GDPR: what we did and how

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. That’s very soon and a lot of people are feeling understandably nervous about it…

Here’s what we’re doing at Scroll to prepare for GDPR – and why you should care about it.

What is GDPR?

GDPR is a piece of legislation that updates data protection law so it deals with the new ways we use data – like cookies and large-scale data collection. (The legislation GDPR is replacing came into effect in 1995: a lot has changed since then.)

GDPR makes data protection rules more or less the same throughout the EU. It gives data subjects – the people whose data is being held – a lot more rights over their data.

And, slightly terrifyingly, it means companies can be fined 4% of their annual turnover or 20 million Euros, whichever is greater, if they don’t comply.

Why should you care about GDPR?

Most people creating and editing content for an organisation will come across personal data (data that can directly or indirectly be used to identify someone) at some point.

As a professional, it’s important to understand a few of the issues and requirements around dealing with personal data, or you could unwittingly put your client and your reputation at risk. As you’ll see when you read further, not handling data properly can have serious consequences…

It’s also handy to have some kind of grasp of GDPR so if a client asks, you can look vaguely knowledgeable!

Some key bits of GDPR and what Scroll has done

GDPR is long and complex, so I can only give you a flavour of it here. Your best bet for comprehensive GDPR information is the Information Commissioner’s Office (ICO) website.

With that disclaimer out of the way, here are some key parts of GDPR and a bit about what we did to prepare.

Holding data lawfully

The GDPR says you have to have a legal basis for keeping or using data. There are a number of legal bases but the ones we use at Scroll are:

  • explicit, opt-in consent – gone are the tick boxes saying ‘tick here if you don’t want to hear from us’: people have to opt in to stuff now
  • to comply with a legal obligation – we keep data to show that a Scrollie has the right to work in the UK
  • to perform a contract or to take steps to enter into a contract – we keep data so we can search for roles for Scrollies

We’ve planned data audits once a year to ensure the only data we hold is covered by one of the legal bases above.

Interestingly, under GDPR, personal data is not just the usual things you’d think of, like name, address and email, etc. It now encompasses web data like location, IP address and cookie data, which makes things a bit trickier.

Being fair and transparent about data you hold

There are other rules about holding data, which are identical or very similar to the current Data Protection Act. They mostly come across as rather reasonable things to demand. For example, you must:

  • only collect data you need
  • tell people clearly why you’re collecting it (we do this via short privacy notices, that we show at the point of collecting people’s details)
  • make sure it’s accurate and up to date
  • not use it for any other reason than the one you told people about
  • not keep it longer than you have to

At Scroll, we did a data audit so we now know what data we have and where it’s stored. This means we can keep track of how long we keep information for, who has access to it, why we collected it and who is responsible for it. That helps us stick to these rules.

Keeping personal data secure

Under GDPR, you must keep personal data secure, protecting it from unauthorised use, accidental loss, destruction or damage. Securing your data involves looking at whether your systems are secure and who has access to them, among other things.

As part of our data audit, we classified the data so we knew which was most important to protect – for example, we classified our newsletter sign up list as less sensitive than our Directory, which contains names, past projects, test results and interview details.

We could then make decisions as a team about how to protect the most important data first – we limited access to the sensitive stuff and we’ll be running training on how to handle data properly.

Acting quickly if you have a data breach

If your data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed, you’ve had a data breach (and you have a problem).

Carphone Warehouse was fined £400,000 when it happened to them.  Wetherspoons deleted their entire database rather than risk another breach.

If you have a data breach, unless it’s a breach of data that can’t be used to identify people, you’ll have to report it to the Information Commissioner’s Office (ICO) and soon. If you don’t do it within 72 hours, you could face a fine. You may also have to inform all the individuals concerned, depending on what kind of data it was.

At Scroll, we’ve set up a data breach procedure and a notification form, so we quickly know what to do if it ever happens to us.

Respecting people’s rights around their data

Under GDPR, people have the right to:

  • access their personal data for free
  • have data corrected if it’s wrong
  • object to or stop you processing their data
  • be forgotten (a person can ask you to delete their personal data)
  • data portability (moving data seamlessly from one internet provider to another, for example)

Most of these rights are the same ones they had under the Data Protection Act, but with some added extras – eg the right to data portability.

