GDPR - General Data Protection Regulation
GDPR is the hot topic online and in the news right now. Things are changing around individuals' rights
regarding data and privacy - you'll no doubt have had emails from other companies talking about it, but what is
What is GDPR?
GDPR stands for the General Data Protection Regulation. It's an EU legislation that is the framework for data protection
across Europe. Companies must not only be compliant but demonstrate compliance, or face fines of up to 4% of annual
global turnover or 20 million (much higher than the 500,000 fine imposed under the Data Protection Act 1998).
What does GDPR mean for me?
The GDPR gives individuals 8 key rights regarding data:
The right to be informed,
about what data is being captured, and what it is used for.
The right of access,
to the data a company holds on you. The company must provide this within 30 days of the request.
The right to rectification.
If the data held is incorrect or incomplete, an individual can request rectification (verbally or in writing). Again, a company
has 30 days to respond to this.
The right to erasure.
Also known as the right to be forgotten. A right for individuals to have their personal data erased - within 30 days.
The right to restrict processing.
Individuals can request restriction or suppression - which means that companies are permitted to store the personal data,
but not use it.
The right to data portability.
This allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to object.
Individuals have the right to object to direct marketing (including profiling) and other forms of data processing (more info
Rights related to automated decision making including profiling.
Individuals have the right to object to automated decision making, including profiling.
These are the rights the GDPR brings to individuals, or you as a user or customer of websites and businesses.
What does it mean for businesses?
There are a number of steps that businesses have to take in preparation for GDPR as outlined by the ICO (the Information
here. Prezzybox have followed and completed all of these steps.
Making key decision makers aware of GDPR and the change in law.
Information they hold.
Document the data that a company holds, where it came from, what it is used for etc.
Businesses must review their current privacy information and communicate it with those affected.
The 8 key rights as listed above - make sure there are procedures and processes in place to respond to any of the requests
individuals have the right to make (for example, deleting personal data).
Lawful basis for processing personal data.
Review how the business seeks, records and manages consent. Refresh any existing consents if they don't meet the new standard.
Have procedures in place to detect, report and investigate a personal data breach.
Obtain parental or guardian consent for any data processing activity regarding children.
Data Protection Officers.
Designate someone to take responsibility for data protection. Some businesses may be required to formally designate.
What has Prezzybox done?
Prezzybox have followed and completed all of the 12 steps outlined by the ICO in a great level of detail. Most of the steps
we have taken are outlined in our
In addition to this, we have:
Conducted an information audit and documented our data processing procedures
We've looked at every piece of information we collect or store and identified our lawful basis for processing this information.
We know exactly what data we collect, why it is stored, and how it is used. More information on this can be
found in our
Trained every member of staff
Every member of staff throughout the entire company is aware of the changes and their responsibilities regarding data and
the GDPR. We've made privacy and security an integral part of our training and work hard to keep every member
of staff informed and up to date.
Published an internal data breach policy
Building on our staff training, we have policies and procedures to ensure we are equipped to deal with a data breach of any
type or scale. Every member of staff is aware of what constitutes a data breach and what to do if one should
Published a resource portal with information on GDPR for staff
We have a portal available to our staff with information about what Prezzybox has done for GDPR, along with documents and
links for policies and further information.
Third party audit
As part of our information audit, we have audited each supplier that handles data on our behalf (as a data processor) in order
to confirm that they are GDPR compliant. Any third parties that work on our behalf now and in the future must
comply. We hold copies of any third parties data breach and privacy policies and will continue to audit our
data processors regularly.
We build our systems, processes and operations with data privacy in mind. We are, and always will be, compliant with regulations
such as the GDPR. We are able to respond thoroughly and effectively to any requests that users make as per
their rights as an individual under the GDPR.
We welcome the GDPR and the changes it brings. Keeping your data secure and operating in a safe, secure and transparent way
is important to us - we ask our staff to treat all data as if it is their own. If you have any questions around
our compliance to the GDPR or data security and privacy in general then get in touch with us via the
contact us page or email:
Disclaimer: Prezzybox published this guide based on information we have gathered about GDPR to help our customers understand the steps we have taken but it is in no way legal advice. For full information and help regarding the new regulations, please visit the Information Commissioner's Office (ICO) website here.