GDPR – What businesses need to know

The General Data Protection Regulation (GDPR) is a new piece of EU legislation that overhauls the UK’s laws on data protection and cyber security. It will come into force on 25th May 2018, and will apply to businesses and public-sector organisations of all sizes, enforcing new guidelines and regulations for data handling.

It’s something every business needs to prepare for, as it impacts how you communicate with your customers and how you handle any information you store about them. Read our guide below to understand what GDPR will mean for businesses, or you can register for our free ‘An Introduction to GDPR’ online overview.

A Guide to GDPR

Who does GDPR apply to?

If you’re currently subject to the Data Protection Act 1998 (DPA), the new GDPR legislation should also apply to you and your business. As under the DPA, the GDPR defines businesses as data processors and data controllers.

As the names suggest, a data controller decides how and why a person’s data is stored or used. A data processor carries out those instructions on behalf of the data controller.

Data processors are subject to the specific regulations of the GDPR, but data controllers are also responsible for ensuring the data processing firms they employ are compliant with the law.

GDPR at a glance

GDPR has been introduced to create more rigorous regulations around how companies use and store data they collect from customers, and to encourage them to take cyber security and data protection more seriously. So, what are the important changes being introduced under GDPR?

Increased fines

Under the Data Protection Act, security breaches could result in fines of up to £500,000. Under the GDPR, this will increase to a maximum of €20 million, or 4% of annual global turnover.

The right to access

Under GDPR, customers of any business or organisation will have the right to access any personal information held about them.

The right to be forgotten

Customers can also ask to be ‘forgotten’ if they withdraw consent for their data to be used, which means companies will have to securely delete their data.

Data Protection Officers

Any company employing over 250 people must employ a Data Protection Officer to oversee the business’s data protection and cyber security measures and procedures.

Smaller reporting window

Any security breach likely to result in ‘a risk for the rights and freedoms of individuals’ must be reported within three days. Data processors will also have to immediately inform their clients (the data controllers) after becoming aware of a data breach.

Personally Identifiable Information (PII)

The definition of PII is being expanded to include IP addresses, genetic information (DNA), social media posts, photos, and more.

Opt in and not out

Companies will no longer be able to use pre-ticked boxes or opt-out options to gain data consent from customers. A clear, positive opt-in tick-box must be used.

Clear terms and policies

Complicated and long-winded terms and conditions will no longer be allowed for gaining consent from customers. Any request for consent on personal information will need to be in a clear, concise and easily accessible form.

The GDPR and the EU

While there may be some uncertainties around GDPR and what happens on the UK’s withdrawal from the European Union, the UK government has stated that the decision to leave the EU will not affect the adoption and enforcement of GDPR.

The scope of GDPR means that any company or organisation with customers who are EU citizens will need to abide by its regulations, no matter where in the world the company is based.

Further resources

Our team have created a number of animated GIFs for you to share with your staff to highlight key pieces of information relating to GDPR.

These can also be embedded on your website by using the embed code provided.


How to prepare for GDPR

Preparing your business for the arrival of GDPR can seem daunting, but there are simple ways you can improve your everyday cyber security and personal data handling to make sure that your business is compliant.

An Introduction to Cyber Security

Making sure your staff are confident of their duties and responsibilities is one of the most important things you can do. This includes increasing awareness of viruses and phishing scams, improving email etiquette, and keeping their physical working spaces clear and secure.

Data Protection at Work

Along with increasing everyday cyber security measures, your staff will need to be confident in how to handle personal data. This includes understanding how and why you hold personal data, determining whether holding it is necessary, and ensuring it is held for an appropriate amount of time.

Confidentiality in the Workplace

Confidentiality of information is enforced on the 'need to know' principle, which forms the cornerstone of information security in today's corporate world. The 'confidentiality bubble' restricts information flows, with both positive and negative consequences.
