The General Data Protection Regulation and Your Website

The General Data Protection Regulation and Your Website

You’ve probably heard about the General Data Protection Regulation (GDPR), and you might be wondering how it impacts you and your business.

The GDPR will become law 25th May 2018 across all 28 EU member states and will replace the inconsistent laws the EU member states implemented to comply with the 1995 directive.

Many business who work online and send regular emails to their customers such as a newsletter have already begun sending out emails asking their customers to Opt In and give consent for them to continue to do so, in order to get ready to comply with this new law.

If you work with online marketing, email newsletters, send out regular emails to customers, and hold any data on them for such purposes in future, this is something you need to be thinking about NOW!

Please contact me by replying to this email or on +447803807013 and I will be happy to help setup and manage a campaign for your business and website to ensure that your business complies with these news laws.

Email opt-in forms

Many brands use a pre-checked ticked box to gain consent for the simple reason that it captures permission from more customers than using a box that must be proactively ticked.

These will not cut the mustard coming May 2018. Silent or soft opt-in is not acceptable for GDPR consent. To continue using soft opt-in for customers and email addresses provided during negotiation of a sale means considering use of legitimate interest rather than consent as the legal GDPR basis.

Here’s just a few form examples.

Virgin Giving making a charity donation

ASDA account creation form

Lancome checkout opt-in form

I have included an email below I recently received asking me to Opt-In to continue being sent emails from a company as an example of the type of email you should be sending your clients to start getting your website and data ready to comply with the new laws below.

As you can see it is important to get consent to continue contacting and emailing your customers in future.

This regulation is a European Regulation, but also affects business and individuals elsewhere, because if you regularly have dealings with EU citizens, you’ll need to make sure you comply with the regulation too. The GDPR applies to all companies worldwide who work with personal data of EU citizens.

There are two European Union regulations that are relevant here, the GDPR (General Data Protection Regulation) and the PECR (Privacy and Electronic Communications Regulations).

This will impact every entity that holds or uses European personal data both inside and outside of Europe,”

For this reason, it would be a huge mistake to ignore the GDPR .

The purpose of the new law is to provide a set of standardised data protection laws across all the member countries – to protect the rights and freedoms of individuals to decide what happens with their data, and to give them a choice.

Data you collect as a business through your website can be for example, names and email addresses, for newsletter list building; address details when registering for an online community or buying something in a shop; cookies when people browse your website; google analytics data; data collected through a facebook pixel, etc.

An important concept is the concept of consent. Companies have to clearly communicate what they intend to use any collected personal data for, and they need to receive clear consent, asking for it in clear and plain language. And it must be as easy to withdraw consent as it is to give it.

The digital economy is at the core of what the GDPR is all about, A key element of the GDPR is that it not only gives rise to increased compliance requirements, but these are backed by heavy financial penalties.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

The new regulation says that anyone collecting personal data must have a lawful basis for processing personal data and they need to include information about the lawful basis (or bases) and their intended purposes for processing the personal data in their privacy notice.

One of the most relevant lawful bases for most small business owners is consent. At lot has been written on this. The regulation says:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

The ICO have published further guidance on consent:

Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.


Consent should be obvious and require a positive action to opt in.


Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.


Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.

The fines apply to infringement’s of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows.

Organisations that have failed to heed advice not to wait until the publication of the final text of the GDPR before taking action will face the challenge of having only two years to implement all the necessary changes to their systems and operations to meet the new compliance requirements.

GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,”

The GDPR is loaded with requirements to make businesses more accountable for their data practices. “This is the area where the heavy weight of the GDPR will be most felt in practice. New responsibilities such as data protection by design, data protection by default, record keeping obligations, data protection impact assessments and prior consultation with data protection authorities in high-risk cases will require managerial effort and investment,”

Key changes to EU data protection introduced by the GDPR

  • More rigorous requirements for obtaining consent for collecting personal data.
  • Raising the age of consent for collecting an individual’s data from 13 to 16 years old.
  • Requiring a company to delete data if it is no longer used for the purpose it was collected.
  • Requiring a company to delete data if the individual revokes consent for the company to hold the data.
  • Requiring companies to notify the EU government of data breaches in 72 hours of learning about the breach.
  • Establishing a single national office for monitoring and handling complaints brought under the GDPR.
  • Firms handling significant amounts of sensitive data or monitoring the behviour of many consumers will be required to appoint a data protection officer.
  • Fines up to €20m or 4% of a company’s global revenue for its non-compliance.

Further Reading