GDPR – Time to act

The General Data Protection Regulation is nearly a year away and many businesses still don’t know what it is, why they need to follow it and when it happens. This means that businesses are still potentially putting themselves and the data they host at risk but also risking fines that could be put small businesses into administration.

What is GDPR?

GDPR or the General Data Protection Regulation is an EU regulation intended to unify and strengthen data protection across the European Union. The regulation comes into effect in May 2018.

Aren’t we leaving the European Union? Surely this doesn’t matter!

Well this is the funny thing about Article 50. It lasts for 2 years and during this time the UK must abide by all laws the EU set out. The current UK Government have proposed that in the short-term post Brexit the UK will continue to operate EU laws and will revise them over time. Either Brexit might mean Brexit but it doesn’t mean dodging GDPR.

What is in the regulation?

In short GDPR augments the Data Protection Act 1998 by harmonising data protection law across the EU. In summary, the regulation is as follows

- Defines ‘personal data’ – Any information relation to a person who can be identified, directly or indirectly. This could be an IP address, a name, a number plate or address.

- Defines ‘data controller’ and ‘data processor’ – Simply, the ‘Data controller’ decides what the data should be used for and the ‘data processor’ is responsible for performing the what the data controller has defined it should be used for.

- Suggests the types of security that should be used but stops short of enforcing technology such as cryptography (encryption) to protect data.

- Suggests processes for ensuring high levels of security

- Introduces large fines if you do not follow the rules.

- Requires all organisations to have a Data Protection Office, a person to champion data protection and ensure processes are followed to ensure data is protected.

- Provides a legal basis for consent

- Information must be provided opening to disclose exactly what information that is collected is used for.

Who can be a Data Protection Officer?

The regulation does not require a full-time member of staff to be Data Protection Officer, it can be a contractor, which should come as a relief to many small business owners. However, all businesses that handle data of any kind to have one. This person(s) role will be to champion and police data protection processes and ensure they are followed. The ideal candidate should have good grasp of data protection law and many courses are available to bring staff up to date with all the legislations.

Where do we start?

The best place to start is to look at your business and the data you hold. Ask yourself, whether it should be considered identifiable, this could be customer data this could be your employees, in which case the latter is identifiable. Then consider how you store it, who has access to it, do they need to? Are you using it for the purpose it was intended?

These are some of the basics but it’s vital to ensure that you follow these guides. To read the full regulation please visit the