All of these rights make it imperative that you know what data you have on people and where it’s stored, which is why you need – yep – a data audit. If this blog makes you think we’re obsessed with data audits, it’s because we truly are!

A summary of what else Scroll has done

There’s far too much to go into in detail, but we have also:

  • documented our journey to compliance and why we made the decisions we did (GDPR is big on accountability) – this document has been really useful as a ‘to do’ list to check off
  • carried out a risk assessment
  • thought about cookies (still thinking about cookies…)
  • updated Scroll’s data protection policy and privacy policy
  • thought about what ‘privacy by design’ will mean for us if we get a new Customer Relationship Management (CRM) system
  • acted on Mailchimp’s recommendations for compliance (we have a Mailchimp mailing list)

What else you should do about GDPR

Most clients you work for will have data protection policies in place already under the Data Protection Act, and will be strengthening them in readiness for the GDPR. Make sure you’re up to speed with what’s expected of you.

You can also have a flick through the GDPR guidance from the ICO – it’s written in a fairly straightforward, easy-to-understand way and is pretty user friendly, with ‘at a glance’ summaries and checklists.

I hope you learnt something new about GDPR from this blog. If you didn’t… could you get in touch and make sure we’re doing it right?

What happens when content design crashes into the General Data Protection Regulation (GDPR)?


What would it be like to produce content in a total data vacuum? Picture yourself working in soundproofed blacked-out box with a computer that can only send but never receive information. You have a brief to design some content, but you haven’t been given much information about your users. You’re going to have to rely on intuition and assumption about their needs, interests and behaviour. No matter – you’re a resourceful person, so you make the best of it and cobble together some best-guess content. It’s a relief to press send.

Off it goes into the ether and you’ll never have to think about it, the users or their needs again – because there won’t be any feedback. That includes all metrics, page views, click-throughs, bounces and everything else you’re used to for assessing whether your work is fulfilling its aims. It sounds like a recipe for awful content, doesn’t it? It must be – though of course you won’t get to know either way.

Data drives content

For content professionals, such a scenario in the real world is unthinkable. Content is driven by data and databases, from analytics to A/B testing. Data is the beating heart of how content designers think about user needs and what we do to deliver on them. It’s also the biggest weapon in our armoury when it comes to dealing with sceptical and obstructive forces in the organisations we work for.

And yet, the situation above isn’t just a thought exercise. Working in a data void – or at best with a seriously diminished data set – could well become a reality for many of us in a couple of years if we don’t take timely steps to stay compliant with imminent new data protection legislation, according to Hazel Southwell, Data Protection Consultant, speaking at a recent Content, Seriously meetup.

Ignore data protection at your peril

Content producers who ignore the new rules will be destined to launch their content into the void, she warned, like the Soviet scientists who shot Laika, a Moscow street dog, into space with scant means of monitoring her progress and no hope of her survival. The ill-fated dog died from overheating after only a couple of hours and the scientists learned next to nothing from the adventure. At least she got to be the first animal in orbit – which is far more than content producers can hope for in return for their doomed efforts.

Producing content without user research and analytics (both pre and post publication) makes it far more likely to be irrelevant to target audiences – and useless to our objectives. More than that, data is the trump card, the invincible ace of spades, in any argument about the direction that content should be taking.

How often does data come to our rescue when subject matter experts are blocking improvements to clarity and readability, or when managers are resistant to important content changes? They can’t argue with the data. Without data in the armoury, we’re fighting blindfold with both arms tied behind our back.

Say hello to the General Data Protection Regulation

On 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force, making sweeping changes to rules governing the way we collect, use and store data. It will have an impact on any organisation, whether based inside or outside the European Union, that processes the personal data of any resident of the EU or any EU citizen elsewhere.

Companies will no longer be able to sidestep data protection obligations because their head office is in the US, say, or their servers are in Vanuatu. If they’re dealing with the personal data of EU citizens then they must comply with the rules. So Brexit will not provide a way out for UK organisations either.

