GDPR Overview

This page is intended as a helpful overview of GDPR and the key changes being introduced, as well as the steps needed to comply. This is by no means a complete or detailed review of what companies are required to do. For more information on how Buto can help customers comply with GDPR, please contact your account manager.

What is GDPR and why does it matter?

The EU General Data Protection Regulation is a Europe-wide set of data protection laws designed to harmonize data privacy practice across Europe (which previously have been adopted inconsistently). While the regulations apply directly to companies located in the EU, its mandate extends to all that do business in the EU or have customers with EU citizenship, and so potentially could impact any company with an online presence. The emphasis is on protecting citizens and their data and giving users more information about and control over how it’s used. The new regulations are scheduled to take effect on 25th May 2018.

Why is it necessary?

The widespread use of the internet, technological advances in cloud storage and the advent of social media has changed the way data is processed and transferred. This means the previous rules not only needed to be updated, but needed to be uniform across Europe and applied more rigorously.

Who does it affect?

Anyone person or entity who collects, stores or processes personal data located in the EU or doing business with a citizen of the EU needs to comply with GDPR. (There is some question over the UK after Brexit but it is highly likely the legislation will be similar to GDPR.) There are two distinct entities who need to comply with GDPR regulations:

  • Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data
  • Data Processor: the entity that processes data on behalf of the Data Controller

What is considered personal data?
Personal data is defined as anything that can be used to directly or indirectly identify the person – for example names, photos, email addresses, bank details, social posts, medical information or IP addresses.



Nominated Owner (Data Protection Officer)
A director within the data controller or data processor needs to be appointed to be accountable for data protection. This person has to be suitably competent to handle the technicalities involved. It is worth considering where the accountability should fall – with IT, legal, marketing or elsewhere.

Explicit opt in
When collecting personal data, data controllers need to ensure that each individual explicitly consents with an affirmative action (NOT an opt out) and that a record of how, when, and where the consent was consummated is retained.

Right to be forgotten
Under the new regulations, a user has the right to be forgotten. They can request that all the data which is held on them is permanently deleted or anonymized if deletion is not possible.

Plain Language
The onus in on companies to use plain language to explain what data is being held, how long it is being held for and how a user is able to withdraw their consent.

Access requests
As people become more aware of their data privacy rights, there is likely to be an increased number of queries on the data being held on them, which companies will need to respond to without delay.

Data controllers need to be able to tell a person, what data is held on them, what it is used for (why), how it was obtained and for how long. GDPR requires companies to provide notice to website visitors regarding (among other things) the use of tracking technologies.



  • Appoint a responsible director for data protection.
  • Ensure all service providers used to process data comply with GDPR standards.
  • Ensure customers, clients or website users have explicitly consented to their data being stored. Records need to prove that users have agreed to their data being stored and failing to disagree is not enough.
  • Have the capacity to permanently erase (or anonymize) a user from records on request.
  • Check the terminology of privacy documentation to ensure it is using understandable language.
  • Update notices to website visitors to include information on the use of tracking technologies, the use of third-party service providers with whom their data may be shared, how to opt out of such data processing and the consequences of doing so.



  • modified our products to reduce collection of personal data and ensure compliance with GDPR requirements for processing personal data.
  • ensured our data deletion practices comply with the GDPR's right of erasure requirement.
  • provided a means of deleting, modifying and exporting the personal data of the data subjects for our customers.
  • updated product design policy to ensure new product builds have privacy principles in mind.
  • updated our privacy policy to keep our website visitors and customers informed of how we may collect and use their information.
  • reviewed all suppliers to ensure compliance with GDPR and where appropriate, certifying to the EU-US Privacy Shield.
  • reviewed our marketing practices to ensure we are communicating with customers and prospects in a manner that respects their rights under GDPR. 
  • reviewed our security practices to ensure that the personal data we process on behalf of our customers, through their use of our services, is adequately protected.


The privacy landscape is changing fast and we take very seriously the immense responsibility of caring for our customers’ data. Buto has a team of professionals dedicated to our compliance and to helping you maintain your compliance when using Buto.

If you would like more information or have follow-up questions please reach out to us at

You can find a copy of our Privacy Policy here

Buto London

Level 6

125 Old Broad Street



Buto Birmingham

Studio 11

50-54 St Paul's Square

Jewellery Quarter

B3 1QS