According to recent research, many companies are still unprepared for the GDPR, which applies from next Spring. All businesses that process personal data, regardless of size, must comply or face significant consequences. Failure to meet the legislative obligations can lead to damaging penalties, but, just as importantly, it is in every business owner’s interest to get data protection right and to safeguard the security of its systems and data.
So what is the GDPR?
The EU General Data Protection Regulation (the GDPR) replaces the 1995 Data Protection Directive, which in the UK was implemented by the Data Protection Act 1998. It harmonises data protection law across the EU single market, which in turn facilitates the free movement of personal data between the member states. The new legislation gives individuals more control over how their data is used and stored and strengthens privacy protection for everyone in the EU.
The GDPR came into force on 24th May 2016, but businesses have until 25th May 2018 to comply. Despite the UK triggering Article 50, the GDPR will apply in the UK until the UK actually leaves the EU, and it seems likely the UK will retain its provisions after Brexit. In fact, the Queen’s speech confirmed the UK’s plans to introduce new data protection rules in a Data Protection Bill alongside the GDPR, to give the UK the “ability to share data with other EU member states … after we leave the EU”. So there is no longer any doubt that businesses need to be ready for the GDPR.
Controller vs. processor
The new legislation applies to ‘controllers’ and ‘processors’ of personal data relating to individuals in the EU, so the chances are your business will be required to meet the GDPR standards wherever you are based. Depending on the nature and scale of your processing (for example, large-scale monitoring of individuals or processing of sensitive categories of data), you may also need to appoint a Data Protection Officer.
- Controller – determines why and how personal data is processed, e.g. a small business building a database of sales leads, or a housing association holding records of its clients.
- Processor – handles and works with the data on the controller’s behalf, e.g. a third-party agency creating and mailing a direct marketing campaign.
It’s important that your business has proper guidelines in place to ensure the security of all stored personal data, as under the GDPR both controllers and processors can be held accountable for data breaches. A robust policy or framework that can be cascaded to all relevant areas of the business is a must, together with a process for regularly ‘testing, assessing and evaluating’ the effectiveness of those security measures.
Once the legislation applies next May, all data controllers must process personal data “lawfully, fairly and transparently” and only for specified purposes; once those purposes have been fulfilled and the data is no longer required, it should be deleted. We can help you define what “lawfully and transparently” means for your business and put processes in place to ensure you are fully compliant with the GDPR ahead of the deadline.
Under the GDPR, every processing activity needs a lawful basis. Where that basis is consent, the consent must be active (an explicit opt-in rather than a failure to opt out), it must be as easy to withdraw as it was to give, and individuals can withdraw it (or unsubscribe) at any point. Individuals can also request that personal data held about them be deleted under the ‘right to erasure’ (often called the ‘right to be forgotten’), subject to certain exceptions. Breaching these requirements could incur a penalty of up to 4% of global annual turnover or €20 million, whichever is higher, so it is vitally important that businesses are on board with the requirements of the GDPR.
What is ‘personal data’?
Anything deemed ‘personal data’ under the Data Protection Act 1998 still qualifies as personal data, but the definition has been expanded to expressly include online identifiers such as IP addresses and cookie identifiers, along with any other information which could be used, directly or indirectly, to identify an individual.
Individuals can request access to any personal data you hold about them, including why it is processed, who it is shared with and how long it will be kept, and the request must generally be answered within one month. They may also ask for inaccurate or incomplete data to be corrected. A cloud-based service such as Microsoft Office 365 with online backup can be deployed to provide a platform with flexible storage and retrieval to support these requests.
The GDPR aims to improve the security of individuals’ data, so a robust system for data protection and backup is key. If you suffer a personal data breach that is likely to result in a risk to individuals, you must notify the Information Commissioner within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to those individuals you must also inform them without undue delay. Failure to meet these obligations could result in fines of up to 2% of annual worldwide turnover or €10 million, whichever is higher.
The GDPR Assessment
We can assess your security requirements and deploy cost-effective IT security measures to protect your data from the threat of hackers and malware. If you’d like to discuss how M2 can help you prepare for the GDPR, speak to a member of the team on 01293 871971 or email firstname.lastname@example.org