Home » Uncategorized » GDPR doesn’t have to be GDP argh!!

GDPR doesn’t have to be GDP argh!!

The dust has settled but GDPR is very much with us now.

We’ve invited Data Protection expert, Karen Heaton, to give us an update on how GDPR is working in practice and what YOU might still want to put in place to make sure you are compliant.

In her first article, Karen summarises what happened and what you need to be thinking about.


We all know what happened on 26th May 2018…. the EU General Data Protection Regulation (GDPR) came into force across the EU.

What else happened?  Well, on the same day, the UK introduced the UK Data Protection Act 2018 (DPA) which replaced the previous Data Protection Act 1998, and you will be assured to know that the core of the EU GDPR remains within our new 2018 Act (together with other UK specific provisions).

Our focus is to help you check that your business is doing the right things for GDPR, so today we kick-start a series of practical and informative blogs to guide you through the recent changes and what these mean in pragmatic terms for your organisation.  Take a look at the topics we will be covering below.

Sitting comfortably?  Good.  Then let’s begin!

Key changes

  • Increased penalties – 2 – 4% of global annual turnover, cessation of processing or in severe cases, instigation of criminal proceedings. But you knew that already, right?  We will take a look at the key risks which may give rise to high penalties.
  • Consent – additional conditions for obtaining and maintaining consent are now in place. We all received sackfuls of emails from companies requesting our permission to remain on their marketing distribution list in the first half of 2018.  But was this necessary?   Well, that depends on your organisation and what data processing you undertake.  We will look at examples of where consent is obviously required and where possibly not.
  • Data Breach notifications – in certain instances, the relevant authority must be informed (in the UK this is the Information Commissioners Office). And within 72hours of becoming aware.  But what exactly constitutes a data breach that must be reported?  Whose responsibility is it to report it?  We will look at examples of breaches and discuss how to assess them.
  • Right to access (SAR) – a data subject can request a free copy of personal data relating to them that your practise or organisation holds. For medical practises, how does this compare with the Access to Medical Records Act 1988?   For other organisations, what can or can’t I disclose?  We will look at examples for both of these.
  • Accountability – there is now a requirement to be able to demonstrate how your organisation is compliant with GDPR and the DPA. This sounds simple, but what does it really mean?  If ever audited or investigated, what would you show them?  We will look at essential examples of what you should have in place to meet this requirement.
  • Data Protection Officers (DPO) – are you legally required to have a DPO? Probably not, unless you regularly and systematically monitor data subjects on a large scale.  Or are a local authority.  But you do still need someone in your organisation who is responsible for ensuring your business is compliant with GDPR and DPA.  We will look at the various activities and tasks your nominated person needs to take care of.


Today’s fact.  The ICO reported that there was a 31% increase in the number of Cyber security incidents reported in Jan – Mar 2018 compared to previous year.   => Make sure your internet security is up to date!

See you next week!