Understanding the UK’s General Data Protection Regulations (GDPR)

Photo by Markus Spiske on Unsplash

(This article is the opinion of the author, and is not intended to constitute legal advice.)

— — — — — — — — — — —

Do you remember 1998?

That was the year US president Bill Clinton and Monica Lewinsky were in the news, the dot-com bubble was getting bigger, the DVD format was released onto the UK market for the first time and the highest grossing movie of that year was Titanic starring Leonardo DiCaprio and Kate Winslet.

Most importantly, it was also the year that the Data Protection Act 1998 became law in the UK, regulating the storage of personal data stored on computers or in paper filing systems.

You remember paper filing systems, right?

Data protection for the 21st century

In 2018, 20 years after the 1998 Act became law, the UK along with its EU partners will be updating the regulations around the management of personal data. The new regulations are called the General Data Protection Regulations (GDPR) and they will become law on 25th May 2018 (regardless of the country’s Brexit negotiations!).

There are a variety of reasons for this important and far-reaching update.

Clearly, the ways we process and manage personal data have changed considerably over the last 20 years. However, legislation did not always keep pace with these changes.

We are seeing a trend for more and more private, personal data being held and shared within and between companies. That trend is only going to continue for the foreseeable future. Furthermore, personal data is an increasingly valuable commodity and is of great value to criminals and to marketing companies, for example. In recent years we have also seen numerous serious data breaches which exposed weaknesses in the existing legislation. So, it is hardly surprising that many experts came to the conclusion that a review of the ’98 Act was long overdue.

GDPR — What you need to know

This is a relatively brief introduction, designed simply to update managers in organizations preparing for the introduction of the GDPR. Managers responsible for leading those preparations should visit the UK Information Commissioner’s Office website, which provides comprehensive guidance on the GDPR and on the preparations that organizations must make to comply with it.

The legislation is complex and will impact different companies in different ways. Importantly, it will impact any company, wherever it is in the world, that processes personal data belonging to EU nationals.

So, any company in this position needs to be prepared for the introduction of the regulations in May 2018, and the earlier companies start preparing, the better.

With this in mind here are 7 key things that people working in organizations that handle the personal data of EU nationals need to be aware of.

1. Expect the General Data Protection Regulations (GDPR) to be impactful.

Businesses that process the personal data of EU citizens, regardless of where they are in the world, have until May 2018 to fully comply with GDPR. Companies found to be in breach of the Regulation after that date could find themselves facing substantial fines and the reputational damage they may suffer as a consequence should not be underestimated.

The implications of the legislation will be felt far beyond a company’s legal or IT departments. It will have implications across the organization, including marketing, finance and human resources, and because breaches of GDPR may result in non-complying companies being fined, it will be felt in the boardroom too.

2. Company size

The amount of work each company will need to undertake in order to ensure that they comply with GDPR will depend on:

Number of employees — Companies with 250 or more employees will find that the legislation could involve a greater administrative burden than businesses with fewer than 250 employees.

Existing data protection processes — Businesses that are compliant with existing data protection legislation will find that there is far less work involved than companies with little or nothing in place. So, for example, new business startups will need to ensure that they are collecting personal data in a manner that is compliant with this legislation.

The UK’s Information Commissioner’s Office has produced a 12 step guide for companies to help them prepare for the introduction of the new legislation.

3. Handling of personal data

“Personal data” is defined as “any information relating to an identified or identifiable natural person” and that person is called the data subject.

A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Under the GDPR, non-complying organizations can face severe fines. This has the potential to be one of the most impactful areas of the Regulations. The legislation provides for non-compliant businesses to receive penalties, depending on the violation, of 2% or 4% of an organization’s total worldwide annual turnover during the preceding financial year.

4. Consent

The GDPR aims to give people genuine ongoing choice and control over how their personal data is used.

Organizations must be able to demonstrate that consent to store personal data was “freely given, specific, informed and unambiguous”.

Where an organization processes data belonging to children under 16 years in the UK (although the age may be as low as 13 in some EU states), then they must obtain parental consent.

The legislation establishes the following rights for EU citizens:

Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision making including profiling

Importantly, in addition to the express consent that the GDPR requires from the data subject before their information can be processed, data subjects will have the right to withdraw their consent at any time.

5. Privacy Impact Assessments (PIAs)

The Information Commissioner’s Office encourages a ‘privacy by design’ approach to data privacy.

This means that privacy should be a key consideration in the early stages of any project and for the duration of that project. Privacy Impact Assessments (PIAs) will:

i.) help identify the privacy risks involved in company projects

ii.) give companies the information required to respond appropriately where a PIA reveals that there is a potentially high risk of a privacy breach.

6. Appointing a Data Protection Officer

The GDPR outlines those situations where organizations must appoint a Data Protection Officer (DPO). These are where an organization carries out large scale:

i. systematic monitoring of individuals (for example, online behavior tracking); or
ii. processing of special categories of data, or data relating to criminal convictions and offenses.

The requirement also applies to public authorities (except for courts acting in their judicial capacity).

7. Identifying the roles of data controllers and data processors

The GDPR recognizes that different businesses involved in the processing of personal data have different degrees of responsibility for, and involvement in processing of, personal data.

