Demystifying GDPR

Change is on the horizon

(Photo Credit)

If you wish to print or share THIS then you can download a PDF version here : Demystifying GDPR

On 25th May 2018, GDPR will come into full force across the EU

The General Data Protection Regulation is a huge new piece of EU legislation – one of the biggest and most significant changes to privacy legislation in the history of Europe. Long overdue, it constitutes a comprehensive overhaul of the EU’s aging and outdated data protection laws, which were enacted in a time when modern advancements such as cloud technology, cookieless tracking and mobile browsing had not yet allowed for new ways of misusing and exploiting data. Specifically, GDPR will replace the current Data Protection Directive from 1995. Subject to much discussion and controversy, thousands of amendments were proposed along the way. GDPR was officially adopted in April 2016, and will have broad and far-reaching impacts on technology and businesses processes, both in Europe and further afield. Regardless of Brexit, the regulations will have a substantial impact on British organisations and remain relevant.

GDPR aims to strengthen data protection for all people within the EU, reinforcing the European notion that privacy is a fundamental human right. This law will reshape the way organisations approach governance of data while simultaneously giving people more control over how their personal data is used. It will also harmonise data privacy laws across the region (where previously each member country had its own set of rules), meaning that businesses will have a clearer, simpler legal environment in which to operate. All individuals and companies involved in the use of data in the context of selling goods and services to EU residents will have to abide by GDPR, regardless of where in the world they are located. GDPR applies to both data controllers and data processors, as well as to organisations who monitor the behaviour of EU data subjects. The regulations will be implemented by May 2018, when the grace period for compliance will come to an end. Furthermore, enforcement of this legislation is going to be robust, with considerable penalties for non-compliance. These penalties increase along a tiered scale in relation to the seriousness of the violation. Organisations who breach GDPR face fines of up to €20 million, or 4% of their previous annual global turnover – whichever is higher – meaning that the potential for loss of revenue is severe.

In order to understand what GDPR means for individuals and companies, its key aspects must be highlighted. The major standout points of GDPR cover several major areas, including a number of new individual rights which are codified under the legislation.

Key Points

  • Right to access – An individual has the right to access their personal data, have it changed or corrected, and be informed of how it is being processed. “Personal data” covers PII (Personally Identifiable Information) such as name, address, contact information and bank account numbers, as well as data profiles (interests, buying patterns and habits) and lists of associated devices. Data subjects are also entitled to know how long their data is being stored for and who is able to view it.

  • Right to portability – An individual has the right to be given their data. Data controllers are obligated to provide an electronic copy of personal data to data subjects if requested, for free. This allows people to reuse their personal data for their own purposes and transfer it across different IT environments. Data must now be stored in commonly-used formats, and requested moves must be undertaken within one month.

  • Right to be forgotten – Also known as “right to erasure”. An individual has the right to have their personal data erased when it is no longer relevant to its original purpose. Data controllers are obligated to stop the distribution of such data if requested, and are responsible for informing other organisations to delete any copies (or links to copies) of that data.

  • Privacy by design and default – This requires data protection measures to be purposefully entrenched in the development of businesses processes and throughout daily operations within organisations. Going forwards, when it comes to implementing new procedures and products, data protection must be included from the very outset.

  • Breach notification – Organisations must inform their Supervising Authority of any data breaches they suffer within a 72 hour timeframe. Data controllers must also notify their customers of any risk of compromise. A personal data breach is defined as any breach of security which leads to unauthorised access or loss and destruction of PII.

  • Consent – When obtaining consent for the use of data, organisations must use clear and easily understandable terms and conditions. Companies which profile and track individuals must get the individuals’ explicit consent to do so. Withdrawing consent must be as easy as it is to give it, and consent must be active on the part of the data subject, i.e. opt-in rather than opt-out.

  • Data Protection Officers – Officers must be appointed to oversee data protection in all large organisations (over 250 employees) that engage in systematic processing or monitoring of personal data. These officers must be professionally qualified. DPOs will need expertise in security, project management and risk assessment in order to carry out their duties.


The clock is ticking. Start preparing for GDPR today.

So how can businesses ensure that they abide by these new rules and standards? They should begin by developing company-wide awareness of the law (at all employee levels), and allocating resources required for the compliance effort. Additional specialist staff or consultants may need to be brought on board.

Next, since good data hygiene is a central tenet of GDPR, businesses must become aware of what data they collect, how they use and manage it, and how this information flows through their organisational structure. Information audits, gap analyses and internal reviews of procedures and processes will need to be undertaken. Going forwards, maintenance of these systems will have to continue, as ongoing compliance is the overarching goal.