The UK currently has one of the toughest data regimes in the world in the Data Protection Act 1998, backed up by the enforcements of the Information Commissioner’s Office (ICO). But the GDPR knocks that into the shade, not least with sanctions that are designed to bring the global tech behemoths out in a cold sweat. Even the likes of Google and Facebook might think twice about transgressions, faced with fines totalling €20 million or 4% of worldwide annual turnover – whichever is greater.

Personal data will include photos, email addresses, bank details, social media posts, cookies and IP addresses – anything, in fact, that identifies you directly or indirectly in your private, professional or public life. And if you’re processing this data, whether you’re a multinational or working from your front room, whether you’re turning a profit or not, then you’ll need to comply.

It might be a shock for a humble WordPress blogger to find their use of tools such as Google Analytics (much of which is based on monitoring IP addresses) could fall foul of the law. And their difficulties will be compounded if they deal with personalised content tailored to their audiences – for example, if they use a formula whereby 2 users might see a different paragraph within a single page depending on their age. It seems the quest for making highly relevant content is to become even more tortuous.

So how do you comply with the GDPR?

You’ll have to get explicit consent for obtaining and keeping personal data, which must be given to you freely, rather than as a bargaining chip for accessing your services. You’ll need to ask for it in clear and obvious way, not just imply you’re taking it and going ahead.

Having obtained consent fair and square you’ll have to store it, not only so the ICO can check you’re doing things right, but also so individuals concerned can see what you have on them. They should be able to transfer their data to other data controllers if they want – what’s being described as a new right of ‘data portability’.

Consent can be withdrawn as well as given, and you’ll have to erase data or correct inaccurate data if requested, or restrict processing data if you get an objection. If the data you’re keeping gets compromised through a security breach you may have to notify the relevant authority, the individual concerned or the public at large.

You’ll have to demonstrate that you’re complying with the GDPR, through policies and procedures, staff training, monitoring, documentation – and if your organisation is large enough, with the appointment of a designated data protection officer and appropriate records of your data processing activities.

Privacy will be prioritised by better design (privacy by design) and through more stringent default settings (privacy by default), and you’ll be encouraged to use data only when strictly necessary for your services.

Privacy fights back

If it sounds tough, that’s because it is. There are some obvious exemptions to the rules – such as for national security, defence, law enforcement, public services and health and so on – but it seems the EU has had enough of companies storing and selling huge quantities of personal information, our interests, health, social background, jobs, wealth, education and much more – information that has very likely been obtained in ways we were not wholly aware.

While we unwittingly surrender the details of our address books, calendars, emails and map co-ordinates to apps and companies that seem to have no call to know them, many of us are only dimly realising that our most private information is forming part of a vast global trade far beyond our control. Marketing giant Acxiom, for instance, is said to have stockpiled up to 3,000 separate nuggets of information on each of the 700 million people in its files.

In this context, the GDPR could be a welcome rebalancing in favour of the individual. Even so, EU member states still have some flexibility about how they implement many of the GDPR’s 99 Articles – not to mention the uncertainty of how a post-Brexit UK might slot into those arrangements.

There may also be ways to anonymise or ‘pseudonymise’ data so that it can be used without stepping on anyone’s toes, or making the most of exemptions for statistical research that doesn’t rely on the identifying aspects of the data. The sweep of the legislation may be fixed, but the crispness of its final boundaries are still to be defined.

Respect privacy, improve content, win trust

However the cookie in your cache might crumble come May 2018, content strategists must start putting data protection much higher up the agenda now. Content professionals are creative people and will be able to conjure up inventive and unimposing ways for users to give consent about their personal data.

It’s in everyone’s interests that content is engaging and relevant, and it won’t take much for users to understand how important data is for the best in content creation. It will be even more important for content professionals to create the kind of compelling content that will make users care enough to click the consent button – in whatever form it takes – without a second thought.

Many thanks to Hazel Southwell for her contribution to the Content, Seriously meetup.



Talk to us


© Scroll Ltd.