Questions? Feedback? powered by Olark live chat software



13.11.2017 - by  John Clough


General Data Protection Regulation (GDPR) is the new European wide standard for processing data. It comes in to force on 25th May 2018. It builds on existing national legislation and, where necessary, enhances it.


Key Points

(1) GDPR applies to all companies processing personal data or European citizens;

(2) It widens the definition of personal data to include any identifiable data, including for example, biometric data or IP address;

(3) There are new rules for obtaining valid consent from individuals to store and use data that relates to them;

(4) Personal data should only be held for as long as necessary. The subject has a right to be forgotten;

(5) Those processing data on behalf of organisations are now liable for correct processing activities, whereas previously only the data controllers were liable;

(6) GDPR requires that privacy is included in systems and processes by design;

(7) All businesses processing personal data must appoint a Data Processing Officer (DPO);

(8) GDPR requires data controllers to assess privacy risks to individuals ;

(9) In the event of a breach the relevant supervisory authority must be notified within 72 hours;

(10) GDPR restricts the transfer of personal data to countries outside the European Union;

(click here for detail)


Requirements of your IT infrastructure

Section 2, Data Security, Article 30: Security of Processing states3:

1. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;

c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing


What you need to do to prepare

(1) Ensure that all decision makes are aware of the change in the law;

(2) Document what personal data you hold;

(3) Review privacy notices and plan for making necessary changes;

(4) Check procedures to ensure they cover individuals rights;

(5) Update procedures for how you will handle Subject Access Requests;

(6) You should identify the lawful basis for your processing activity in the GDPR;

(7) You should review how you seek, record and manage consent and whether you need to make any changes;

(8) Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity;

(9) Make sure you have the right procedures in place to detect, report and investigate a personal data breach.;

(10) Appoint one or more Data Protection Officers;

(11) If you operate in more than one EU state you should identify your lead data protection advisory authority

(click here for detail on how to prepare)

Category Compliance


© 2016 Harwood Brittain Technology Ltd


Follow and connect with us