What You Need to Know About GDPR


On 25th May this year, we welcome the arrival of GDPR – the General Data Protection Regulation.

As the first data protection law since the Data Protection Act in 1998, the GDPR will overhaul how organisations process and handle personal data in a more digital age. The regulation will bring great benefits to organisations and data subjects. However, those that fail to comply with it could suffer huge consequences.

The GDPR revisits the 20-year-old Data Protection Act, which was failing to keep up with advances in technology and the growing use of electronic data. The GDPR will introduce new data protection rights and strengthen existing ones, to ensure that all personal information is protected, stored and processed fairly. After four years of preparation and discussion, the GDPR was approved by the European Parliament on 14th April 2016 and is due to come into effect on 25th May 2018.

The new law affects all companies operating within the EU that collect and process personal data. All companies outside the EU that collect and process personal data from people residing inside the EU must also comply. According to the law, personal data includes any information that relates to a person and that can allow that person to be identified.

Consequences of a Data Breach

In the event of a data breach, organisations must act accordingly. The GDPR provides a framework for how data breaches must be handled, and sets out the consequences organisations face if they fail to comply:

• Data breaches must be reported to the affected individual without ‘undue delay’.
• Data breaches must be reported to the Data Protection Authorities within 72 hours.

In the event of a data breach, organisations can be fined up to 4% of their global turnover or £20 million, whichever is higher. Failure to report breaches could result in fines of up to 2% of annual turnover or £10 million, whichever is higher.

GDPR – A Basic Guide for Businesses

Individuals, organisations and businesses that collect, store and process personal data will be impacted by the GDPR. Here are some basic steps to ensure you’re prepared for the GDPR:

1. Carry out a general audit of your data. Investigate within the organisation: what data is stored, where it is stored, where it is sent, how it is processed, and how you communicate with data subjects.

2. Ensure that the company’s third-party providers are compliant with, and familiar with, the GDPR. Examples of third-party providers include health insurance, payroll and pensions.

3. Establish which individuals are protected by the GDPR and where they are geographically located. By mapping the geographical jurisdictions of your data subjects, you can build an inventory of the applicable laws for future use.

4. Employ a dedicated Data Protection Officer to oversee the company’s data storage and processing protocols.

5. Understand an individual’s right to information. Be proactive in responding to individuals’ requests to know how their personal data is managed and what is being stored about them. The time limit to respond to an information request is 30 days.

6. Provide relevant GDPR training for employees.

7. Have a good old clear-out of old, unused data by investing in a high-quality paper shredder.

Sam Rose