The General Data Protection Regulation

You may have heard about GDPR, but if you have not, you need to get up to speed!

The General Data Protection Regulation (“GDPR”) comes into force on 25 May and brings in significant changes in how personal data has to be managed by businesses, with significant penalties for failures.  A recent survey showed that nearly one third of directors were unaware of GDPR and its impact.

The first point is that GDPR will apply to all businesses; there are no exemptions from the rules.  Businesses of any size that process data, even on paper, will need to keep records of how they handle their data.  We struggle to see how any business does not handle data, whether it is client/customer details, employee information, a black book of contacts, etc., so the regulations must apply to every business.

The main shift is that the new law will give more rights to individuals and make companies that use that data more accountable.  If you read Harbour Key’s updated terms and conditions, you will note they reflect the changes in respect of client information.

As a quick introduction to the regulation, we have set out below the five most frequently asked questions to the Federation of Small Business:

What is GDPR?

It stands for General Data Protection Regulation and, from 25 May 2018, will be the main law on collecting and processing personal data.  It will come into effect across all EU member states and is an EU-driven regulation.  The UK Government is enacting the legislation via the Data Protection Bill, which is currently going through Parliament, so Brexit will not have any impact on the new regulation nor prevent it being introduced.

How is GDPR different from current regulations?

Individuals have more say in how their data is used.  The Information Commissioner’s Office (ICO) can impose increased penalties and fines, with a maximum limit of £20 million or 4% of annual turnover, whichever is higher.

What do businesses need to do?

Any business (which will be every business) which processes personal data, whether online or offline, needs to conduct a review to understand what and how much data it holds.  The review will include:

  • how it handles the data it holds,
  • how and where it is stored,
  • whether it is shared with third parties and
  • whether the data is needed.

As part of this review, an initial step would be to conduct an impact assessment to map out what personal data is held and how it is used, which can generally be divided into three parts:

  1. How employees control and process data
  2. How your business acquires personal data and how it is stored
  3. A risk assessment of how personal data could be put at risk, for example by cyber-attack, taking personal information offsite, etc.

The business needs to ensure that it has taken appropriate steps to avoid a security breach, defined by the ICO as anything that could lead to the destruction, loss, alteration, or unauthorised disclosure of or access to the data.  If there is a security breach, it must be disclosed to the ICO within 72 hours of becoming aware of the breach.

What is a Data Protection Officer?

A data protection officer (“DPO”) is responsible for overseeing the business’s data protection strategy and implementation to ensure compliance with GDPR requirements.  A DPO is a legal requirement for a business employing more than 250 employees, or any business that processes very large amounts of personal data.  Although you may not legally have to appoint a DPO, it is good practice to appoint someone to oversee the GDPR implementation and monitor processes going forward.

This is only a brief summary, and we at Harbour Key are not experts; we are learning as we implement our own processes.  You will note that you are being asked to re-sign up to our newsletters, and to accept the statements we make about the use of your information when you sign up, as mentioned above with regard to our revised standard terms and conditions.

The ICO has produced a 12 step guide to preparing for GDPR, which can be found at