EU General Data Protection Regulation (GDPR)


The EU General Data Protection Regulation (GDPR) impacts every business that handles the personal information of any EU resident. This significant regulatory change has been introduced across the European Union to catch up with a rapidly growing digital economy and is by far the biggest overhaul in data protection law in 20 years.

GDPR: Overview

Like existing Data Protection regulations, GDPR is focused on the collection and use of 'personal data'. However, the GDPR definition of personal data is much broader than previous regulations, and includes a greater number of identifiers of personal information that are more tailored towards the digital world we live in today.

Essentially, GDPR defines a minimum standard for collecting, handling, sharing and securing the personal data of EU residents that all organisations and businesses across the European Union need to comply with. The intention is that all EU residents will have a consistent level of protection, more confidence in their privacy being maintained and more of a say in how their data is handled. As a result, organisations face tougher penalties under these new, stringent regulations for non-compliance and for violations of EU residents' privacy.

What are the key changes introduced by GDPR?

While many of the concepts and principles in the new regulation are closely aligned to previous data protection regulations and privacy directives, the new regulation does introduce a number of key changes. The changes are intended to 'raise the bar' by ensuring organisations manage information more responsibly.

Some of the most significant changes include:

  • An increased territorial scope - even if your business is not based in the European Union, you will still need to comply with the new regulation if your business holds any information about residents of the EU.
  • Clear and affirmative consent must be given by the data subject to process their personal data and information, and it must be possible to withdraw consent easily.
  • Parental consent must be recorded for processing the personal data for children under the age of 16, although some Member States may lower this to 13 years of age.
  • The ‘right to erasure’ (also known as the ‘right to be forgotten’) has been introduced to allow individuals to have their personal data erased in specific circumstances, primarily when there is no compelling reason for it to be kept.
  • The definition of personal data is now much broader than in previous regulations and covers a larger number of identifiers. Organisations should adopt measures to reduce the amount of personal information they store and ensure they do not store data that is not necessary.
  • A ‘privacy by design’ approach is required to minimise privacy risks and build trust. Organisations must be able to demonstrate increased awareness of privacy and data protection across their estate by designing and building projects, processes, products or systems with robust privacy mechanisms and controls.
  • Privacy Impact Assessments (PIA) need to be conducted on a regular basis to minimise the risk of data breaches and protect the personal information of data subjects.
  • Organisations will be required to report any data breaches to their Data Protection Authority (the ICO in the United Kingdom) within 72 hours of the organisation becoming aware of it, and in some cases to the individuals affected by the breach.
  • In certain circumstances, organisations must appoint and designate a Data Protection Officer (DPO) with expert knowledge of data protection law and practices to ensure compliance is maintained and risk is minimised as much as possible.

What does GDPR mean for my business?

Here at Prodera Group, we believe the new regulations present a new opportunity for businesses and a catalyst for change. As the technology world continues to rapidly evolve, organisations across the world continue to collect and handle vast amounts of data and information on their users, customers and employees. Cloud-based technologies have made this process more accessible and scalable in recent years, something that many businesses have harnessed to become more effective at what they do. GDPR doesn't remove that flexibility, but it does mean that organisations need to be much more aware of the personal data they collect, use and share.

Some of the components of GDPR will have a greater impact on some organisations than on others. For example, successfully implementing the 'right to be forgotten' or identifying and managing the data of children under 16 years of age could present immediate challenges for many businesses. Therefore, it is imperative that UK organisations start to recognise and address the impact of GDPR now to be fully prepared for its arrival next year.

The UK Government has confirmed that the United Kingdom's impending exit from the European Union will not affect the commencement and enforcement of GDPR. More recently, the Government announced plans for a new UK Data Protection Bill that will effectively align UK law with the European Commission's GDPR legislation, further highlighting the need for businesses to prepare now.


GDPR: Plan, Prepare & Comply

Preparing for GDPR is a daunting prospect for most businesses, large or small. At the very least, it is important that organisations assess their current level of data protection maturity and identify any gaps or areas of non-compliance in their existing processes and systems. Only then will it be possible to conduct a formal impact and readiness assessment to give a detailed picture of what action needs to be taken to be fully compliant with the new regulations.

How can Prodera Group help with GDPR?

Despite the complex nature of the new regulations, we encourage organisations to take a considered and proactive approach to address the potential challenges that GDPR may introduce within their ecosystem. Like any significant business change or any new regulatory compliance requirements, conducting a detailed discovery and developing a practical strategy and roadmap is a key enabler for getting ahead of these changes.

Looking forward, we see the new regulations as a great opportunity for businesses to transform and improve their data protection processes and technology, and to educate their people for the better. This is where we can help.

Drawing on our in-house expertise, we offer a collection of consulting and advisory services tailored to addressing the technical, operational and business challenges of GDPR and to taking full advantage of this new opportunity. These services include:

  • GDPR Discovery and Readiness Assessments
  • GDPR Strategy and Roadmap Development
  • GDPR Framework Development
  • GDPR Compliance Audits
  • Information Management System (IMS) Design and Development

For more information on our GDPR services or to arrange a consultation, please contact us and one of our specialists will be happy to discuss your specific objectives with you.

GDPR Useful Information

To help you understand the new EU General Data Protection Regulation (GDPR) in more detail, we have collected some useful information, resources and publications to give you and your team greater insight into the new regulations. Our team updates this regularly, so please check back for the latest updates.

  • Official Journal of the European Union - Regulation (EU) 2016/679
  • Information Commissioner's Office (ICO) - Data Protection Reform
  • Department for Culture, Media and Sport - UK Digital Strategy 2017
  • Department for Culture, Media and Sport - UK Data Protection Bill (Statement of Intent)


Get in touch with us today...

To find out how we can help your business with GDPR, please get in touch by sending us a message or call us on +44 (0) 845 154 3560 to discuss your requirements with a member of our team.
