.

4. Make it clear what the data is being used for.

Much of the GDPR is about being transparent when it comes to the collection of data, ensuring that we are all clear on how the information collected will be used and for what purposes.

For each data processor from above, you’ll need to be clear on:

  • Who is using the data and what is it being used for?
  • Where is the data being stored and how long will it be stored for?

Create a Privacy Policy page on your website that oulines all of the above.

5. Ensure you have gained the correct permissions for data usage.

Data can only be used for the purposes that you state. For example, information provided via a generic enquiry form cannot be added to your marketing lists.

It’s advisable to inlcude a check box that has to be ticked by the website visitor, agreeing that they understand what their information is being used for before they submit it via various forms.

If relevant, your privacy policy should be written in a way that children understand and relevant systems in place to obtain parent or guardian consent.

6. Make it easy for data retrieval and removal requests.

Under the GDPR people have the right to: 

  • ask for their personal data to be removed if there is no reason for it to be processed any longer
  • ask for a copy of their personal data held

The above requests should be easy for the ‘data subject’ to action, so you could provide relevant contact details on your Privacy Policy page and/or opt-out links on newsletters etc.

7. Protecting the data transmitted and stored.

Install an SSL Certificate on your website. This will provide an encrypted connection to better protect the transfer of information.

The GDPR also introduces pseudonymisation. The GDPR explains pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. As long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”.

8. Designating a Data Protection Officer (DPO) and Data Breaches

A company or organisation that processes personal data of significant scale is required to appoint a DPO. This individual should be responsible for making sure you are in compliance with the GDPR.

Should there be a data breach, the Data Controller has a legal obligation to report it within 72hrs to the relevant authorities.

9. Privacy by design

The GDPR outlines that privacy should be fully considered when developing any digital system… from the outset and not an after thought! And privacy settings should be set at their highest with the option provided for these to be downgraded by the user.


For more information…  Information Commissioner’s Office website.

Recent Posts

The Nine Series, No. 1. Our Ways.


At N9, we have 9 (natch) rules we endeavour to abide by. It's not a check-list or mission statement, just a list of points we can refer to as a group. It means we all know what N9 stands for and how… Read more