GDPR Regulations


hand in monitor taking card from hand at keyboard



The General Data Protection Regulation (GDPR) will take effect in the UK in May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations

The GDPR widens the definition of personal data
This means parts of IT that have been unaffected by data protection laws in the past will need attention from businesses to ensure they comply with the new rules.
The GDPR considers any data that can identify an individual as personal data. It includes such things as genetic, cultural, economic or social information.
There is very little personal data that will not fall under the GDPR, therefore most organisations will have to comply with its requirements.
The GDPR will also change the rules for obtaining consent to use personal data
Having the ability to prove consent for using personal information is a requirement of GDPR. Organisations will need to ensure they use simple language when asking for consent to collect personal data, they need to clearly inform how they will use the information, and crucially they will need to understand that silence or inactivity no longer constitutes receiving consent.
The GDPR requires organisations collecting personal data be able to prove clear consent to process that data, currently very few businesses or organisations will comply.
It will now be more important for organisations to explain exactly what personal data they are collecting and how it will be stored, processed and used. Without valid consent, any personal data processing activities will fall foul of the regulations.


USB memory sticks

Frequently Asked Questions about the incoming GDPR.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by government; meaning it will be in force May 2018.

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?

Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Art. 37). If your organisation doesn’t fall into one of these categories, then you do not need to appoint a DPO.

How does the GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

laptop, phone and book locked with chain

We are able to offer guidance, advice and procedural checklists to help you plan and prepare for the deadline

Contact us now to get guidance and assistance with these new regulations.

Mill Services Ltd, contacts, Telephone 01264 980228, Email

website design and maintenance by Mill Services Ltd. / Copyright © 2015 - 2018 Mill Services Ltd