So, it makes the distinction between the roles and responsibilities of a data controller and of a data processor:

Data Controller — determines the purposes and means of processing personal data. The GDPR obligates controllers to ensure that contracts with processors comply with the GDPR and to notify the Supervisory Authority no later than 72 hours after having become aware of a data breach that is likely to result in a risk to the rights and freedoms of the person involved. In the UK the Supervisory Authority will be the Information Commissioner’s Office (ICO).

Data Processor — processes personal data on behalf of a controller. The GDPR places specific legal obligations on processors including legal liability if they are found to be responsible for a breach. Where a data processor is responsible for a personal data breach, they must notify their Data Controller.

The Data Processor and the Data Controller can be a person, business or public authority. A Data Processor is under fewer obligations than a Data Controller and companies can be both Data Controllers and Processors.


The world has moved on a lot since the 1998 Data Protection Act became law in the UK. However, despite changes in technology, it is important to recognize that GDPR is not an attempt to rewrite existing data protection legislation; it is simply intended to update and strengthen it.

This is good news for those companies that are complying with the 1998 Data Protection Act before GDPR becomes law. They will have robust foundations upon which to build and the road to compliance may well be relatively short.

However, it is those companies that have made little or no progress towards compliance by May 2018, whether through negligence, ignorance, or the fact that they are newer companies, that may find complying with GDPR more difficult to achieve and have the most work to do.

Twitter 101 — How To Start Marketing Your Business Using Twitter

Twitter has millions of loyal users and, as any entrepreneur will tell you, where there are people, there are potential customers and clients.

To get the best from Twitter you will have to learn to communicate using a limited number of characters (Twitter plans shortly to increase the number of characters in a Tweet from 140 to 280). Fortunately, with only a little inventiveness, you can communicate your message despite these restrictions.

This makes Twitter a deceptively powerful tool and there is a ‘pot of gold’ hidden out there for entrepreneurs who are willing to put in the time and effort to master this platform.

If you are new to Twitter, or you have an account but just never ‘got’ what it was all about, I want to share my top tips for anyone wanting to get more out of Twitter.

1. Choose a good Twitter username

Choosing the right username matters, as this is how you will be recognized on Twitter. Usernames always start with ‘@’ and although the maximum length of a username is 15 characters, the shorter your username, the easier it will be for people to remember. Wherever possible, choose your name, your business name or a meaningful variation of either as your username. Avoid adult, political, or other usernames that might give people an impression of you that is incompatible with your business.

2. Customize your profile

It is highly recommended that you customize your Twitter Profile. This will become your ‘homepage’ on Twitter and the page people see first when they search for you using your Username or follow your link back to Twitter.

There are 4 steps to customizing your Profile:

i. Choose a background color for your Profile.
ii. Complete the free text boxes. This is an opportunity to tell others a little more about you and what you do. The Bio field offers up to 160 characters to sell yourself and you can also share your ‘Twitter name’ (this can be different from your Twitter Username), location, birthday and link to your website, using the fields provided.
iii. Choose an appropriate header photo (1500 x 500 pixels). This is usually something pertinent to you or your business.
iv. Profile photo (400 x 400 pixels). For business purposes this should be your head-shot rather than your business’s logo.

3. Learn the language

Twitter has its own language and if you really want to get the best out of using it, you need to learn the lingo. Here are some of the most common Twitter terms you need to know:

Tweet — A Tweet consists of text (up to a maximum of 140 characters).

Follow / Un-Follow — When you ‘follow’ another Twitter account their Tweets are listed on your home page. Un-following stops their Tweets appearing on your homepage.

RT or R/T — Short for Re-Tweet, this is the act of taking a Tweet from someone you are following and ‘broadcasting’ it to everyone who follows you. Re-Tweeting is usually seen as a form of endorsement of the information in the shared tweet.

HT or H/T — Hat Tip or Heard Through. Use this to acknowledge that someone else made you aware of the content you are sharing. For example: “This article explains how it all began … H/T @JohnSmith”.

DM — Twitter has a direct messaging function where you can send private messages to someone who is following you.

@ — The ‘@’ symbol that identifies every Twitter username, as in @raykay.

# — The ‘#’ or hashtag symbol is a way of categorizing tweets. The great thing about using hashtags is that when you click on a word preceded by a hashtag, any other Tweets with the same hashtag are also listed. Well-known hashtags include #Election2016, #SuperBowl and #IceBucketChallenge.

Blocking — Blocking is a function that you can use to stop someone from seeing or responding to your Tweets and gives you control of your interactions with other Twitter users.

4. Follow the experts in your industry

Follow the experts in your industry, niche or profession. Twitter suggests who you might want to follow, and although it does not always get it right, it is still a useful feature. Additionally, you will be able to see what others are tweeting about. Furthermore, you can respond directly to those tweets, join a conversation or even re-tweet their tweets to your followers. With a bit of luck, they might even follow you back.

5. Interact with potential customers

Interact with potential customers, but be careful not to pitch your services too early. In the beginning, just make them aware of your presence, for example by sharing information with them, offering advice or re-tweeting their tweets to your followers.

6. Grow your list of followers by tweeting often

The more active you are on Twitter, the larger your following is likely to be, up to a point. If some of your followers find that you are tweeting excessively they may decide to un-follow you. So, spend no more than 15 to 20 minutes each day on this task and space your tweets out over the course of the day.

Of course, Twitter is a relatively simple platform, especially when compared to Facebook. However, it is precisely its simplicity, and ease of use, that makes Twitter one of the most popular social media platforms in the world today.

Credit: Photo by Con Karampelas on Unsplash