
The EU General Data Protection Regulation (GDPR)

The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes EU member state implementations of the 1995 Data Protection Directive (DPD). The UK Data Protection Act 1998 (DPA) will be superseded by a new DPA that enacts the GDPR’s requirements.

The new law marks a wide-reaching and significant shift in the way that organisations must protect personal data.

It grants data subjects a number of new rights, including the right to judicial remedy against organisations that have infringed their rights, and requires organisations to adopt “appropriate technical and organisational measures” to protect personal data. It also introduces mandatory data breach reporting.

Gain an overview of the key areas of change introduced by the Regulation, and the critical areas organisations need to be aware of when preparing for compliance, with our free paper, EU General Data Protection Regulation – A Compliance Guide.





The key changes introduced by the Regulation

The GDPR introduces a number of key changes for organisations:

  1. If your business is not in the EU, you will still have to comply with the Regulation.
  2. The definition of personal data is broader, bringing more data into the regulated perimeter.
  3. Consent will be necessary for processing children’s data.
  4. The rules for obtaining valid consent have changed.
  5. The appointment of a data protection officer (DPO) will be mandatory for certain companies.
  6. Mandatory data protection impact assessments have been introduced.
  7. There are new requirements for data breach notifications.
  8. Data subjects have the right to be forgotten.
  9. There are new restrictions on international data transfers.
  10. Data processors share responsibility for protecting personal data.
  11. There are new requirements for data portability.
  12. Processes must be built on the principle of privacy by design.
  13. The GDPR is a one-stop shop.

You can read the Regulation’s final text in the Official Journal of the European Union.


Penalties under the GDPR

The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines of this scale could very easily lead to business insolvency. Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.



The Brexit question

UK organisations handling personal data will still need to comply with the General Data Protection Regulation (GDPR), regardless of Brexit. The GDPR will come into force before the UK leaves the EU, and the government has confirmed that the Regulation will apply, a position that has been confirmed by the Information Commissioner.


The Data Protection Bill

The new Data Protection Bill going through Parliament is designed to modernise the UK’s data protection laws for the digital age. The Bill will align UK law with the EU's forthcoming GDPR and replace the existing Data Protection Act.

The Bill is a complete data protection system. As well as aligning personal data legislation with the GDPR, it includes requirements for all other general data, law enforcement data and national security data. The Bill also includes a number of agreed modifications to the GDPR in areas such as academic research, financial services and child protection.

The Bill adopts GDPR requirements for all general data in the UK. Until the UK leaves the EU, the GDPR will operate in tandem with the Bill. Thereafter, the UK will restore a domestic basis to data protection laws, with the Bill allowing the continued use of the GDPR requirements.


How IT Governance can help

IT Governance has wide-ranging data protection expertise to help organisations prepare for the GDPR. We offer a comprehensive suite of information resources, solutions and consultancy services including:


Contact us today to discuss your compliance requirements by emailing or calling +44 (0)333 800 7000.