The GDPR became law on May 25th 2018


The General Data Protection Regulation (GDPR) became Mandatory from MAY 2018. Anyone, or any company who collects and processes personal data will be required to comply with the new GDPR regulations.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation aiming to help strengthen data protection for EU citizens and residents both within the EU and internationally. Essentially it aims to tighten up the handling and use of the personal data of people within the EU.

Anyone, or any company who collects and processes personal data (which the GDPR defines as a Data Controller) must comply with the new GDPR regulations. This may include organisations who use internal databases, for example for marketing, payrolls, or staff contact details, companies that have websites or apps, 3rd party customer relationship management (CRMs) systems, or simply if you just use email.

A large portion of the GDPR is concerned with transparency and informing individuals about how their personal data is being used, for what purpose, by whom and for how long. GDPR requires ‘data controllers’ to state what data is being processed and for what reasons. Furthermore, controllers are required to inform individuals about how long the data will be retained for. They must also specify who the subject should contact regarding any part of the controller’s data processing procedures.

“Non-compliance could lead to a significant loss of business to competitors who are able to demonstrate their GDPR compliance”

What Are The Implications for Non-Compliance?

Potential fines:


Million Euros


of Global Turnover

The GDPR imposes significant penalties for non-compliance.
The most significant potential fine under the GDPR is 4% of global annual turnover of the preceding year or 20 Million Euros (whichever is the greater). This is reserved for organisations who are found to have failed to implement basic security measures.

The second largest fine is 2% of global annual turnover of the preceding year or 10 Million Euros (whichever is the greater). This would be applied to any organisation who fails to notify the relevant authorities and the individuals affected following a breach in data security. The relevant authority in the UK is The Information Commissioner’s Office (ICO).
Under the new legislation an insufficient strategy for notification of a breach could be a very costly mistake for an organisation, not to mention any legal costs associated with defending the company’s inaction.

Potentially even more expensive long term consequences for violation would be the loss of customer trust and brand confidence.
Furthermore as the deadline approaches many businesses will require their vendors to be fully compliant with the GDPR as a condition for continuing to do business. These requirements in future will typically be part of the RFQ process and / or privacy & security audits.


Answering three simple questions can help determine whether your company is impacted by the GDPR:

  • Does your company offer goods and services to individuals in the EU?
  • Does your company have employees in the EU?
  • Does your company monitor the behaviour of individuals?

If the answer is “yes” to ANY of these questions, and unless your company has special exemption from EU law, then the GDPR will most likely apply to your company.

Whats Involved?

The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s size, location, or nature of business.The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU individuals (defined as data subjects by the GDPR).

The GDPR is a risk-based framework, and because it covers personal data, the GDPR focuses on having the right governance structure, policies and operational practices, as well as monitoring, detection and response processes in place. For these reasons, there are important implications for information security practice, which could mean significant changes for organisations that are unprepared.

While virtually all organisations will have to implement some changes to become compliant, some will be able to take partial advantage of existing compliance with other mandates and frameworks, such as ISO 27001, BS10012 and PCI, by extending those measures to the protection of personal data. However, despite having achieved compliance with other mandates, further work could still be required to comply with the GDPR.

What’s the Relevance of GDPR for My Organisation?

GDPR relates to personal data. The relevance of GDPR to your organisation will depend on several factors. Obviously, if you handle data for European citizens then it applies to you.

Personal data is any information relating to an individual, whether it’s in connection to his or her private, professional or public life. According to the European Commission, this can include but isn’t limited to a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Thus, there is a high likelihood that any data you process for EU citizens is relevant.

What Is The Purpose Of The GDPR?

The aim of the new rules is to ensure businesses are more open about how they use personal data, and that they consider carefully and implement the appropriate security measures to protect that personal data. By increasing transparency through suitable procedures, this will ensure that individuals are made fully aware of what they are signing up for before they consent to their information being used (processed).

Will the GDPR be Affected by Brexit?

No, the indications from the government and the Information commissioner are that the GDPR is here to stay.

This is because firstly when the GDPR came into effect the UK is still part of the European Union even though it has started the withdrawal process. Secondly, the UK will adopt all EU legislation immediately following Brexit. During this period, referred to as ‘The Great Repeal Bill’, the EU laws will be rewritten inline with Britain’s new status outside of the EU. So unless you are planning on denying access to your services or products to any EU citizens or residents then you will be required to comply with the GDPR or suffer the consequences.

Other Implications

Supervisory authorities such as The ICO have a wide range of other powers and sanctions at their disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. They also have corrective powers enabling them to issue warning or reprimands, to enforce an individual’s rights and to issue a temporary and permanent ban on processing.

Individuals also have a right to bring a claim against a controller or (importantly) processor in court. They also have the right to recover both material damage and non-material damage (e.g. distress). Where more than one controller and/or processor is involved, they are jointly liable to be compensated.  In certain cases, not-for-profit bodies can bring a representative action on behalf of individuals. It’s considered highly possible by some experts that this will lead to a ‘claims culture’ in future, similar to the PPI market where individuals are encouraged to pursue claims against organisations who have sloppy personal data practices, or look to exploit holes in personal data security systems.



What You Need To Do To Comply

If you haven’t started considering how to implement the GDPR into your company yet then you need to start NOW as a matter of urgency.

You will need to make sure all practices, policies and processes relating to the collection and use of personal data across your organisation have been assessed and brought into alignment with the requirements of the new Regulation.

That includes understanding and complying to all 99 Articles and 173 Recitals included in the Regulations!

The following list outlines just a few key mandates defined by the regulation that your organisation needs to consider under the GDPR:

What Are Your Options?

  • OPTION 1 – Implement the Procedures Yourself
  • OPTION 2 – Employ a Data Protection Officer (DPO)
  • OPTION 3 – Sub Contract a European Data Privacy Professional

CIPP/E Certified Privacy Professional Europe

We have consultants certified at the highest level to advise and implement the General Data Protection Regulations (GDPR).

Professional Service

We can advise, train and implement GDPR best practices within your organisation.

Extensive commercial experience.

Our Directors have over 20 years experience in implementing business systems in commercial and industrial environments


Our Consultants are qualified in a range of quality and governance standards including CIPP/E, ISO 27001, ISO 9001, ISO 14001, BS OHSAS 18001, AS 9100D, and PAS 2030.


We can help you comply with the GDPR. To discuss the most effective way forward please contact us by phone, email or online form:

Call us on:

0333 987 5160

Email us:

Fill out this field
Fill out this field
Fill out this field
Fill out this field