0151 355 4555

The General Data Protection Regulation

The GDPR is a legal framework that sets guidelines for the collection and processing of personal information
of individuals within the European Union (EU). It was introduced in May 2016 and comes into effect in May


What's Changing?

Consumer Rights
Consumers will have more rights which must be adhered to by organisations:

Right to rectification: have personal data amended if it is believed to be incorrect

Proof of consent for processing data. Permission needed for data of under 13s.

Data Portability: moving data from one company to another.

Right to object to processing of personal data at any time.

Right to erasure: have personal data deleted without undue delay.


  • Privacy by design. Organisations must consider how their data processing impacts privacy. Risks need to be recorded and steps taken to mitigate them.
  • A Data Protection Officer (DPO) must be appointed if the organisation:
    • Is a public authority processing data.
    • Has core activities that require regular monitoring of data.
    • Processes certain types of personal data, e.g. relating to a criminal conviction.

Enforcement & Liability
Previously, data controllers were liable under the Data Protection Act 1998, however data processors now share the liability. In the event of non-compliance, there are two levels of fines depending on the incident:

  • a maximum fine up to €10 million or 2% of global turnover, whichever is higher.
  • a maximum fine up to €20 million or 4% of global turnover, whichever is higher.

Data Security
In the event of a data breach, an organisation must alert their national data protection authority no later than 72 hours after the breach, unless there is no risk to the rights and freedoms of individuals.
If a personal data breach is likely to put the rights and freedoms of an individual at high risk, then the organisation must alert the data subject affected without undue delay.

What details will need to be reported?

  • The number of data subjects who are at risk
  • Categories of data
  • The consequences of the breach
  • Data protection officer details/other point of contact
  • Mitigation proposals

When must organisations delete personal data?

  • If kept longer than necessary for the purpose it was collected.
  • Withdrawn consent.
  • Objection to the data processing.
  • Unlawfully processed data.

Companies are best to prepare for the GDPR as early as they can. The ICO has provided a plethora of information and whitepapers to help companies understand the new regulation and you can download their whitepaper with twelve steps to prepare for the GDPR here.


Where to start?

So what do you need to do to start preparing? It helps to know the standard of your data already using a free data quality report!

How's your data performing?

Part of the GDPR is to ensure your data is opted in and high quality - check how marketable yours is for free!

GDPR Blogs

How will Brexit affect the GDPR? Our blogs answers this and delves further into the new regulation.

When does the GDPR come into effect?

25th May 2018 - make sure you're prepared!

26% are not prepared for the GDPR

What does the DMA have to say about it?

Ring me back!

Need information or help? Let us know..