Skip to main content

GDPR Part 1: Get Ready for GDPR

Published date: 03/05/2018 09:53


The European Union (EU) has changed its data protection rules. The changes are now law and they will go live across the EU on Friday 25th May 2018. These rules are called the General Data Protection Regulation (GDPR) and apply across the board from public authorities to small and medium-sized businesses. These will change the way we all do business. 

What is the EU data protection and what does it apply to? 

In the EU there are existing legal rules for the collection and processing of personal data. Anyone who collects or processes personal data must protect it from misuse and comply with a range of legal requirements. The GDPR upgrades the existing rules. 

The GDPR will apply to both electronic data (like emails and databases) and hard copies (with a few exceptions). 

Will businesses have to do more?


Yes. Every organisation will have more responsibilities and obligations under the new rules. In particular, organisations have to implement technical and organisational measures to make sure that they are processing data properly. To assess the right level of security you must consider the risks that presented by processing - especially from accidental or unlawful destruction. You will also need to be able to show the measures you have taken when a regulator asks you what these measures are. An important part of that is checking who you send personal data to - for example, you will also need to check the processes of people you work with like mailing houses, shredding companies and temp agencies. 

What kind of fines can my business face for breaching the rules? 

Under the new regime, data protection regulators can impose high fines for infringing the new rules - the highest level of fine is either a maximum of €20 million or 4% of the global annual turnover of a business, whichever is the higher. Although not every breach will result in the highest fine, getting fined is simply not an option - we must all make sure that we follow the rules. 

Has anything changed with the data transfers to third countries? 

Not really. Special existing rules about the transfer of data from the EU Member States to third countries (including the US) remain in place under the GDPR, including the requirement that those data transfers can only occur where an adequate level of protection is assured by these third countries. Under the new regime, these rules have in effect just become more detailed. This is a complicated topic that is also subject to development under the existing data protection rules which you should talk through your legal team. 

What should you do now? 

To do the work to be GDPR-compliant you must budget and plan resources (including IT). Also use your planning time well to adapt. The following are ten top compliance issues to start addressing: 


1Put in place a privacy impact assessment process - map your data and determine areas of risk.
2Thoroughly review vendor contracts - you will need your vendors' help especially in reporting security breaches very quickly and so make sure that you have the contractual rights to insist on this;
3Update systems and materials and prepare new detailed documentation and records ready for production for regulatory inspection;
4Review key practical aspects including data retention with all the data used by the business;
5Make sure you have plans in place to securely destroy data that you don't need;
6Ensure that new aspects such as explicit consent, the right to be forgotten, the data portability right, and, the right to object are all included in policies and procedures;
7Put in place a data breach notification procedure,including detection and response capabilities, and rehearse this like you would a fire drill;
8Consider appointing a data protection officer;
9Training, training, training - train staff on all of the above (data protectionregulators pay speical attention to this); and,
10Set up and undertake regular compliance audits in order to identify and rectify issues.

Now you are in the know, why not check out our GDPR Part 2 article. 

If you have any unanswered questions, you can find the new rules on the European Commission's website. 




There are currently no comments, be the first to comment.

Leave us your comment

You need to login to submit a comment. Please click here to log in or register.

Back to Article List