GDPR – what you need to know


The General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. GDPR creates new requirements for organisations that process the personal data of people in the EU and allows supervisory authorities to impose fines of up to €20 million or 4% of annual global turnover, whichever is higher.

“We’re all going to have to change how we think about data protection.”

Elizabeth Denham, Information Commissioner

Who is affected?

GDPR applies to any organisation, wherever it is established, that processes personal data about individuals in the EU in connection with offering them goods or services or monitoring their behaviour; UK organisations are therefore squarely in scope.

The big picture

The General Data Protection Regulation (GDPR) replaces the inconsistent data protection laws currently in force across the EU's member states with a single set of rules, and is intended to allow data to flow freely and securely between them.

The outgoing Data Protection Act 1998 predates much of the technology now used to collect and process personal data, and much of it has become obsolete as a means of protecting people.

GDPR aims to create a level playing field across Europe so that everyone has the same rights with regards to their personal data.

The good

Implementing the GDPR requirements effectively will strengthen customer trust and confidence, since the reputational damage of suffering a data security breach is extremely costly. In the long term, GDPR is a necessary step to safeguard the public's privacy and security rights in an increasingly digitised world.

GDPR is an opportunity to organise and refine databases.

The bad

For businesses, GDPR imposes more restrictions on what they can do with data for commercial benefit. The structural changes needed to comply can also cost millions of pounds.

Why is this happening?

As the economy becomes increasingly digitised, companies are holding enormous amounts of highly sensitive personal data, and this data is gold dust to cyber criminals. The fact that EU countries currently have different, and sometimes conflicting, laws creates opportunity for cyber criminals.

Cyber security is a hot topic in a world increasingly rife with cyber-attacks. It doesn't just affect big businesses (and their customers). Whilst people may be talking about the NHS, TalkTalk and Carphone Warehouse, smaller businesses are increasingly being targeted.

74% of UK SMEs had a security breach in 2016.

Data privacy has become a priority for both businesses and individuals. Growing public awareness of data security and privacy is raising questions about how data, which is being produced at an exponential rate, is actually collected, processed and stored.

Rapid technological advances have commoditised personal data, with GDPR set to change that with a standardised approach to data protection.

GDPR Breakdown

Consent

The intended use of the data must be made clear at the point of collection. In obtaining consent, companies cannot rely on misleading or buried terms and conditions. Consent must also be freely given: it cannot be made a condition of a service that does not actually need the data, so tactics such as "provide us your email address to download this ebook" will need to be reconsidered. Furthermore, it must be as easy to withdraw consent for the use of personal data as it is to give it.

Breach notification

In the event of a personal data breach, the data controller must notify the supervisory authority within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken to address it. Data processors must notify their controller without undue delay, and where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. A breach discovered late on a Friday afternoon still starts the clock, so meeting this deadline will be difficult if the right procedures aren't already in place.

Right to access

Data subjects have the right to obtain confirmation from the data controller of whether their personal data is being processed. On request, the data controller must provide a copy of that data, free of charge and normally within one month, together with information on why it is being used, who it is shared with and how long it will be kept; where the request is made electronically, the copy should be provided in a commonly used electronic form.

Right to be forgotten

When the data is no longer necessary for the purpose it was collected for, or when the data subject withdraws consent and there is no other lawful basis for keeping it, data subjects can require the data controller to erase their data. The right is not absolute: data that must be retained to meet a legal obligation, for example, is exempt.

Data portability

This is another right for the data subject. It allows an individual to obtain the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to reuse it for their own purposes or have it transmitted to another controller.

Privacy by design

This calls for data protection to be built in from the outset when designing systems, by implementing appropriate technical and organisational measures (for example pseudonymisation and data minimisation) and by ensuring that, by default, only the personal data necessary for each purpose is processed.

Data Protection officers

A Data Protection Officer with expert knowledge of data protection law and practice must be appointed by public authorities, and by organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of personal data. The requirement is based on the nature and scale of the processing, not on headcount.

Avoid Reputational Damage

As well as the monetary loss, the reputational damage caused by being found in breach of the incoming GDPR would be significant.

Written by Elizabeth Sheldon

ISMS Scheme Manager. Experienced Senior Lead Auditor with a demonstrated history of working in the information services industry. Skilled in ISO 27001, ISO 9001, ISO 14001 and ISO 45001.