What is GDPR?

The General Data Protection Regulation, or 'GDPR', is the result of years of work by the EU to modernise data protection legislation.

Since the creation of the previous regulations, the Data Protection Act 1998, the way personal data is used by business has changed dramatically.

The volume of personal data captured by businesses and the sheer number of organisations that can be involved in the processing and gathering of data was not imagined 20 years ago and has left the public vulnerable.

Why is GDPR such a big deal?

GDPR represents the biggest change to data protection laws in twenty years.

The last twenty years of rapid technological change was not covered adequately by previous regulation, meaning companies were free to handle customer data however they wished, within reason.

This led in many cases to businesses misleading customers into providing data about themselves, without the customer understanding what data was being collected, stored and used, or with whom it might be shared.

GDPR is designed to protect customers, whilst still giving organisations the opportunity to collect and use data to create and market products.

The key is simply that there needs to be a clear record of, and a transparent process for, recording customer consent and how their data is used.

Who does GDPR affect?

All customers and consumer-facing businesses in the EU.

If you have control over customer data or process data on behalf of other organisations or individuals, GDPR will affect you.

What types of business are affected?

All businesses and organisations that hold personal data are affected by GDPR, no matter how big or small they may be.

That said, there are some differences for businesses depending on how many people they employ. If you employ fewer than 250 people, you will most likely only need to hold internal records of how you process data, and of what you have done with it, where the data contains sensitive personal information that could be used to identify or discriminate against an individual.

If you employ more than 250 employees, you'll need to keep much more detailed records of how your organisation is handling and processing data.

These detailed records will likely need to include the name and details of your organisation and your data protection officer, why you're processing the data, a description of the types of individual and the categories of their personal data, and the categories of recipients of this data.

There are, however, some occasions when smaller businesses will need to keep more detailed records.

We'd suggest that businesses, both big and small, get some advice on exactly what will apply to them.

How will GDPR affect my business?

GDPR requires businesses to implement data protection "by design" and "by default".

Data protection by design and default

Data protection by design requires businesses to ensure that appropriate technical and organisational measures are taken to protect data, by default and without exception.

This means that you must protect data at all times and not just in response to a potential threat or breach.

Part of data protection by design is privacy by design, an approach to projects that puts privacy at the centre of systems and processes.

Privacy by design

This means that you have a legal obligation to integrate data protection measures into your information processing activities and projects.

For example, if you are developing a new IT system for storing and analysing customer data, you must ensure that privacy and data protection are key considerations from the start of your project and throughout the system's lifespan.

What happens if I don't comply with GDPR?

Major breaches

There's been no shortage of headlines exaggerating the potential fines for firms who fall foul of GDPR, but for major breaches of the GDPR framework you could be fined up to the larger of either:

  • 4% of annual worldwide turnover or
  • €20 million.

Other infringements

These could attract a fine of up to the larger of:

  • 2% of annual worldwide turnover or
  • €10 million.

How do I ensure my business is compliant with GDPR?

Whilst we have a number of articles looking at GDPR, from our GDPR glossary to a checklist to get you started, we'd suggest heading over to The Information Commissioner's Office (ICO) website and taking a look at their "Guide to General Data Protection Regulation (GDPR)" whitepaper.

Another option is to seek legal advice.

There are of course lots of solicitors and lawyers that can help you better understand how GDPR affects your business.

Or there are companies such as Lawbite that offer an online platform for securing legal advice.

Lawbite even has its own GDPR checklist, and is offering free GDPR advice to businesses and 10% off its GDPR products.


Disclaimer: While we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.
