GDPR: Is your website ready?


If you haven’t heard, the new EU* GDPR (General Data Protection Regulation) comes into force on 25th May. It will affect the way all businesses and organisations collect, use and store data on individuals. 

GDPR states data belongs to the individual and not to the business using it. This puts responsibility on to businesses to look after that data and use it sparingly. The individual will have the choice and control over how their data is used. Businesses that don’t take responsibility will lose customers, goodwill, brand loyalty and shareholder value. Businesses that can demonstrate good data governance and compliance will find customers share more data, which might lead to increased revenue. 

There will likely be scaremongering about massive fines, but the GDPR is not a huge change from the existing regulations, the Data Protection Act 1998. Yes, the fine limits have gone up, but it’s about shifting the focus to the rights of the consumer, not imposing fines. The Information Commissioner’s Office (ICO), which will be enforcing the regulation, claims to prefer a carrot approach, with advice and guidance for compliance, rather than the big stick approach of mega-fines. They feel that an organisation’s non-compliance will have such a large impact on brand and consumer trust that they won’t really need to use the big stick.

Rights of the Individual

The main point of the regulation is to reinforce the rights of the individual and their right to control data held about them. This means:

  • Clear Consent is required (opt-in) to process data
  • More and clearer information about processing must be prepared
  • Easier Access to personal data
  • Right to rectify and Remove data
  • Limits on automated decisions
  • Notifications if data compromised
  • Right to move data between services
  • Stricter safeguards for transfer outside EU

For businesses this means a bit of work to make sure they meet the regulations and maintain those standards in the future. It will obviously be more work for large organisations who work with a lot of customer data.

Rules for Data Processing

Organisations must ensure data is:

  • Transparently & lawfully processed
  • Processed for Specific purposes
  • Relevant and not excessive for the processing - kept to a minimum
  • Accurate
  • Not kept longer than required
  • Secure

What to do next

If you have only just started thinking about GDPR compliance, the first steps taken by most organisations involve:

  • Reviewing consent mechanisms - are they completely clear and unambiguous? Uncheck those checkboxes on your contact forms!
  • Reviewing privacy policies including lawful basis for processing. Update the privacy page on your website.
  • Reviewing current data inventory to assess compliance.

Document all your reviews and changes, and keep these records to show compliance.

Before 25th May 2018 you must inform people upfront about your lawful basis for processing their personal data and ensure that you include it in all future privacy notices.

Where to look for help

The best place to start is the ICO website, which has loads of information including self-assessment checklists, FAQs, myths busted, and a 12-step guide for how to prepare for GDPR. The ICO has also made a small business advice page to help guide small businesses through the regulations, and it details the tools and resources available to you.

Contact us to see how we can make your website ready for GDPR.


In summary, the new regulations are an extension, an update to what was there before, brought on by huge advances in how individuals communicate and interact with organisations. They champion the rights of the individual to control their data, and put the onus on the organisations to use it fairly, transparently and safely.

*Post-Brexit, the UK won’t be subject to EU GDPR rules, but we need to be compliant now, and the UK will then maintain equivalent regulations to ensure data flow between the UK and the EU.

Maintaining responsibility and integrity as a company is key to establishing the bonds of trust with your customers which means they will happily provide their data; if you are ruthless data sharks, you'll find there's no prey in the water to keep you alive. The impact of GDPR is as yet unknown for both companies and the general public - will they revoke access to data en-masse, or will it go over their heads?
