
The EU General Data Protection Regulation (GDPR)

From 25 May 2018, the EU General Data Protection Regulation (GDPR) will affect every organisation that processes EU residents’ personally identifiable information (PII). This page provides a breakdown of the key provisions introduced by the new law, which every organisation must be aware of.

Need fast and cost-effective advice on preparing for the EU GDPR?

Get in touch with one of our specialist advisors now for guidance on preparing for the GDPR, and to undertake a detailed data protection audit and gap analysis.

Contact us today for expert advice on +44 (0)845 070 1750 or email us at servicecentre@itgovernance.co.uk.


About the GDPR

First proposed in January 2012 by the European Commission and formally approved by the European Parliament in April 2016, the GDPR will supersede national laws such as the UK DPA, unifying data protection and easing the flow of personal data across the 28 EU member states.


When the GDPR comes into force on 25 May 2018, all organisations that process the personally identifiable information of EU residents will be required to abide by a number of provisions – detailed below – or face significant penalties.



The Regulation mandates considerably tougher penalties than the DPA: breached organisations can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.

Fines of this scale could very easily lead to business insolvency and, in some cases, closure. Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.



The key changes introduced by the Regulation

The GDPR introduces a number of key changes for organisations:

  1. If your business is not in the EU, you will still have to comply with the Regulation
  2. The definition of personal data is broader, bringing more data into the regulated perimeter
  3. Consent will be necessary to process children’s data
  4. Changes to the rules for obtaining valid consent
  5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
  6. The introduction of mandatory privacy risk impact assessments
  7. New data breach notification requirements
  8. The right to be forgotten
  9. The international transfer of data
  10. Data processor responsibilities
  11. Data portability
  12. Privacy by design
  13. One-stop shop

How IT Governance can help

IT Governance has wide-ranging data protection expertise to help organisations adequately prepare for the GDPR. Our specialist and experienced privacy consultancy team are available to assist you with initial readiness assessments, gap analyses and data protection audits.

To help organisations achieve compliance with the GDPR, IT Governance will be running a series of webinars to shed light on the key provisions and implications of the EU GDPR.

Register for one of our free GDPR webinars.

We also offer a comprehensive suite of information resources, solutions and consultancy services to help organisations comply with the GDPR, including:


  • Certified EU GDPR Foundation training course

    This comprehensive training course will offer a solid introduction to the GDPR, and provide a practical understanding of the implications and legal requirements of the regulation, culminating in an official certification from the International Board of IT Governance Qualifications (IBITGQ).

    All of our training courses are available in classroom and Live Online formats.


  • Certified EU GDPR Practitioner training course

    This course will enable delegates to fulfil the role of data protection officer (DPO) under the GDPR, and will cover the Regulation in depth, including implementation requirements, the necessary policies and processes, and important elements of effective data security management.

    All of our training courses are available in classroom and Live Online formats.


  • EU GDPR Documentation toolkit

    A full set of policies and procedures enabling your organisation to comply with the EU GDPR, these templates are fully customisable and significantly reduce the burden of developing the necessary documents to achieve legal compliance.


  • Privacy impact assessments training

    This one-day course is designed to provide delegates with the practical knowledge needed to perform a privacy impact assessment (PIA) and help their organisations identify the most effective way to fulfil their data protection obligations.

  • EU GDPR data flow audit

    Organisations should have a clear idea of the personal data being held, where it originated from, and who it can be shared with. A data audit is a key part of a data protection compliance regime.



  • EU GDPR pocket guide

    The perfect introduction to the principles of data privacy and the European Union General Data Protection Regulation, this guide is the ideal resource for anyone wanting a clear, concise primer on data protection.



Contact us today to discuss your compliance requirements with us by emailing servicecentre@itgovernance.co.uk or calling +44 (0)845 070 1750.


Latest news

The information below will help you keep abreast of the latest developments in the EU data protection reforms and remain updated about the implications for the UK’s Data Protection Act.
