GDPR – 93 days to go!

As I prepare to go on the radio tomorrow, to discuss GDPR with a panel of other ‘experts’, I have been considering my experience so far.

Views on it seem to vary widely from a complete ignorance about it to the attitude that it’s just another Y2K, to complete panic.  Whilst no one really knows what’s going to happen when, on 25 May, the ICO starts to regulate and penalise companies who are in breach of the rules, it does seem dangerous to do nothing.

My previous blog covers the advantages to you, the individual, and this alone could mean the ICO will experience a number of whistleblowing situations from individuals who feel they’ve had their rights breached.  Having recently recruited a further 200 people, the ICO will almost certainly be ready to investigate these situations.

On Monday I posted an article published by ( suggesting that a high percentage of people are likely to exercise their right to be forgotten as they’re concerned about the safety of their personal data. 

Another thing that struck me is how people seem to be fixated on obtaining ‘consent’ to hold data, as if it were the only ‘lawful’ reason for holding it.  Of course, for most people that will be the best reason to hold it, and it is certainly preferable where practical.  But it shouldn’t be forgotten that there are a total of six lawful reasons for holding data, so, before you launch a huge campaign to obtain consent, consider whether it is actually necessary.

Most companies already have measures in place to comply with the original Data Protection Act, and their main aim will be to tighten the practices they already use.  For others, it might take a bit more thought.  Either way, getting someone like me to go through everything with you will make everything clear, get it recorded in a policy and help you to be compliant before the May deadline.

What is this ‘GDPR’ people keep talking about?
As I’ve been networking over the past couple of weeks I’ve had numerous conversations with people asking me about GDPR.  People have heard a number of rumours about it and over the next few blogs I intend to unpack some of the confusion.

So what is it?

GDPR stands for General Data Protection Regulation.  A regulation is a set of specific requirements or enforcements, and, in this case, they are set out to protect an individual’s data.  Whilst it is an EU regulation, it is something that the UK will be adopting regardless of Brexit, so, for the purpose of this blog, any reference to EU citizens includes the UK.  The regulation comes into force on 25 May 2018, by which point all companies need to be compliant.

Who does it affect?

The short answer is all companies, worldwide, that process personal data of any EU citizen.

This will harmonise data privacy laws across the EU and give an individual more control over what happens to their data.

What is the definition of ‘personal data’?

GDPR considers ‘personal data’ to be anything that can be used to identify an individual.  This includes genetic, mental, cultural, economic and social information.

Surely this is just another way of presenting the Data Protection Act (DPA)?

There are key differences between GDPR and the DPA, and a key one to note is that the DPA is a UK act only, whereas GDPR is an EU directive ensuring consistency across all EU countries.

Other differences are set out below:

  • Non-compliance with the DPA can result in fines of up to £500k, or 1% of annual turnover; under GDPR these fines could be up to €20m or 4% of annual global turnover.
  • Companies of more than 250 employees will need to assign a Data Protection Officer to ensure compliance.
  • Under the DPA businesses are not obliged to report data breaches. With GDPR any data breach must be reported to the Supervisory Authority within 72 hrs of the incident.
  • Under GDPR an individual will have the right to have their data permanently deleted from all databases, including web records etc.; there is no such requirement under the DPA.
  • Where the DPA didn’t necessarily require an opt-in for data collection, with GDPR this will be required, along with clear, transparent privacy notices. Consent must be able to be withdrawn at any time.

Interested in knowing more?  Look out for my blog on Wednesday setting out what actions you need to take now.

Or check out the following sites:

GDPR: I’m confused! 9 actions every business needs to take now!

I’m a small business, do I need to do anything?

Yes, you do!  You need to be ready by 25 May 2018 as no business is exempt.

Some of the regulation is still being agreed; however, here are the actions you can take now, bearing in mind the individuals’ rights under GDPR:

  • Appoint a Data Protection Officer if you are a firm of 250 people or more.
  • Document what data you hold. Where did it come from?  What is it used for?  Where is it held?  Note: if you use cloud-based systems, you need to identify where that cloud is hosted.
  • Review your privacy notices. Are there any changes you need to make?  Note: these can no longer be embedded in your terms and conditions, but need to be somewhere more visible.
  • Identify the legal basis on which you are holding the data. Is it necessary?
  • Did you ask the individual for permission to hold their personal data? Review your processes for obtaining data.  Do you specify what you’d use their data for and ask them if you can use it for that purpose?  Can you prove you have permission to hold their data and use it for the purposes specified?  Is the data up to date and accurate?  If you answered ‘no’ to any of these questions, you will need to run an exercise to obtain permission from your clients to hold their data.  Consider how you will do this going forward.
  • Update your procedures to ensure they cover all individuals’ rights, including how you would delete personal data or share it electronically. What is your procedure for handling requests for access to data?
  • Data breaches: you need to have a procedure to act on these, as all data breaches need to be reported to the Supervisory Authority within 72 hrs.
  • Do you carry out Data Protection Impact Assessments? These will be a requirement under GDPR, so, if you don’t already do so, you need to bring in a policy for doing so and start acting on it.
  • Children: if you hold data on children, you need to identify the age up to which you need parental consent.
Overwhelmed?  Give me a call on 0845 869 0141 or use the ‘contact me’ form on this site.  I can help!
For more reading:

Click to access preparing-for-the-gdpr-12-steps.pdf
So how does GDPR affect me as an individual?

What are the rights of the individual under GDPR?

Whilst my other posts have focused on what you, as a business owner, need to do to be ready for GDPR, I thought it would be good to remind you of the benefits of GDPR for you as an individual:

  • You will be able to request access to your data, and companies will be obliged to provide it, provided the request isn’t deemed to be manifestly unfounded or excessive (primarily meaning repetitive). The company will need to specify why they refuse if they do so.  Previously a £10 charge would have been made for any request of this nature; however, this is no longer acceptable.  You should expect to receive that data securely; however, where a large amount of data is requested, you should expect to specify your requirements.
  • To have inaccuracies corrected. Data should be reviewed by companies on a regular basis and updated for any inaccuracies.
  • To have information erased. Just because you signed up for a newsletter once doesn’t mean you have to continue to receive it.  With GDPR you have the right to have your data removed from the distribution list and deleted entirely from the company’s systems.
  • To prevent direct marketing. We all hate it, right?!!  With GDPR you can determine what marketing you’re happy to receive and what you don’t want any more.
  • To prevent automated decision-making and profiling. So what does this mean?  The definition I found stated that it’s ‘an automated decision made following processing of personal data where no humans are involved in the decision-making processes and where the automated decision can have a significant impact on the individual (ie where the decision relates to job performance or creditworthiness etc)’.
  • Data portability, ie the right to your own data in order to use it for your own purposes across different services.