Preparing your business for the new GDPR

The General Data Protection Regulation (GDPR) is a new piece of EU regulation intended to strengthen and unify data protection. It introduces new requirements for those processing personal data, as well as tougher penalties for data breaches.

Any business which controls or processes personal data needs to be aware of the changes and prepare before it replaces current data laws.

Compared with the Data Protection Act (DPA), the GDPR places significantly more legal liability on those maintaining records of personal data and processing activities if they are responsible for a breach.

The law will apply in the UK from 25 May 2018. It will be implemented here despite Britain’s exit from the EU, as we will not have departed by the time it applies, and any future policies may well be based on it.

A snapshot of the changes:

  • Maximum fines for serious breaches could rise to as much as €20m or 4% of worldwide annual turnover, whichever is greater
  • A requirement to report data breaches to the ICO within 72 hours
  • A wider definition of personal data to reflect evolving technology
  • Mandatory appointment of a Data Protection Officer for some companies

The Information Commissioner’s Office recommends 12 steps your business can take now…

1. Awareness

Make sure key decision makers in your organisation are aware of the changing law.

2. Information you hold

Document what personal data you hold, where it came from and who it is shared with.

3. Communicating privacy information

Review your current privacy notices and plan a timeframe to make any necessary changes.

4. Individuals’ rights

Check your procedures to ensure they cover all the rights individuals have, e.g. how you would delete personal data or provide data electronically.

5. Subject access requests

Plan how you will handle requests within the new timescales.

6. Legal basis for processing personal data

Identify your legal basis for carrying out any data processing you do.

7. Consent

Review how you currently seek, obtain and record consent.

8. Children

Think about putting systems in place to verify individuals’ ages and gather parental/guardian consent for data processing.

9. Data breaches

Make sure all staff are aware of the correct procedures to detect, report and investigate a data breach.

10. Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments.

11. Data Protection officers

Somebody should be designated to take responsibility for data protection compliance. This may mean formally designating someone as your data protection officer (DPO). Most SMEs will not require a DPO, but it would be worth checking.

12. International

If you operate in more than one EU state, then you should choose the lead authority – namely where your main establishment is.


The new General Data Protection Regulation follows the same concepts and principles as the Data Protection Act, with a few additions accounting for the significant changes in data over the past 20 years. If you currently comply with the Data Protection Act and follow these steps, you should find that you will be complying with the new regulation also.

If you would like to talk to an insurance adviser about ways to protect your liability, or for products that may assist you in the event of a breach, then call Fiveways today on 01952 812380 or email