The EU’s General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.

Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

Simply put, any company that operates within the EU and handles and stores personal information will need to adhere to the new rules. GDPR does not discriminate between business giants and small businesses. Furthermore, the penalties for not complying with GDPR will be very severe. Violation of the terms of GDPR can result in a penalty of 4% of your company’s annual turnover or a fine of 20 million euros (whichever is higher).

Read The 12 Steps To Preparing For The GDPR By The ICO

Your Website Should Have A Privacy & Cookie Policy, Opt-In and Opt-Out Procedure

Explicit consent of any user is requested before data collection takes place: consent needs to be freely given, specific, informed and unambiguous. There must be positive opt-in consent given; consent cannot be inferred from pre-ticked boxes or inactivity.

Provide a clear and accessible privacy policy: The privacy policy will need to inform users how the data you’re collecting will be stored and what it will be used for.

Have a means for users to request to view their data: This needs to be possible for your users, and requests for data must be granted.

“Right to be Forgotten”: Provide your users with a way to withdraw consent and purge the personal data you have collected about them.

Online Payments & GDPR

If you sell online then you will be collecting and storing personal data in the form of customers’ details.

So you will need to modify your web processes to remove any personal information after a reasonable period, for example, 60 days. The GDPR legislation is not explicit about the number of days; it is your own judgement as to what can be defended as reasonable and necessary.
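As an added illustration (not code from the original article), here is a minimal Python customer store that enforces the four website requirements listed above (positive opt-in, a clear purpose, a way to view held data, and a way to purge it) together with the retention purge from this section. The form field names, the sample customers and the timestamps are constructed; the 60-day period is the article's example figure and is kept as a configurable setting.

```python
# Added example, not code from the original article: a minimal in-memory
# customer record store showing how explicit opt-in, subject access,
# erasure and a retention purge can be enforced in code.
# All names, form fields and sample data are constructed.
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The article's example retention period. GDPR sets no number of days;
# this is the site operator's own, documented judgement.
RETENTION_DAYS = 60


class ConsentError(ValueError):
    """Raised when a registration arrives without valid consent."""


@dataclass
class CustomerRecord:
    email: str
    name: str
    purpose: str            # what the data will be used for (must be specific)
    consented_at: datetime  # when the positive opt-in was recorded
    created_at: datetime


class CustomerStore:
    def __init__(self, retention_days: int = RETENTION_DAYS) -> None:
        self._records: Dict[str, CustomerRecord] = {}
        self._retention = timedelta(days=retention_days)

    def register(self, form: dict, now: datetime) -> CustomerRecord:
        """Store a customer only if the form carries a positive opt-in.

        Consent must be an affirmative act: the checkbox must have been
        submitted as "yes". A missing field (the user did nothing) is not
        consent. The server cannot tell a pre-ticked box from a ticked one,
        so the template must render the box unticked by default.
        """
        if form.get("consent") != "yes":
            raise ConsentError("explicit opt-in is required before storing data")
        purpose = form.get("purpose", "").strip()
        if not purpose:
            raise ConsentError("consent must be tied to a specific, stated purpose")
        record = CustomerRecord(
            email=form["email"].strip().lower(),
            name=form.get("name", ""),
            purpose=purpose,
            consented_at=now,
            created_at=now,
        )
        self._records[record.email] = record
        return record

    def export_data(self, email: str) -> Optional[dict]:
        """Subject access request: return everything held about the person."""
        record = self._records.get(email.strip().lower())
        return asdict(record) if record else None

    def erase(self, email: str) -> bool:
        """Right to be forgotten: withdraw consent and purge the record.
        Returns True if a record was deleted."""
        return self._records.pop(email.strip().lower(), None) is not None

    def purge_expired(self, now: datetime) -> List[str]:
        """Retention job: delete records older than the retention period.
        Intended to run on a schedule (e.g. nightly), not only on demand."""
        expired = [
            email for email, rec in self._records.items()
            if now - rec.created_at > self._retention
        ]
        for email in expired:
            del self._records[email]
        return sorted(expired)

    def count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = CustomerStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    store.register({"email": "alice@example.com", "name": "Alice",
                    "consent": "yes", "purpose": "order fulfilment"}, t0)
    try:
        # No consent field at all: the user did nothing, so nothing is stored.
        store.register({"email": "bob@example.com", "name": "Bob"}, t0)
    except ConsentError as err:
        print("rejected:", err)
    print(store.export_data("alice@example.com"))
    print("purged:", store.purge_expired(t0 + timedelta(days=61)))
```

The retention purge compares record age against the configured period, so changing the 60-day figure is a single setting rather than a code change, and the purge runs as a scheduled job independent of any customer action.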

Google Analytics & GDPR

Many websites are configured to use Google Analytics to track user behaviour. Google Analytics has always been an anonymous tracking system. There is no “personal data” being collected, so this will not be affected by GDPR.

Find out more at