The Applecado blog

GDPR - are you ready?

EU GDPR Ready

With the GDPR deadline now less than six months away, we all want to make sure our businesses are ready for any adjustments we'll have to make. The fines are intimidatingly large, and any changes could take time to implement, so it's worth ensuring you're ready sooner rather than later and avoiding any nasty surprises.

Disclaimer: This article should not be taken as legal advice; instead, we aim to guide you through the basic GDPR principles and to help you understand what you need to do to be GDPR compliant in your business.

The GDPR (General Data Protection Regulation) should technically be in effect already, and will be enforceable on 25th May 2018. It builds on some of the 1995 EU Data Protection Directive and aims to fill in the gaps where digital services have grown. No matter where you're based, if you're holding personal information on any EU citizens, you need to take notice.

From an online company's perspective, this article discusses the changes around:

  • how you collect customer data
  • using or processing personal information
  • who has access to these records
  • deleting records
  • data security.

Obtaining Customer Data

Consent

Guidelines around gaining customer consent are about to become much stricter.

As a business, you have to be very clear about what information you're going to take, and what you're going to do with it afterwards. For example, if you obtain customer email addresses from a free e-book download, or some other lead generation technique, you must make it clear that you will be following up with them by email afterwards.

You need to use plain English, no complicated legal speak, and no vagueness such as “untick this box if you don't want to opt-out of this newsletter”.

Opt in or out?

You must not rely on 'implied consent', so that means no “using this site assumes you accept our terms and conditions” any more.

Checkboxes must default to off, and your users must choose to turn them 'on'. Permission to store or process data has to be expressly given.

According to the GDPR, you must keep records of how people opted into your lists.

Take (only) what you need

The GDPR also aims to prevent companies from taking too much information, so a compliant organisation will only take what is really necessary for the activity concerned. For example, if you're asking people to sign up for an online learning course you can request their email address, name and perhaps their address, but you shouldn't need to ask for the number of people in their house, their marital status or the month their car insurance is due for renewal (even if you sell car insurance, they still have to opt in before you can market to them ahead of renewal).

Processing Data

Changes in data use

Even if your customer voluntarily changes how they use your services, you must re-confirm their consent to use their data in a new way. For example, if I buy some stock photography and give consent for my data to be held – then later, sign up to the site's online photography course – I should be asked for my consent to hold and process my data for this new purpose.

Expiry of Consent

The GDPR recommends personal data should be kept for a maximum of 12 months; remember that you have to keep the date your customer was added to your database or mailing list. If you hold their information for more than 12 months, you should be asking them to re-confirm that they would still like to receive any marketing communication – this is going to be a massive change to most companies' marketing strategies.

Individual records & removal

Under the terms of the GDPR, you will be obliged to tell customers what records you hold about them, and you will need to be able to delete them (for good) from your database.

As part of the consent you obtain, you have to make sure your users know they can ask to be removed at a later date.

There is a big exception to this: if you can prove that there is a legitimate business interest, you may keep personal data for longer than 12 months. Examples of data that may be kept for longer than the recommended 12 months are financial, accounting and auditing records, and legal files.

Hosting and Security

Reasonable measures

All reasonable measures must be taken to ensure that the data is kept private. No-one should have access to raw user data unless it is necessary. Organisations with access to this user data must also ensure their databases are kept safe, and that passwords are not shared or breached, and are encrypted.

Care must be taken to protect any hardware or devices that hold user information.
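As an added example (not Applecado's code, and not from the post), here is what "password encryption" looks like in practice for a web application: passwords are never stored, only a salted, deliberately slow one-way hash of each, so that a stolen copy of the users table cannot be turned back into passwords. It uses only the Python standard library; the scrypt cost parameters and the record layout (`scrypt$N$r$p$salt$hash`) are assumptions chosen for this example, not anything the post prescribes.

```python
"""Store and verify passwords as salted scrypt hashes (standard library only).

Added example, not the blog's code. The cost parameters below are assumed
starting points for a web app and should be tuned to your own hardware.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SCRYPT_N = 2 ** 14   # CPU/memory cost; 128 * N * r bytes of RAM (16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16      # fresh random salt per user, so equal passwords hash differently
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'scrypt$N$r$p$salt_hex$hash_hex'.

    Storing the parameters with the hash lets you raise the cost later
    and still verify old records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False            # malformed record: never treat as a match
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # hmac.compare_digest avoids leaking where the two values first differ
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: two users with the same password get different records.
    rec_a = hash_password("correct horse battery")
    rec_b = hash_password("correct horse battery")
    print(rec_a != rec_b, verify_password("correct horse battery", rec_a),
          verify_password("wrong", rec_a))
```

The stored record never contains the password, and the per-user salt means an attacker who obtains the table cannot reuse one precomputed table of hashes against every account. If the database also holds sensitive personal data, this hashing sits alongside, not instead of, the access restrictions the post describes.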

Web Design & Development Changes

There are many ways in which your website contributes to the personal records your company holds, and it can be included in your response to the GDPR. Some of the more common things you can do:

  • Check your site terms and conditions cover what you use data for
  • Change any difficult terminology for 'plain English'
  • Make sure any collection forms are 'opt-in'
  • Don't use email marketing for anyone who has not given you permission; you can't assume someone using your contact form wants your emails
  • Ensure your records have the method and date of consent
  • Consider limiting the data different teams within your organisation can access; we often build websites and online systems with limited access levels
  • Don't share log-ins and passwords
  • Use password encryption
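The consent rules in the Obtaining Customer Data and Processing Data sections and the "method and date of consent" item above fit together as one small record-keeping structure. The following is an added example (not Applecado's code, and not from the post) of a consent ledger that stores the method and date of each opt-in per purpose, refuses to create a record from anything other than an explicit opt-in, reports when consent is older than the 12 months the post recommends, answers a subject's request for what is held about them, and erases a person for good. The in-memory dictionary store, the purpose names and the choice to measure the 12 months from the consent date are assumptions made for the example.

```python
"""Consent ledger: who opted in, how, when and for what purpose.

Added example, not the blog's code. Store is an in-memory dict (assumed;
a real site would use its database), and the 12-month window is measured
from the date consent was given (assumed).
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CONSENT_MAX_AGE = timedelta(days=365)   # the post's recommended 12-month limit


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str         # consent is per purpose: "newsletter", "course-updates", ...
    method: str          # how it was given, e.g. "ebook download form checkbox"
    given_at: datetime   # the date the post says you must keep, for expiry checks


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_opt_in(self, email: str, purpose: str, method: str,
                      opted_in: bool, given_at: datetime) -> Optional[ConsentRecord]:
        """Create a record only for an explicit, affirmative opt-in.

        An unticked box (the required default) yields no record: there is
        no implied consent and nothing to market against.
        """
        if not opted_in:
            return None
        rec = ConsentRecord(email.lower(), purpose, method, given_at)
        self._records.setdefault(rec.email, []).append(rec)
        return rec

    def consent_status(self, email: str, purpose: str, now: datetime) -> str:
        """'valid', 'expired' (older than 12 months: ask again) or 'none'.

        'none' also covers a new use of existing data, which needs its own
        consent rather than inheriting consent given for another purpose.
        """
        recs = [r for r in self._records.get(email.lower(), []) if r.purpose == purpose]
        if not recs:
            return "none"
        latest = max(recs, key=lambda r: r.given_at)
        if now - latest.given_at > CONSENT_MAX_AGE:
            return "expired"
        return "valid"

    def may_email(self, email: str, purpose: str, now: datetime) -> bool:
        """Gate for any marketing send: only current, purpose-matching consent passes."""
        return self.consent_status(email, purpose, now) == "valid"

    def export(self, email: str) -> List[dict]:
        """Subject access: everything held about this person, as plain dicts."""
        return [asdict(r) for r in self._records.get(email.lower(), [])]

    def erase(self, email: str) -> int:
        """Right to erasure: drop every record for the person; returns the count removed."""
        return len(self._records.pop(email.lower(), []))


if __name__ == "__main__":
    # Constructed demo data, not real customers.
    ledger = ConsentLedger()
    signup = datetime(2018, 1, 15, tzinfo=timezone.utc)
    ledger.record_opt_in("ana@example.com", "newsletter", "ebook form checkbox", True, signup)
    print(ledger.consent_status("ana@example.com", "newsletter", signup + timedelta(days=30)))
    print(ledger.consent_status("ana@example.com", "newsletter", signup + timedelta(days=400)))
    print(ledger.consent_status("ana@example.com", "course-updates", signup))
    print(ledger.export("ana@example.com"))
    print(ledger.erase("ana@example.com"))
```

Two design points worth noting: consent is keyed by purpose, so the stock-photo customer who later joins the photography course gets a separate record rather than silently extending the first one, and the expiry check is done at send time rather than by deleting records, so the date and method remain available as evidence of how the person originally opted in until they are erased.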

We hope this helps. If we've missed anything or you have any questions we might be able to help you with, let us know.
