Reading Time: 3 minutes

The General Data Protection Regulation (GDPR)

As you surely know by now new EU information privacy regulation is coming into force on the 25th of May 2018 in the form of The General Data Protection Regulation (GDPR) which…

is a regulation in EU law on data protection and privacy for all individuals within the European Union. It [also] addresses the export of personal data outside the EU.”
(General Data Protection Regulation. In Wikipedia. Retrieved March 23rd, 2018, from https://en.wikipedia.org/wiki/General_Data_Protection_Regulation.

Non-compliance with GDPR regulations can result in fines of “Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher“.

In a nutshell, these are serious regulations that UK businesses must comply with or possibly face very serious penalties.

For details on the GDPR and what it means for you and your business go read our recent blog posts GDPR and Your Website: What You Need to Know & GDPR for business owners and senior executives along with their associated PDFs (downloadable via the posts).

Pragmatic’s GDPR Compliance

We’ve been working towards GDPR compliance for about a year now. Initially we were busy nailing down information security requirements by applying for and attaining ISO 27001 accreditation. With that in place we moved onto the meat of the privacy regulations themselves.

It’s important, at this point, to understand the difference between two important subsets of personal data Pragmatic come into contact with.

Pragmatic are the controller and processor of subject data collected by us in pursuit of providing our services to our clients. This data we call “Pragmatic’s Subject Data” (PSD). It includes personal information about Pragmatic’s clients, potential clients (leads), employees, potential employees (applicants), suppliers etc.

Additionally Pragmatic are a processor of the subject data collected by our clients and subsequently either: stored in the databases of the websites we develop, support and host; or given by clients to Pragmatic for any other purpose reasonably deemed to represent processing. This data we call “Client’s Subject Data” (CSD). This data might include personal information about our client’s clients, potential clients (leads), employees, potential employees (applicants), suppliers etc.

Pragmatic as the Controller and Processor of PSD

In terms of Pragmatic’s GDPR compliance as the controller and processor of PSD, this is very well in hand and we expect to have a well formed statement of compliance, privacy policy and privacy notices in place by the May 25th deadline. Anything that isn’t completed by May 25th will be scheduled for implementation soon after, the schedule itself being part of our GDPR compliance statement.

Pragmatic as a Processor of CSD

Alongside our responsibilities relative to PSD we are, as previously mentioned, also a processor of CSD. Our responsibilities in relation to this data are detailed in our immanent statement of compliance, new service contracts and data protection agreements. Considering CSD alone we have quite far reaching responsibilities under the GDPR (See GDPR Article 28) and, with that in mind, we make clear commitments to uphold these in the new contracts and data protection agreements we’re presently finalising.

However, notwithstanding everything above, Pragmatic have no regulatory responsibility to make our client’s website(s) or the way they collect, control and/or process the data within them GDPR compliant. Nor, as a web agency, can we help our clients with their statements of compliance or the wording of their privacy notices etc., and under no circumstances can we become a controller of our client’s subject data by “determining the purposes or means of the processing” they engage in.

GDPR Article 28 makes it clear that we have a duty to try to assist our clients in numerous ways, largely in terms of data subject requests like right of access, right of erasure etc. These duties we fully intend to fulfil “insofar as this is possible, taking into account the nature of the processing“. That assistance will be given like any other web support work Pragmatic offer – client’s need to request the assistance and can draw payment for the time spent from SLA time allocations or, alternatively, can buy ad-hoc support hours. We will then schedule the work in as timely a fashion as we can, given available resources.

How can we help?

If you’re one of our clients and you have any questions about Pragmatic’s GDPR compliance then give our Information Security Manager Michael Bailey a shout. We’re certain he’ll be able to answer any questions or allay any concerns you might have.

If you’re one of our clients and you have technical support requests in relation to implementing your own GDPR compliance then contact our friendly and capable support department for assistance.

Legal and regulatory compliance advice, however, is well beyond the remit of a web agency, for that you’ll need to find and retain the services of a law firm, data protection consultant or other adviser.

Photo by Nick Hillier on Unsplash