GDPR’s here, what now?

In the lead up to May 25, you couldn’t open your inbox without being asked to read an updated privacy policy or give permission for companies to contact you once the General Data Protection Regulation (GDPR) had kicked in.

GDPR came into force on May 25 and the build up to its introduction generated a flurry of activity among businesses, all wanting to make sure they’re compliant with the new legislation.

Widely reported as being the most important change in data privacy regulation in 20 years, GDPR is aimed at putting individuals’ privacy first and has replaced the existing Data Protection Regulation 95/46/EC.

Surprisingly, despite there being widespread global speculation and debate about GDPR in the lead up to its introduction, it would appear that now it’s here, very little is being said about it. And, now that the influx of GDPR-related emails has died down, you could be forgiven for forgetting that it’s even in place.

But it is. So, what does this mean for businesses?

Well, if you haven’t already done so, it’s important that you’re fully up to speed with GDPR and what you need to do in order to maintain compliance. Failure to do so can result in companies being significantly penalised. Penalties come in two tiers: a standard penalty of €10m or 2% of annual global turnover, and a higher tier of up to €20m or 4% of annual global turnover, in each case whichever is greater.

At the very least, you should have invited your database to opt in to your future communications, updated your privacy policy and made sure that any personal data you do store is being kept securely, which is particularly pertinent following the recent Cambridge Analytica-Facebook data scandal. Consumers now have the right to access and remove any data you may hold about them, so it’s important you have the appropriate systems and processes in place to be able to handle these requests effectively too.

GDPR stipulates that personal data must be used fairly, legally and transparently. It must also be collected for specific purposes – and used only for those specified purposes. All data must be deleted when it’s no longer being used for its initial, intended purpose. Your existing CRM or other systems may be able to help you document and fulfil these compliance requirements, or it may be that you need to invest in an alternative to ensure you prioritise customer needs, treat online data respectfully, and effectively manage customer information.

Complying with GDPR can be daunting for businesses, especially smaller companies, given that there’s been widespread confusion regarding the specifics of the new rules and what the requirements actually mean on a practical level. But that doesn’t mean it should be ignored.

The Supervisory Authorities enforcing the new regulations recognise there may be a bit of a learning curve involved, particularly for SMEs. The important thing is to take action straight away and show that your business is striving to understand its personal data, data usage and accountability requirements sooner, rather than later.

For more information about GDPR, check out our blog, ‘The GDPR countdown is on: The essential Q&A for businesses.’

The GDPR countdown is on: The essential Q&A for businesses

Do you keep and use personal data relating to your clients or customers as part of your business activity?

Then you need to listen up.

If you haven’t already heard about it, the General Data Protection Regulation (GDPR) is on its way and time is running out for companies to make sure their systems and processes comply with it.

The GDPR has been billed as the ‘most important change in data privacy regulation in 20 years’ and is due to come into force on May 25 this year. However, despite its wide-reaching impact and the fact it’s been talked about for the last two years, it’s believed not all businesses have taken the necessary action. Awareness of the GDPR is high among global businesses, but only two in five are confident about knowing where their data’s stored (NetApp).

Time is clearly of the essence here, and the advice to businesses that haven’t yet investigated how the GDPR is going to impact them is to act fast – ideally now. We’ve put this Q&A together to help bring you up to speed on all things GDPR.

Q. ‘What is the GDPR?’

A. It’s new legislation that was approved by the EU parliament two years ago. This new EU regulation will replace the existing Data Protection Regulation 95/46/EC. It’s designed to set the new standard for consumer rights in relation to their data.

Q. ‘Why’s it happening?’

A. The GDPR is aimed at setting the new standard for consumer rights in relation to their data. It’s envisaged it will harmonise data privacy laws and strengthen the protection of data across Europe.

Q. ‘Does it apply to my business?’

A. If you use and handle personal data, then yes. The GDPR applies to all businesses that are in the EU that use and store personal data as part of their operations.

Q. ‘I’ve heard it doesn’t apply to small businesses. Is this true?’

A. No, it’s not true. The GDPR applies to all businesses (regardless of their size) that handle private data.

Q. ‘My data processing takes place outside of the EU, what now?’

A. If you’re an EU company and your data is processed outside of the EU, the GDPR still applies to you so you’ll need to make sure you’re fully prepared for it. If you’re in any doubt, get expert advice as soon as you can.

Q. Which type of data do I need to be concerned about?

A. The GDPR relates to personal data and sensitive personal data.

Personal data – includes any information from which a person can be directly or indirectly identified. For example, their name, email address, bank details, photo, medical information or computer IP address.

Sensitive personal data – relates to ‘special categories’ of data, including genetic and biometric data used to identify individuals.

Q. What are the main changes I need to worry about?

A. It’s essential you explore the impact the GDPR is going to have on your business and, if you’re not sure how to go about doing this, speak to a GDPR specialist.

One of the main changes that’s going to be brought about by the GDPR relates to the issue of consent. Companies must provide clear requests for consent, using a format that’s easy for people to understand and access. It’s crucial that the process of withdrawing consent is as easy as granting it.

Q. There’s been a data breach, what happens now?

A. Under the GDPR, if a data breach occurs and it’s likely to ‘result in a risk to the rights and freedoms of individuals’, then notification must be given within 72 hours of the breach taking place. This is a new legislative requirement under which data processors must notify customers and controllers of a data breach ‘without undue delay.’

Q. What’s a ‘data processor’ and what’s a ‘data controller?’

A. If you’ve started to familiarise yourself with the GDPR, then you’ll no doubt have come across these two phrases. Data controllers determine the purpose, condition and means of the processing of personal data, while data processors process the personal data on behalf of data controllers.

Q. Do I have to give people access to their data?

A. Yes, you will. From May 25, people will have the right to find out if their personal data is being processed, where it’s being processed and for what purpose. They’ll also have the right to receive an electronic copy of their personal data from you.

Q. Can people ask to have their data deleted?

A. Yes, they can. Individuals will have the right to be forgotten by asking the data controller (the organisation that has their data) to delete it from their files.

Q. What happens with children’s data?

A. You’ll need to obtain parental consent to be able to process the data of children who are under the age of 16 for online services. If in doubt, always double check.

Q. Other businesses have appointed a Data Protection Officer (DPO). Do I need one?

A. DPOs are for public authorities and organisations that are involved in 1) larger-scale systematic monitoring and 2) the processing of sensitive personal data. If you fall into either of these two categories, then you’ll need to appoint one.

Q. What happens if I don’t maintain compliance?

A. All businesses that fail to comply run the risk of being significantly penalised. Organisations found to be in breach of the GDPR could be fined at one of two tiers: a standard penalty of €10m or 2% of annual global turnover, or a higher tier of up to €20m or 4% of annual global turnover, in each case whichever is greater.

Q. What should I do now?

A. You need to make sure your systems meet the GDPR requirements and that your data is protected in accordance with the current guidance by May 25. Carrying out an audit of your current procedures and data is a thorough and effective way of determining the work that’s required. As with all projects of this nature, we recommend that you seek expert advice.

We hope you’ve found this Q&A useful and that it’s provided you with a clear understanding of the GDPR. For more details, including 12 steps to take now, visit