Cookies Policy

A ‘session cookie’ is used in order to make sure your use of the site isn’t mixed up with anyone else’s. This cookie is used by the webserver, only to help the website function properly for you.

GDPR: Data security got a whole lot more serious

Posted on 19/4/2017 by Tom Holmes

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) comes into legislation, replacing the data protection directive. It is designed to protect the rights of EU citizens whose data is held by organisations.

The GDPR is the most serious piece of privacy legislation for the last 20 years. Fines for non-compliance can reach €20m or 4% of turnover, whichever is greater.

And, although it’s EU legislation, GDPR affects all companies that handle or process data for EU citizens. So, although the UK will be leaving the EU by the time GDPR becomes legislation, it will affect the vast majority of companies operating on these shores.

Worryingly, according to a report from Gartner, fewer than 50% of companies that GDPR applies to will be compliant by the end of 2018. If that’s you, or you think it might be, you will need to get your skates on.

What do I need to know?

The GDPR differs significantly from the current data protection directive. Here are some key points:

Increased scope

The regulatory landscape is the biggest change. The GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. So, for example, a company operating in the US offering services to EU residents will fall under GDPR.

GDPR will also apply across an organisation’s network, meaning that the companies they do business with must also comply with GDPR.

Greater penalties

The penalties imposed by GDPR are potentially so big that they could put a company out of business. This is deliberate. Under the current directive, fines are not much of a deterrent for non-compliance. In some cases, it is easier and cheaper to pay the fine than it is to be compliant.

The new penalty system works on a tiered structure:

·      A written warning for first-time or unintentional non-compliance

·      Regular, periodic audits

·      Fines of €10m or 2% of annual worldwide turnover from the previous year, whichever is greater

·      Fines of €20m or 4% of annual worldwide turnover from the previous year, whichever is greater

 These penalties apply to both the holder of the data and party processing it so even clouds, for example, will not be exempt.

Consent

The conditions for consent to hold, store and distribute personal data have been strengthened. Companies seeking consent will no longer be able to use illegible terms and conditions full of legalease. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data breaches

Under the GDPR, the Data Controller ( will be under a legal obligation to notify the Supervisory Authority without delay. The reporting of a data breach is not subject to any minimum standard and must be reported to the Supervisory Authority within 72 hours of the data breach. Individuals have to be notified if an adverse impact is determined.

Posted in Business, IT


Latest Blog Posts


Nutbourne wins three!
Read more

Finding those with the X Factor
Read more

Building a team: developing talent
Read more

Building a rapport
Read more