GDPR—what it is and why you need to act on it

20th February 2018

General Data Protection Regulation (GDPR) is set to replace the outdated Data Protection Act 1995. 

This legislation is in line with EU standards and will become law in the UK on 25th May 2018 despite our impending departure from the EU.

GDPR makes data protection more stringent and aims to strengthen the rights of individuals to protect their personal data.

Once GDPR comes into effect there will be a two tiered sanction in place for fines with lesser incidents subject to a maximum fine of €10 million or 2% of an organisation's overall turnover. The more serious incidents can result in fines of up to €20 million or 4% of a firm's overall turnover (whichever is greater). 

GDPR Definitions

There are two company definitions GDPR applies to: 

  1. The Data Controller—"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
  2. The Data Processor—"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"

You should define exactly which your firm would sit under. Remember, if you work with an external agency that handles your data and customers data, they will also need to be GDPR compliant.

You may also be obliged to appoint a Data Protection Officer, to be in charge of data management, breaches, procedures and compliance issues.

Your First Steps to GDPR Compliance

The main steps to take to adhere to this new legislation can be summarised as follows:

  • Awareness of GDPR – Make sure your key people know what GDPR is, how it affects your company and what the repercussions of being non-compliant can be
  • Compile a Data Inventory - GDPR affects all of the data you hold on customers and non-customers. Produce an inventory of all of the data you currently hold, how you get it and how it is shared with other entities
  • Communicate Privacy Information – review and make the necessary changes to your privacy policy. Remember to identify the lawful basis for processing personal data on this document
  • Prepare to Comply with Individuals' Rights – You need to have appropriate procedures in place in order to conform to the GDPR rights of individuals
  • Get Consent to Hold & Use Personal Data – You are obliged to have opt-in process and opt-out process in place for your customers and non-customers. GDPR states these processes need to be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. For instance, any website forms which involve individuals submitting their data will require an ‘opt in’ checkbox
  • Implement Data Breach Systems - As of 25th May all UK businesses will be required to notify the Information Commissioner (ICO) in the event of a data breach. You should implement systems to detect, report and investigate any breaches

Here’s where you get full GDPR information

It’s important to note that grey areas exist around GDPR and speculation as to how the ICO will be able to enforce the new legislation. 

It pays to prepare your business regardless of these outcomes. 

For more information on GDPR see the guide on the ICO website. There are also a few useful GDPR checklists on the website