The Beginner’s Guide To General Data Protection Regulation (GDPR)

This is article contains information about legal frameworks and compliance related to personal data. Sexy, huh? Maybe not, yet it’s still crucial that you know this stuff.

On the 28th May 2018 the law will change, if you hold any personal information on people within your business, it will affect you. The General Data Protection Regulation (GDPR) is a new European Union regulation that aims to protect personal data, the countdown is on for compliance; will you be ready?

In this post we will explore the new regulations and aim to give you all the information you need within 22 digestible facts and tips.

The Basics

1. The GDPR applies to all organisations that serve the citizens of the EU. So even companies who are based outside of the European Union but have customers within it, are still expected to comply.

2. It doesn’t matter how big or small your business is, this law applies to everyone.

3. According to the GDPR personal data is defined as information that is private, professional or public. Examples include names, addresses, emails, bank details, medical information and an IP addresses. You might be surprised to learn that photographs and even social media posts are considered as personal data within the regulation.

4. Information from national security or law enforcement is not part of the personal data classification by the GDPR.

5. One of the intentions of the regulations is to stop companies making unfair decisions using algorithms. It has been argued in the past that algorithmic decision making are fairer because they are removed from human judgement. Of course along with judgement, compassion has also been removed and this process has been criticised for excessive discrimination.

6. Under the new regulations if decisions about EU citizens are made using algorithms, they can be legally challenged.

Deleting data

7. After May 18th 2018, people can request that companies delete their personal data.

8. All organisations will have to delete information when the purpose for its collection is no longer relevant.

9. All organisations will have to delete information that was collected without informed and clear consent.

10. All data that has been used illegally will also have to be deleted by law.

11. In some cases deleting data does not necessarily make it secure. Hackers can still access deleted files. The solution is to encrypt the documents and then delete the encryption key. This way the data is unreadable.

Rules and Penalties

12. Larger companies will be required to employ specific data protection officers.

13. If any organisation experiences a data breach, they must notify the supervisory authority for your area but just as importantly, the individuals whose data was stolen must also be informed.

14. Breaking the GDPR comes with tough financial penalties. Companies could be hit with a €10,000,000 fine or 2% of their annual turnover. For more serious cases the penalty could be as much as €20,000,000 or 4% turnover.

Next Steps

15. The first thing to do is to complete an audit using the GDPR legal framework as a guide. This way you will identify if your business is already adhering to regulations and if not then in what areas.

16. If you operate globally, specifically identify data from EU citizens

17. Identify other businesses and organisations that are controlling, processing or storing this information for you?

18. Identify who has access to the personal data you hold.

19. Look at your procedures for protecting the data currently. Do you use psuedonymization, encryption or tokenization? If you need to take steps to ensure greater protection is put in place, then this needs to be done before May.

20. Remember to also check any data that you back up; this too needs to be protected.

21. From the audit onwards, keep a record of everything you do to protect data. If you are ever investigated by the GDPR Supervisory Authority, you need evidence that you are taking action.

22. Put into place practices so that as you obtain new data it is automatically protected. This is what the GDPR describes as “data protection by design and by default.”

You are not alone

If all this talk of data, legal frameworks, fines and compliance is making your head spin don’t worry, you are not alone. There are millions of organisations affected by this and everyone is scrabbling to make sure they don’t fall short. Knowing that you are not alone is very powerful in business, reach out to your business network, share your concerns and you will be surprised by the practical support you will receive in return.

If you need more help with this, get in touch with me at