One Year to go: The Road to GDPR Compliance


A year from today (on 25th May 2018) the General Data Protection Regulation (GDPR) will come into force in the UK (and across Europe) and replace the UK’s own Data Protection Act 1998.

According to the Flavourfy Digital State of Data Security in Dorset 2017 survey, 51% of the county’s businesses are yet to start thinking about their approach to the GDPR, and we get a sense that this is probably a good indicator for the whole of the UK. Worryingly, it is also being reported that a quarter of UK businesses have suspended their GDPR compliance plans because they think it won’t be relevant as the UK is leaving Europe. That is not true: the UK will Brexit around a year after the Regulation becomes UK law, and the GDPR is likely to remain a key part of UK legislation post-Brexit too.

So, if you haven’t already started thinking about your business’s own journey to compliance and how your business will be impacted by the GDPR, now’s probably a good time to start. To get you on your way we’ve summarised the top 10 changes that the GDPR will bring to most businesses across the UK on 25th May 2018.

1. Scope

As well as the Regulation applying to the whole of Europe, it extends the data protection principles to data processors, those organisations that process data on behalf of other organisations (the data controllers).

2. Definitions

Whilst not a big change, the GDPR does extend the current definition of personal data to explicitly include online identifiers. So, if you’re wondering whether an email address, an online username/nickname or an IP address is personal data, now there’s no doubt.

3. Children

The GDPR introduces new rules which will impact businesses whose services and products are of interest to children. Not only will they now need to verify the age of the data subject (for the data they’re collecting), but they’ll need to seek guardian consent and provide information and privacy notices which can be understood by a child.

4. Consent

This is probably the biggest issue for most businesses. The whole consent mechanism is changing. At the points where businesses collect data they will need to provide clear messaging about the purposes of collecting the data, only allow for positive opt-in (no more “untick this box” or implied consent) and record how and where they collected consent.

5. Individuals’ Rights

The Data Protection Act already provides comprehensive rights to data subjects around the use of their data (e.g. subject access requests and the right to withdraw consent for marketing), but the GDPR introduces a couple of new rights: the right to be forgotten and the right to have your data exported in a machine-readable format (so it could be used elsewhere).

6. Documentation

Businesses with over 250 employees, or those with fewer than 250 employees that carry out high-risk processing, are required to record their processing activities and processes.

7. Data Protection by Design

Currently Privacy Impact Assessments (PIAs) are an ICO best practice, but under the GDPR all businesses will need to be able to demonstrate that they have carried out impact assessments on the data protection and users’ rights implications of all new services and technologies.

8. Data Protection Officers

Large businesses and those who process large quantities of data will have to employ (either directly or outsourced) a Data Protection Officer, an individual responsible, at Board level, for GDPR compliance across the business.

9. Breach Notifications

The GDPR requires all organisations to report certain types of data breach (those where there is potential for harm) to a supervisory body and, in some circumstances, to the data subjects themselves.

10. Fines

Fines for organisations found to be in breach of the rules of the GDPR can be as high as 4% of global turnover or €20m, whichever is the higher.

So, if you’re looking at that list and thinking you could be impacted, now’s the time to start thinking about a plan of action, which will need to cover preparing your business, auditing your data and systems, and reviewing and updating your company policies. Your approach to the ongoing management of data protection across your business will also be changing.

And remember, you can always sign up to the Digital Compliance Hub for help with reaching compliance within the deadline.
