BT Business Direct - PC Hardware, Components, Software, Digital Cameras, MP3 players
BT logo
Buy Products


In May 2018, the Data Protection Directive was replaced by the EU’s General Data Protection Regulation (GDPR). Although the UK is in the midst of BREXIT, these regulations are likely to be converted into British law. Now’s the perfect time to take a fresh look at your data security to make sure you’re compliant.

GDPR put simply

The aim of GDPR is to strengthen and unify data protection for all individuals within the European Union (EU). There are some significant changes you need to make to how you process and manage public data in order to comply with the new laws. With GDPR now in effect, here are the basics you need to know about this new EU regulation.

Who does it affect?

The new data-protection regulation like the current DP Directive, affects all industries and organisations that process personal data. It’s applicable to both public and private sectors.

What are the penalties?

In the event of a compliance breach, supervisory authorities can impose fines of up to 4% of an organisation’s worldwide annual turnover, or €20 million — whichever is higher.

When does it happen?

With its publication in the Official Journal of the EU, the regulation came into force on 25th May, 2018.

Who do I tell when I have a breach?

You’ll have to notify your supervisory authority within 72 hours of any data breach, and you may also have to notify your customers.

What type of data does the GDPR apply to?

GDPR applies to anyone who holds, processes, manages or deals with other peoples personal or sensitive data.

Personal data: any information relating to an individual; if you can identify a living person from the data you’re processing or obtaining, then GDPR applies to you. It might include; CCTV images, photos, databases, names, addresses and emails.

Sensitive data: any data that relates to someone’s religion, ethnicity, beliefs, health or relationship status. It can also include criminal records, court proceedings and court sentences.

The ICO’s guide to the 12 steps of GDPR readiness1:

  1. Awareness: Make sure decision makers and key people in the organisation are aware that the law is changing to the GDPR. You and they need to appreciate the impact this is likely to have.
  2. Information you hold: Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
  3. Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. There are some additional things that you’ll have to tell people. You’ll need to explain your legal basis for processing the data, your data retention periods and that all individuals have a right to complain to the ICO if they think there is a problem with the way you’re handling their data. The GDPR requires that this information must be provided in concise, easy to understand language.
  4. Individuals rights: Check your procedures to ensure that they cover all the rights that individuals have under the GDPR, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests: Update your procedures and plan how you’re going to handle requests and provide any additional information within the new timescales.
  6. Legal basis for processing personal data: Look at the various types of data processing you carry out. Identify your legal basis for carrying it out and document it.
  7. Consent: Review how you are seeking, obtaining and recording consent and determine whether you need to make any changes
  8. Children: Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for data processing activity.
  9. Data breaches: Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data protection by design and data protection impact assessments: Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
  11. Data protection officers: Designate a data protection officer, if you don’t have one already. Someone to take responsibility for data protection compliance. Assess where this role will sit within your organisation’s structure and governance arrangements.
  12. International: If your organisation operates internationally, you need to determine which data protection supervisory authority you come under

View things you need to know

  1. download PDF

Verified by visa Mastercard secure Waste of Electrical and Electronic Equipment (WEEE) Directive