We Help Get Your Website GDPR Compliant So You Can Avoid Serious Fines!

To increase trust in your brand, have appropriate security measures in place to protect the personal data you hold.


GDPR Compliance

A Digital Marketing Agency, Committed To Building A Sustainable World

What is GDPR?

The General Data Protection Regulation (GDPR) is Europe’s new framework for data protection laws. GDPR replaces the previous 1995 data protection directive, which current UK law is based upon.

It introduces tougher fines for non-compliance and breaches and gives us all more say over what companies can do with our data. On top of this, it also makes data protection rules more or less identical throughout the EU.

Why Was GDPR Put In Place?

The GDPR law has two aims. First, the EU wants to give people more control over how their personal data is used. This is down to the practices of companies like Facebook and Google, who often swap access to their services for users’ data. The current Data Protection Act was enacted before the internet, making it easy to exploit data using new technology. GDPR seeks to address this. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the digital economy. Second, the EU wants to give businesses a clearer legal environment to operate in. It’s estimated that making data protection law identical throughout the single market will save businesses a collective €2.3 billion a year.


The penalties for failing to comply with GDPR obligations can be very serious. Consumers have a reasonable expectation that businesses take care of the personal information they collect and that the information is processed only for the purposes it was collected for. The law now better reflects this expectation and businesses risk severe penalties if they fail to comply.

What are the Consequences of Non-Compliance?

For smaller breaches, you can be fined up to the greater of €10 million or 2% of the company’s global turnover. More serious offences can incur fines up to the greater of €20 million or 4% of the company’s global turnover. Unsurprisingly, these fines have attracted controversy because of the impact they could have on SMEs. It may be reassuring to bear in mind that these fines are worst-case scenarios: the ICO will consider mitigating factors such as the severity of the breach and a company’s efforts to comply with the GDPR. The Information Commissioner, Elizabeth Denham, has also published a blog post reminding businesses that the GDPR gives the ICO a suite of sanctions to help organisations comply, including warnings, reprimands and corrective orders, and that issuing fines will remain the last resort. Financial penalties should not be the only concern, however: non-compliance also carries a risk of severe reputational damage, as businesses that do not take steps to protect personal data may quickly lose the trust of their customers.

What are the Basic principles of the GDPR?

The GDPR establishes basic principles which must be adhered to by businesses operating in EU member states or engaging with customers based there. The basic principles are:


  • Lawfulness, fairness and transparency – You must have valid grounds for collecting and using personal data and must use it fairly. You must also be transparent about your processing activities. It is good practice to have data protection policies in place so you can provide clear information about your processing activities and privacy safeguards to customers, suppliers and employees whose data you collect.
  • Purpose limitation – You must be clear about why you’re collecting the data from the start and you should tell the individuals whose information you collect about those purposes. You should never process information for purposes that are not in line with the original purposes that you collected data for. If you plan to use the information for additional purposes, you should always check that the new purpose is compatible with the original purposes and if it is not, you must obtain specific consent from the individuals before you process their information for a new purpose.
  • Data minimisation – You should only collect data which is adequate to properly fulfil your stated purpose, relevant to the purpose and limited to what is necessary for the stated purpose. You should not hold more information than you need for the purposes you collected the information for.
  • Accuracy – You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact. You may need to keep personal data updated although this depends on what purposes you need it for. If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • Storage limitation – You should only keep data for as long as you need it for your stated purposes. You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data. You should periodically review the data you hold, and either erase or anonymise it when you do not need it for the purposes you collected it for. It is good practice to have a data protection policy in place setting out information about retention periods. You must also tell individuals of their right to request erasure of their information at any time.
  • Integrity and confidentiality – You must ensure that you have appropriate security measures in place to protect the personal data you hold. For this reason the ‘integrity and confidentiality’ principle is also known as the security principle.
  • Accountability – The GDPR requires you to take responsibility for the data you hold, what you do with it and what steps you take to ensure you comply with the other principles.

Who does it apply to?

According to the EU, ‘controllers’ and ‘processors’ of data need to follow GDPR rules.

A data controller is the party responsible for how and why data is processed. This is usually your business itself. A processor is the party responsible for the actual handling of the data.

Using a third-party contractor for processing your payroll is a great example of this. Your business tells the payroll company when wages should be paid, how much each employee should receive, and if anyone leaves or joins. The payroll company provides the IT system and stores your employees’ data. In this situation, your business is the controller and the payroll provider the processor.

Even if controllers and processors are based outside the EU, GDPR still applies, so long as they’re dealing with data belonging to EU residents.

It’s your responsibility as a controller to ensure the processor follows the rules. Meanwhile, processors must keep records of their processing activities.

How can we help you...

We Have The Expertise ~ Experience, Tools & Team ...


Ready to Get Started & Join Us to Create More Positive Impact?

Our SEO Service helps you to rank your website higher on Google organically and helps promote your products/services to your target market with ease.
