On 25th May 2018, in less than 11 weeks, the General Data Protection Regulation (GDPR) is set to supersede the 1995 Data Protection Directive in the EU. This regulation, once implemented, will have large implications for how businesses store or process the data of customers residing in the EU. The rules are complex, and businesses need to get advice from an expert to be compliant before the deadline.

GDPR Principles for Organisations

To summarise, the main principles for organisations are:

  1. Data capture and usage – The organisation must describe to the customer very clearly how their data will be processed. There should be no ambiguity as to how their personal data will be used.

  2. Legitimate use of data – The personal data captured from the customer should be used for legitimate purposes only and not be shared with any third party. Without the customer's prior and explicit consent, their data cannot be further processed.

  3. Limitation on capturing data – An organisation should only capture and process the minimum data it needs about the customer. No extra information about the customer is supposed to be stored or processed.

  4. Removal of data no longer required – Customer data that is no longer required should be removed from the organisation's databases.

Penalty for non-compliance with GDPR

Any organisation that is found to be in breach of GDPR may be fined up to a maximum of 20 million Euros or 4% of its annual worldwide turnover. Earlier, under the DPA, the maximum fine was £500,000. The penalties follow a tier structure: for less egregious breaches, the organisation may be fined 2% of its annual global turnover or 10 million Euros. These breaches include failing to design systems that ensure privacy, not appointing a Data Protection Officer (DPO), failing to report a breach of data security to the customer, and other security-related issues. The rules apply to both controllers and processors of data.

Consent from customers before accessing their personal data

Organisations should request consent from the customer in a clear, concise and intelligible manner, without ambiguity and without burying the request in legal terms and conditions. The language should be easy for the person to understand. The customer also has the right to withdraw his/her consent, so the organisation must provide a way to do this.

Notification of a data breach

Data processors are responsible for notifying their customers and data controllers of any breach of data security within 72 hours of first becoming aware of the breach.

Territorial Scope

The GDPR will apply to all organisations that process the data of any consumer residing within the EU (even if that customer is not an EU citizen). Even if the processing of the customer's data takes place outside the EU, the organisation will have to follow the protocols laid down by GDPR.

Implications of GDPR for organisations

Organisations will have to appoint a Data Protection Officer and ensure that all security issues relating to customer data are properly addressed.

Implications of GDPR for customers

This regulation puts the customer in the driving seat, as their data will be protected, secured and not shared with anyone else. It will also help those customers who unwillingly shared their data and later regret it. They will now have the option to remove their personal data from the company's database so that it cannot be further processed.

DNS has partnered with LawBite to help you understand your GDPR requirements and provide you with the necessary products and services to help your organisation become GDPR compliant.

All our readers get a free 15-minute consultation with a specialist GDPR lawyer at LawBite. To book a consultation, please submit your enquiry and an expert GDPR lawyer will contact you shortly.
