
The EU General Data Protection Regulation (GDPR)


Countdown to the GDPR

The GDPR will be enforced from 25 May 2018. UK organisations that process the personal data of EU residents have only a short time to ensure that they are compliant.

Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.

Official Journal of the European Union: Final regulation text >>


The key changes introduced by the Regulation

The GDPR introduces a number of key changes for organisations:

  1. If your business is not in the EU, you will still have to comply with the Regulation
  2. The definition of personal data is broader, bringing more data into the regulated perimeter
  3. Consent will be necessary for processing children’s data
  4. The rules for obtaining valid consent have been changed
  5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
  6. Mandatory data protection impact assessments have been introduced
  7. There are new requirements for data breach notifications
  8. Data subjects have the right to be forgotten
  9. There are new restrictions on international data transfers
  10. Data processors share responsibility for protecting personal data
  11. There are new requirements for data portability
  12. Processes must be built on the principle of privacy by design
  13. The GDPR is a one-stop shop

Penalties under the GDPR

The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency. Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.

For more information on GDPR penalties, click here >>


The Brexit question

UK organisations handling personal data will still need to comply with the GDPR, regardless of Brexit. The GDPR will come into force before the UK leaves the European Union, and the government has confirmed that the Regulation will apply, a position the Information Commissioner has also endorsed.


How IT Governance can help

IT Governance has wide-ranging data protection expertise to help organisations prepare for the GDPR. We offer a comprehensive suite of information resources, solutions and consultancy services including:


Contact us today to discuss your compliance requirements by emailing or calling +44 (0)845 070 1750.