The General Data Protection Regulation (GDPR) came into force in May, but many businesses are still in the dark about what it really means for them.

IT project management expert Tony Fleming addresses some of the key questions about the regulation and how companies can prepare for the new rules:

How does GDPR affect my business?

The European Union’s (EU) GDPR and the UK’s Data Protection Act (DPA) 2018 replaces legislation that, in this country was 20 years old. In fact, the legislation was so old it did not take account of the Internet, DNA testing or Cloud storage.

First of all, you need to be clear that the legislation affects all businesses irrespective of size – don’t think the law won’t apply if you’re a small business. It’s only the details that change.

The new regulation brings in several changes. The biggest change for companies is that they must demonstrate compliance. Before a lot of companies paid lip-service to data protection legislation.

Now, the Information Commissioner’s Office (ICO) will now look for evidence that businesses are taking what GDPR and the DPA call “appropriate technical and organisational measures” to look after data, including appointing a data protection officer (where necessary).

It also broadens the definition of personal data to include any data that can identify an individual or organisation. This includes a computer IP address or even a DNA sequence!

It’s worth noting that if your details are held on a database accessed by a reference number, the reference number itself becomes personal data – after all, it can be used to identify you.

Under the new rules, a range of new rights have been introduced such as the right to have – in some circumstances – your personal data transferred from one company to another (at the company’s expense). Also, the existing right to have data deleted in special circumstances is broadened to make it easier to exercise.

What do I need to do to ensure my business is GDPR compliant?

It might be better to call it GDPR ready; ‘compliance’ implies once you’ve done the work you will receive a rubber-stamp or certificate. However, the key steps to get you started are:

Knowing what you know – make out a list of the types of personal data you keep, where they are held and why you have them. This type of list is sometimes known as an information asset register and an example of a simple template is held by the Isle of Man government at (See page 10)

Hold onto what you need – do you really need all of the information? One of the key principles behind GDPR is that you should not hold onto data for longer than needed. If the law says you must retain it, then fine. Otherwise, be ready to justify holding onto the data and if you can’t do that, then consider deleting it. Saying to yourself that the data might come in handy one day doesn’t cut it.

Third-party contracts – if you pass personal data onto third parties, for example, for marketing purposes (or if you receive personal data), check the contract. Is it clear who the data controller and data processor are? Are both parties’ duties clear? This includes, securing the data, transferring the data, and notifying the data controller if there is a breach.

Be straight up – GDPR and the DPA both state that data processing must be fair and transparent. When you collect personal data from customers such as on a webform, do you tell them what you do with their data? Do you send it outside the EU? Do you share it? Who can they contact in your company to complain? The best way to do this is through a privacy notice that you can put on your website and include in your draft terms of business.

Consider registration with the ICO – I say ‘consider’ because not all companies that process data must register. However, the ICO has a useful online tool to help you work out if you need to register or not. Go to

What do I have to do in the event of a data breach?

Companies that own the data they are processing have a duty to inform the ICO of a serious data breach within 72 hours. Remember that the word ‘breach’ doesn’t just include being hacked but also loss or accidental disclosure.

The ICO sets out the details you should provide when notifying them of a breach and allows you to supply the information in stages if all the facts aren’t known immediately.

If you don’t own the data but are processing it for someone else (the controller) you have a duty to tell the controller in sufficient time to enable them to make the notification in the 72-hour window as well as providing the necessary details.

However, the key question is what is a serious breach? The legislation states that it is if the breach seriously interferes with the rights and freedoms of a data subject but there is no further guidance on the subject.

This is where the business will have to make its own assessment of the likely damage based on the facts (not on the answer they would like) and keep a record of the justification and reasoning if it is ever challenged.

Will Brexit affect GDPR?

In short; no.

The more detailed answer is that businesses should not hope that the UK’s departure from the EU is going to make GDPR go away. As mentioned before, GDPR is already embedded into UK legislation as the Data Protection Act 2018.

How the EU treats the UK under GDPR is still being negotiated but at this stage the one major difference will be where an EU company passes data to a company in the UK. The onus will be on the EU company to show it is taking steps to ensure its data is being processed securely in the UK.

One approved measure is the use of what is called “EU Model Clauses”. This is a standard data protection agreement (already approved by the EU Commission and downloadable from the Internet) that can be signed and put into place between the two parties.

Note that this is the bare minimum and depending on the type and quantity of data being passed, additional measures such as auditing, certification to recognised security standards and contract management meetings should be considered.

What are the consequences if I fail to comply?

The headline punishment often cited in the press is a maximum fine of €20 million or four percent of a company’s turnover (whichever is greater). However, this is only likely to apply for large-scale breaches and where there was flagrant disregard for data protection rights.

The important point though is that the original maximum fine of £500,000 from the ICO has now gone.

Complaints can come from any member of the public who feels that you have not complied with your obligations under the legislation and if the ICO upholds the complaint, then apart from any fine you also run the risk of reputational damage, through adverse publicity and how you are judged against your competitors.

Is your business ready for GDPR? Do you need help in getting up to speed with the new regulation? Call Tony Fleming on 07775 601969, email