Becoming GDPR Compliant

Becoming GDPR Compliant

Notes and guidance on the right road to compliance

(Photo Credit)



With less than 200 days to go until GDPR becomes enforceable, the pressure is on for companies and other organisations to become compliant before the deadline of 25th May 2018. Alarmingly, there are recent signs that a significant number of businesses are still unprepared – in September 2017, a survey by law firm Blake Morgan found that 9 out of 10 businesses had still not made critical changes to their privacy policies, and in November, a survey conducted by trade body DMG Group revealed that 40% of marketers in the UK felt that their businesses were not yet ready. With the potential for towering fines and the scale of change required, companies must implement a plan for GDPR compliance as soon as possible.


Not everyone is aware of GDPR; outside of IT departments, individuals may know about the change but not appreciate how significant it is or realise the impact it will have. Initially, key people within an organisation – board members, management, decision-makers and resource allocators – should all be well-versed in what GDPR encompasses. Later, all employees should be brought up to speed through training across the business.

Data Mapping & Privacy Policies

As a foundational activity, companies must also become aware of what information they hold. All sensitive personal data stored should be documented, including details about its origin, where it is held and with whom it is shared. One way of doing this is through an information audit. This involves asking questions about how the business processes personal data and how client-facing representatives obtain customer details. Data mapping (the process of identifying, understanding and mapping out the data flows within an organisation) can contribute to the development of a comprehensive overview of these facts and findings. Since GDPR dictates that privacy information must be given to data subjects when their personal data is collected, it is imperative that companies take stock of their existing privacy policies and notices, and check if these will need to be updated.

PII & Access Requests

Further procedures requiring internal review will include those pertaining to the rights of individuals, and subject access requests. Indeed, all such processes and codes of conduct will need to be held up, critically examined and checked for adherence to GDPR. Comparing them in this manner will serve to highlight inadequate areas and identify any ‘missing pieces’ (a form of gap analysis). Businesses should carefully consider their system architecture and all relevant third party data processors. In addition, they will need to ensure that they are capable of swiftly responding any requests for Personally Identifiable Information (PII) i.e. access requests. Right to data portability (an enhanced form of subject access) is an entirely new right that will need to be accounted for; organisations should come up with a way of providing such data in a manner which meets common industry standards. The existence of a Subject Access Request Register is therefore an important box to tick here. It should be noted that for companies which process a vast quantity of requests, logistics may become an issue. In these cases it would be advisable to consider automation i.e. developing online access systems, in order to reduce administrative strain.

Consent & the Law  

A combined approach on both technological and procedural fronts will be key when it comes to achieving compliance, as there is no ‘magic bullet’ solution. Businesses should document their legal grounds for processing personal data; start keeping records of their assessments of these legitimate interests; and when consent is the basis for processing, ensure that it was captured in a compliant way. GDPR’s significant shift in the role of consent means that organisations will have to review their tactics relating to obtaining and recording consent. For many, it will mean a move away from their current opt-out consent models, and adopting the required opt-in approach. And when it comes to consent and children, special steps will also need to be followed – for example, privacy notices aimed at children will have to be written in clear and child-friendly language.

Data Breaches

Furthermore, recent high-profile data breaches show how critically important it is for businesses to reinforce their cybersecurity and ensure that they are equipped to handle any data breaches. Breach notification duty will be new to many organisations, but regardless they should adopt robust internal processes for detecting, reporting and investigating personal data breaches. This may involve implementation of enhanced incident response procedures, and investigating measures such as encryption, pseudo-anonymisation and data masking. It is highly recommended that companies create and maintain an internal breach register and identify their Lead Supervisory Authority (e.g. the ICO for U.K.-based companies). Protection Impact Assessments will also be valuable in this arena, particularly when it comes to high-risk situations.


A plethora of such assessments, toolkits, checklists, analyses and other preparation roadmaps are available on the market. Independent specialists with the right skills are now in high demand but short supply. This is because an essential stepping stone to becoming compliant for many larger companies will be to designate or employ a Data Protection Officer. DPOs can be from within or out with the organisation, but as it is such an important role, they must have suitable and relevant experience.

Different staff and different departments will have different roles when it comes to ensuring compliance. It is important to note that getting ready for GDPR cannot just be the remit of IT. There is no definitive way to prepare, and the aspects discussed here are by no means exhaustive. Firms will have to be thorough in devising a plan to tackle such issues, and adopt a multi-pronged strategy. Taking action and making GDPR preparation a top priority now will serve to protect against serious financial and legal consequences in the future.