What every business owner should know about GDPR

posted by 5 years ago in Guide

In May 2018 the new General Data Protection Regulation (GDPR) will come into effect with the aim of giving people greater control over how businesses use their personal data. A 450 per cent rise in the frequency of the search term ‘GDPR compliance’ indicates uncertainty about what the changes will mean for businesses and organisations. So, if you have trouble remembering the last time you read a privacy policy, you may want to brush up on the basics…

What is GDPR?

It’s a comprehensive set of rules governing how personal data is collected, processed and stored. It exists to offer greater protection to consumers. If your business collects, stores or processes any form of personal data, then GDPR applies to you.

Why is GDPR being introduced now?

The regulation represents the biggest shake-up to data protection in more than 20 years. If you consider how radically the internet has changed the way we share and use data, it’s astonishing it’s taken this long! GDPR is an EU-led regulation. Despite Brexit, it will apply to all British businesses because the UK will still be a member of the EU when it is implemented in May next year.

What does GDPR mean for my business?

You’ll have to make some important changes to the way in which you deal with personal data in your organisation.

5 key areas are:

Consent

A clear affirmative action, either written or oral, must be given to indicate an individual’s consent for your business to process their data for each purpose.

Right to be forgotten

Customers’ data must not be stored indefinitely and should be deleted once it is no longer needed for the original purpose for which it was collected.

Rights to access data

If a customer requests a copy of their data, you must provide one without delay, and no later than one month from the request. In addition, the first copy requested must be free of charge.

Data breaches

If your organisation suffers a data security breach, you must report it within 72 hours.

Data protection

Encryption and pseudonymisation are terms not all of us are familiar with, but they matter under the new regulations, which take cybersecurity up a notch. Personal data must be stored securely. One way to achieve this is through encryption and pseudonymisation, so that the personal data can’t be traced to a specific individual without additional information.
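To make “can’t be traced without additional information” concrete, here is an added illustration (not part of the original guide) of pseudonymising a customer record: direct identifiers are replaced by keyed HMAC values, and the secret key, held separately from the stored data, is the additional information needed to link a record back to a person. The record, the field names and the key handling are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Fields that would let a stored record be traced to a named person.
# Assumed for this example; a real system decides this per data set.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable pseudonym for one identifier with HMAC-SHA256.

    Unlike a plain hash, the result cannot be recomputed from a guessed
    name or e-mail address by anyone who does not hold the key, so the
    stored data alone does not identify the person.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def matches(record: dict, field: str, value: str, key: bytes) -> bool:
    """Re-identification step: only a key holder can check whether a
    pseudonymised field belongs to a given real identifier."""
    return hmac.compare_digest(record[field], pseudonym(value, key))


# Constructed sample record; not real customer data.
SAMPLE = {"name": "Ada Example", "email": "Ada@Example.com", "plan": "basic"}

if __name__ == "__main__":
    # The key is generated and kept apart from the pseudonymised records.
    key = secrets.token_bytes(32)
    stored = pseudonymise_record(SAMPLE, key)
    print(stored)
    print(matches(stored, "email", "ada@example.com", key))      # True
    print(matches(stored, "email", "ada@example.com", b"wrong"))  # False
```

Non-identifying fields such as the plan are left intact so the data stays useful for analysis, while the key store is the one place that needs the tightest access control.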

What happens if I don’t comply with GDPR?

Your business will be hit in the wallet for failing to uphold the new data protection standards. Penalties will reach an upper limit of €20 million or 4% of annual global turnover (whichever is higher). On top of that, companies failing to uphold the regulation will face significant PR fallout and reputational damage.

Where can I find more guidance on GDPR compliance?

The Information Commissioner’s Office (ICO) has produced an overview of the GDPR, which you can access here.