On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force, with the purpose of strengthening and unifying data protection for individuals. The GDPR also governs the transfer of personal data outside the EU where that data relates to people in the EU. In the UK the GDPR will be overseen by the Information Commissioner's Office (ICO).


The General Data Protection Regulation is a catalyst for change. With the increase in data breaches reported in 2016 it should be no surprise that there is a need for greater data protection in our increasingly interconnected world. The changes matter because the GDPR adds accountability to its principles: an organisation must not only comply but be able to demonstrate that it complies. If a company is found to be careless in its management of personal data, the company itself, as data controller, is held accountable and may be fined.


The preparation stage for GDPR is essential. It allows you to determine what personal data on EU individuals you hold, where and how it is kept, and to set policies for how that data will be collected, managed and erased. A good starting point is refreshing consent: any requests to re-confirm consent MUST be sent before the GDPR takes effect, because after 25 May 2018 an email asking someone for consent is itself a marketing email sent without consent.


As well as protecting data, the GDPR requires that it is stored securely, and an unlocked filing cabinet will not do. The regulation covers paper filing systems as well as digital records, but physical records are harder to secure and easier to remove unnoticed. Storing information digitally lets organisations apply access controls and logging to track which data is accessed, by whom and when, something that cannot realistically be done on paper. Although logging is not mandated in so many words, it is one of the clearest ways to demonstrate the accountability the ICO expects.


People must be opted in! Under the GDPR there are additional things you must tell those you contact. For example, you must explain the lawful basis on which you are processing their data. Contacting anyone who has not chosen to opt in will be against the law and will have consequences, so don't learn the hard way!


People who opt out may also exercise the right to be forgotten, in which case the data you hold on them must be erased unless you have another legal ground to retain it. If someone does get in touch, you must act on the request without undue delay and at the latest within one month of receipt.


If you suffer a personal data breach that is likely to put people's rights at risk, new rules mean you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Within that deadline you report the nature of the breach, the approximate number of people affected and the measures you are taking. Where the breach is likely to result in a high risk to those people, they must be told without undue delay as well, which may mean contacting them before the report to the ICO is complete.


There are serious consequences if a business fails to meet the requirements of the GDPR. Under the GDPR, the ICO can impose fines of up to 20 million euros or 4% of a company's global annual turnover, whichever is higher. For less severe infringements, the maximum fine is 10 million euros or 2% of global annual turnover, again whichever is higher.


Let's address Brexit. Although Britain is leaving the EU, this does not mean the GDPR will not come into effect here. Brexit is scheduled for March 2019, and until then we are all still EU citizens. For the period after we leave, the British government has already proposed a new Data Protection Bill that will enshrine the substance of the GDPR in British law.


A number of organisations will need to appoint a Data Protection Officer. These include public authorities, businesses whose core activities involve large-scale, regular and systematic monitoring of individuals, and companies that process special categories of personal data (such as health or biometric data) on a large scale.


Many people think of the GDPR in a negative way. The truth is that the General Data Protection Regulation has been put in place to benefit people, keeping their information private and their voices heard. Realistically, the rules are relatively straightforward: know what data you hold, have a lawful basis for using it, and respect the wishes of those who do not want to be contacted. In practice, the GDPR should strengthen the relationship between a company and its customers. No time is wasted chasing people who are not interested, and there is no resentment caused by unwanted communications. The result is a healthier relationship between businesses and individuals.