General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (EU GDPR) is one of the most important changes to data privacy in 20 years. It's an act which will affect businesses of all shapes and sizes so make sure you're prepared.

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the result of four years of preparation and debate by the EU to bring data protection legislation in-line with how data is used within businesses. It has been designed to protect and empower the data privacy of all EU citizens and to reshape the way businesses approach data privacy. 

When does GDPR come in to effect?

The regulation will be directly applied to all EU member states on 25 May 2018. Regardless of Brexit, all UK organisations handling personal data will need to comply with the General Data Protection Regulation.

How will it affect me and my business?

It applies to 'controllers' and 'processors' of data. A controller states how and why personal data is processed, whereas a processor handles the overall processing of the data. This applies to all data sourced from inside the EU - even if the controllers and processors are based outside the EU, the General Date Protection Regulation still applies.

At the moment, the UK relies on the Data Protection Act 1998 (DPA) for best practice use of data which imposes a maximum fine of up to £500,000 when breached. This will be superseded by a new DPA which enacts the requirements of the GDPR, enforcing fines of an upper limit of €20 million or 4% annual global turnover - whichever is the highest, if seriously breached. This could make the threat of insolvency, or even closure, all too real for many businesses so it is essential to prepare now.

How to prepare for GDPR

  1. Make sure that key players in your organisation are aware that the laws of data protection are changing
  2. Document the personal data you hold, where it came from and who you have shared it with
  3. Review current privacy notices and plan for making the necessary changes in time for the GDPR implementation
  4. Check your procedures to ensure they cover all the rights individuals have
  5. Update procedures and plan how you will handle data access requests
  6. Identify the lawful bias for your processing activity in the GDPR, document it and explain it by updating your privacy notice
  7. Review how you seek, record and manage consent
  8. Think about if you need to put systems in place to verify ages or obtaining parental / guardian consent
  9. Ensure you have the right procedures to detect, report and investigate breach of personal data
  10. Adopt a privacy by design approach and orchestrate a Privacy Impact Assessment (IPA)
  11. Designate a member/s of the team to take responsibility for compliance
  12. If you have establishments in more than one EU member state, determine which state your main establishment is so a lead data protection supervisory is allocated

GDPR workshops coming up

Proctor+Stevenson presents We Love GDPR - Thursday, 25 January 2018

SW Development Directors Forum hosts GDPR: charity case studies - Wednesday, 31 January 2018

How we can help

The Information Commissions Officer (IPC) will be assisting businesses and public bodies to meet the requirements of the GDPR ahead of May 2018. And we're here to help too - we can help answer any questions you have about GDPR and build on providing relevant information, advice and support with best practice to local businesses across the South West.

Read related guides, events and advice on GDPR below...

  • Let us help you

    By registering your interest, we'll be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business

  • Let us help you

    Receive further information about the GDPR and how it will affect your business 

  • Sign up to access our free business guides and resources