The General Data Protection Regulation: make sure you're prepared

Considering the changes to data protection rules.

Recently published research has suggested that two thirds of businesses are ‘unprepared’ for the upcoming introduction of the General Data Protection Regulation (GDPR). With this in mind, we take a look at the key principles of the new Regulation, and highlight strategies to help business owners comply with the new rules.

The GDPR: an overview

The GDPR is set to take effect from 25 May 2018, and will apply to all businesses in the UK, regardless of size or structure. It will require organisations to protect the personal data they process, and to be able to demonstrate, with documented evidence, that such protection is in place.

The Regulation places great emphasis on transparency and accountability, and will hold businesses accountable for safeguarding the collection, usage and storage of individuals’ personal data. It applies to organisations operating within the EU, and also to those offering goods or services to individuals who reside in the EU. The UK’s decision to leave the bloc will not affect the introduction of the GDPR, so ensuring that your business is prepared is vital.

What are the penalties for non-compliance?

Businesses that fail to comply with the new Regulation will be subject to stringent financial penalties, with fines of up to €20 million or up to 4% of total annual worldwide turnover for the preceding financial year, whichever is the greater.

What does it mean for my business?

Many businesses may already be compliant with the requirements of the Data Protection Act 1998 (DPA). However, whilst the GDPR builds on the rights and obligations already set out in the DPA, it also requires firms to keep documentary evidence of their compliance, and to identify and record a ‘lawful basis’ for each type of personal data processing they carry out.

Reviewing privacy notices

Businesses are urged to review any privacy notices they have and, where necessary, ensure that these are amended ahead of the introduction of the GDPR. The new rules require businesses not only to tell individuals who is collecting their data, but also to explain the lawful basis for processing it. Under the Regulation, the period for which the data will be retained must also be stated.

Allocating a sufficient budget

Businesses are urged to consider the financial impact of GDPR compliance. Firms will need to review their current data protection practices, and align these with the new rules.

Doing so may prove costly. Those companies that process sensitive personal information, for example, will be required to implement more stringent procedures. The business’s size must also be taken into account when budgeting for the GDPR: for large businesses, assessing and altering data protection procedures across many systems and departments might mean costs rise quickly.

Allocating a sufficient budget to GDPR compliance will help to mitigate the risks your firm faces. 

Appointing a Data Protection Officer

Businesses may wish to designate a Data Protection Officer (DPO), who will be responsible for monitoring and advising on the business’s compliance with the GDPR.

For most businesses, the appointment of a DPO is not compulsory. However, under the new rules, some types of organisation are required by law to designate a DPO. These include:

  • public authorities;
  • organisations whose core activities involve regular and systematic monitoring of individuals on a large scale; and
  • organisations whose core activities involve large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offences.

Implementing adequate procedures for handling data breaches

Ahead of the implementation of the Regulation, firms are advised to ensure that they have adequate procedures in place for detecting, reporting and investigating a personal data breach. The GDPR will introduce a new duty whereby firms will be required to report a breach to the Information Commissioner’s Office (ICO) where it is likely to result in a risk to individuals’ rights and freedoms, and to do so without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, those individuals must also be informed.

Businesses are urged to assess the types of personal data they hold and where it is stored, so that they can judge the likely impact of a breach quickly. Firms may wish to create new policies for identifying, containing and reporting data breaches, and to communicate these to their employees so that incidents are escalated promptly.

The introduction of the GDPR will undoubtedly change the way in which businesses operate. Here, we have outlined just some of the measures that you should consider implementing into your business plan to ensure compliance with the GDPR. Further guidance can be found on the ICO’s website.



© 2018 Blue Spire Limited. All rights reserved.
