What Is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law adopted by the European Union that will come into effect on 25 May 2018. It replaces the existing Data Protection Directive from 1995 and represents the most significant change to data privacy regulation in over two decades.
The GDPR applies to all organisations that process the personal data of individuals within the EU, regardless of where the organisation itself is based. For UK businesses, compliance is not optional — it is a legal requirement. The UK government has confirmed that the GDPR will be incorporated into UK law, meaning that Brexit does not diminish the need for compliance.
What Counts as Personal Data?
Under the GDPR, personal data is defined broadly. It encompasses any information relating to an identified or identifiable natural person. This includes obvious identifiers such as names, email addresses, and phone numbers, but also extends to:
- IP addresses and cookie identifiers
- Location data
- Online behaviour and browsing patterns
- Financial information
- Health data
- Biometric data
- Any information that, combined with other data, could identify an individual
Most businesses process significantly more personal data than they initially realise. Understanding the full scope of personal data within your organisation is a critical first step in GDPR preparation.
Why It Matters
The GDPR introduces substantially higher standards for how organisations collect, store, process, and share personal data. It strengthens the rights of individuals over their data and imposes significant penalties for non-compliance.
The Penalties
Supervisory authorities will have the power to issue fines at two tiers:
- Up to 10 million euros or 2% of annual global turnover (whichever is greater) for infringements related to technical and organisational measures
- Up to 20 million euros or 4% of annual global turnover (whichever is greater) for infringements of the core data processing principles, conditions for consent, or data subject rights
Beyond the financial penalties, a data protection failure can cause severe reputational damage. In an era where consumers are increasingly aware of and concerned about how their data is used, a publicised breach or regulatory action can erode customer trust in ways that are difficult to recover from.
Key Principles to Understand
Lawful Basis for Processing
Under the GDPR, organisations must have a clear legal basis for processing personal data. There are six lawful bases:
- Consent — the individual has given clear, affirmative consent for their data to be processed for a specific purpose
- Contract — processing is necessary to fulfil or enter into a contract with the individual
- Legal obligation — processing is necessary to comply with the law
- Vital interests — processing is necessary to protect someone's life
- Public task — processing is necessary to perform a task in the public interest
- Legitimate interests — processing is necessary for your legitimate interests, provided those interests are not overridden by the individual's rights
Where consent is relied upon, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent will no longer be sufficient. Consent must also be as easy to withdraw as it is to give.
Data Subject Rights
The GDPR grants individuals a comprehensive range of rights over their personal data:
- Right of access — individuals can request a copy of the personal data you hold about them
- Right to rectification — individuals can request that inaccurate data be corrected
- Right to erasure — often referred to as the "right to be forgotten," individuals can request deletion of their data in certain circumstances
- Right to restrict processing — individuals can request that you limit how their data is used
- Right to data portability — individuals can request their data in a structured, machine-readable format for transfer to another provider
- Right to object — individuals can object to processing based on legitimate interests or for direct marketing purposes
Organisations must be prepared to respond to these requests within one month. Having clear processes in place before the GDPR takes effect is essential.
Privacy by Design and by Default
Data protection considerations must be embedded into the design of systems and processes from the outset, rather than bolted on afterwards. This principle, known as privacy by design, requires that:
- Data protection is considered at the initial design stages of any project or system
- Default settings favour privacy — only the minimum amount of personal data necessary for a given purpose should be collected
- Data is pseudonymised or anonymised where possible
- Individuals are given maximum control over their data
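As an added example (not part of the original article or GRDJ Technology's own tooling), the following Python shows two of the privacy-by-design points above in working code: data minimisation via a per-purpose field allow-list, and pseudonymisation via a keyed HMAC token instead of a plain hash. The field list, the sample record and the assumption that the HMAC key is held in a separate, access-controlled secret store are all constructed for this illustration; the self-check at the end shows why an unkeyed hash of an email address is not a pseudonym, since anyone holding a list of addresses can recompute and match it.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed allow-list for one purpose ("analytics"): fields outside it are
# dropped before storage, which is the data-minimisation half of the example.
ANALYTICS_FIELDS = ("country", "plan", "signup_month")


def minimise(record: dict, allowed: tuple) -> dict:
    """Keep only the fields the stated purpose actually needs."""
    return {k: v for k, v in record.items() if k in allowed}


class Pseudonymiser:
    """Replace a direct identifier with a stable keyed token (HMAC-SHA256).

    Assumption: the key lives in a separate, access-controlled secret store.
    Without the key, tokens cannot be linked back to email addresses, which is
    what distinguishes this from the unkeyed hash in unkeyed_token() below.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key

    def token_for(self, identifier: str) -> str:
        # Normalise case and whitespace so one person gets one token.
        norm = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, norm, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, p: Pseudonymiser) -> dict:
    """Minimise the record, then swap the email for a pseudonymous token."""
    out = minimise(record, ANALYTICS_FIELDS)
    out["subject_token"] = p.token_for(record["email"])
    return out


def unkeyed_token(identifier: str) -> str:
    """The weak alternative: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def linkable_from_candidates(token: str, candidates: List[str]) -> Optional[str]:
    """Self-check for a design review: if a token can be matched by simply
    recomputing plain hashes over a candidate list, it is not a pseudonym."""
    for c in candidates:
        if unkeyed_token(c) == token:
            return c
    return None


# Constructed sample record: contains more than the analytics purpose needs.
RAW = {
    "email": "Alice@Example.com",
    "full_name": "Alice Example",
    "phone": "+44 1234 567890",
    "country": "GB",
    "plan": "pro",
    "signup_month": "2018-01",
}

if __name__ == "__main__":
    p = Pseudonymiser(secrets.token_bytes(32))
    print(pseudonymise_record(RAW, p))
```

The keyed token is stable per person, so analytics can still count distinct subjects, but re-identification requires both the stored token and the separately held key; erasing the key for a data set renders the stored tokens anonymous rather than pseudonymous.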
Data Breach Notification
Organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms. In cases where the breach is likely to result in a high risk to individuals, affected persons must also be notified directly.
This requires organisations to have:
- Robust breach detection capabilities
- Clear internal escalation and assessment procedures
- Pre-prepared notification templates and communication plans
- A designated point of contact for supervisory authority communications
Practical Steps for Preparation
With May 2018 approaching, businesses should be taking concrete steps now. The following provides a practical roadmap for GDPR preparation.
Conduct a Data Audit
Understand what personal data your organisation holds, where it came from, who it is shared with, and why it is being processed. This data mapping exercise is the essential foundation for GDPR compliance. For each category of personal data, document:
- What data is collected
- The lawful basis for processing
- Where the data is stored
- Who has access to it
- How long it is retained
- Whether it is shared with third parties
Review Your Privacy Notices
Ensure that your privacy notices are clear, transparent, and provide all the information required by the GDPR. This includes:
- Your identity and contact details
- The purposes and lawful basis for processing
- Data retention periods
- Individuals' rights and how to exercise them
- Details of any international data transfers
- The right to lodge a complaint with the supervisory authority
Privacy notices should be written in clear, plain language — not legal jargon.
Assess Your Consent Mechanisms
If you rely on consent as your legal basis for processing, review how consent is obtained and recorded. Ensure it meets the higher standard required by the GDPR. Existing consents that do not meet the new standard will need to be refreshed before May 2018.
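The following Python consent ledger is an added example, not code from the article or from GRDJ Technology, of what a consent record must be able to show under the standard described in the "Lawful Basis for Processing" section and this one: one specific purpose per grant, evidence of the notice the person saw, an affirmative action (so a pre-ticked box is recorded but never counts as valid), withdrawal that takes one call with no extra steps, and a check that flags grants needing to be refreshed. The purpose names, notice versions and subject ids are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str              # one specific purpose per event, never "all"
    granted: bool             # True = consent given, False = consent withdrawn
    notice_version: str       # the privacy notice shown at the time ("informed")
    affirmative_action: bool  # person actively ticked/clicked; pre-ticked = False


class ConsentLedger:
    """Append-only log of consent events; the current state for a
    (subject, purpose) pair is its most recently appended event."""

    def __init__(self):
        self._events: List[ConsentEvent] = []

    def give(self, subject_id: str, purpose: str, notice_version: str,
             affirmative_action: bool) -> None:
        self._append(ConsentEvent(subject_id, purpose, True,
                                  notice_version, affirmative_action))

    def withdraw(self, subject_id: str, purpose: str) -> None:
        # Withdrawal is as easy as giving: one call, no justification required.
        self._append(ConsentEvent(subject_id, purpose, False, "n/a", True))

    def _append(self, ev: ConsentEvent) -> None:
        # Blanket consent is not specific, so the ledger refuses to record it.
        if not ev.purpose or ev.purpose.strip().lower() in ("all", "any", "*"):
            raise ValueError("consent must be recorded for a specific purpose")
        self._events.append(ev)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        evs = [e for e in self._events
               if e.subject_id == subject_id and e.purpose == purpose]
        return evs[-1] if evs else None

    def is_valid(self, subject_id: str, purpose: str) -> bool:
        """Processing for this purpose may rely on consent only if the latest
        event is a grant made by an affirmative action."""
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted and ev.affirmative_action

    def needs_refresh(self, subject_id: str, purpose: str) -> bool:
        """Grants that do not meet the standard (e.g. a pre-ticked box) are kept
        as evidence but must be re-obtained before they can be relied on."""
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted and not ev.affirmative_action

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full record for a subject, e.g. to answer an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.give("u1", "newsletter", "notice-v3", affirmative_action=True)
    print(ledger.is_valid("u1", "newsletter"), ledger.is_valid("u1", "profiling"))
    ledger.withdraw("u1", "newsletter")
    print(ledger.is_valid("u1", "newsletter"))
```

Because the ledger is append-only, a withdrawal does not erase the earlier grant; the history still shows what the person agreed to, when, and against which notice, which is the evidence an organisation needs if a supervisory authority asks how consent was obtained.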
Update Your Contracts
Review agreements with third-party data processors to ensure they include the appropriate GDPR-compliant data processing terms. Under the GDPR, both controllers and processors have direct obligations, and your contracts must reflect this.
Plan for Data Subject Requests
Establish processes for handling requests from individuals exercising their rights under the GDPR. Ensure your team knows how to recognise a data subject request, how to verify the identity of the requester, and how to respond within the required timeframe.
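The Python below is an added example, not the article's or GRDJ Technology's own code, covering both the "Data Subject Rights" list earlier and the planning step here: each request gets a response deadline of one month from receipt (clamped to the end of a shorter following month), nothing is answered until the requester's identity has been verified, and access, portability, rectification and erasure are handled against a small in-memory store. The store contents, subject ids and request dates are constructed for the illustration; a real system would keep the request log outside the personal-data store so that an erasure does not also erase the record of having handled it.

```python
import calendar
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

REQUEST_KINDS = ("access", "portability", "rectification", "erasure")


def response_deadline(received: date) -> date:
    """One month from receipt; if the next month is shorter, the last day of it."""
    if received.month < 12:
        year, month = received.year, received.month + 1
    else:
        year, month = received.year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


@dataclass
class DataSubjectRequest:
    subject_id: str
    kind: str
    received: date
    identity_verified: bool = False
    deadline: date = field(init=False)

    def __post_init__(self):
        if self.kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind: {self.kind}")
        self.deadline = response_deadline(self.received)

    def overdue(self, today: date) -> bool:
        return today > self.deadline


class SubjectDataStore:
    """In-memory personal-data store (constructed for the example)."""

    def __init__(self, records: Dict[str, dict]):
        self._records = records

    def handle(self, req: DataSubjectRequest, correction: Optional[dict] = None):
        # Identity verification is a hard gate: answering an unverified request
        # would itself disclose personal data to the wrong person.
        if not req.identity_verified:
            raise PermissionError("verify the requester's identity before responding")
        rec = self._records.get(req.subject_id)
        if req.kind == "access":
            return dict(rec) if rec else {}      # a copy, never the live record
        if req.kind == "portability":
            # Structured, machine-readable format for transfer to another provider.
            return json.dumps(rec or {}, sort_keys=True)
        if req.kind == "rectification":
            if rec is None:
                return False
            rec.update(correction or {})
            return True
        if req.kind == "erasure":
            return self._records.pop(req.subject_id, None) is not None
        raise ValueError(req.kind)


if __name__ == "__main__":
    store = SubjectDataStore({"u1": {"email": "alice@example.com", "plan": "pro"}})
    req = DataSubjectRequest("u1", "access", date(2018, 1, 31), identity_verified=True)
    print(req.deadline, store.handle(req))
```

The deadline helper is the part most often got wrong in practice: a request received on 31 January is due on 28 February, not on 3 March, and an overdue check should compare against that clamped date.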
Do Not Delay
May 2018 may seem distant, but the scale of preparation required should not be underestimated. Organisations that leave their GDPR preparations to the last minute risk being non-compliant when the regulation takes effect, with all the financial and reputational consequences that entails.
At GRDJ Technology, we are helping our clients review their websites, applications, and data handling practices to ensure they are ready for GDPR. From updating consent mechanisms and privacy notices to implementing technical measures that support data protection by design, we can guide you through the process with confidence and practical expertise.