For those who have been hiding under a rock for the past two years, GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union, or who have data held within EU states. It replaces the outdated Data Protection Directive and brings all of the policies and practices in line with the modern era of working. Much like Arsene Wenger replacing the drinking culture of Arsenal FC footballers with an athletic breed of training schedules, GDPR is there to help individuals take control of their data and be safeguarded within the digital age.

Since May 2016 the ICO has been gearing up to the 25th May 2018 for the GDPR regulation to come into effect. They’ve sent out advice and guidelines based around awareness, information you should hold, communicating your privacy policy, the rights of individuals, subject access requests, how to correctly process personal data, (now let’s take 2 seconds to breathe before you pass out at the end of the sentence!) what qualifies as consent from individuals, what to do with data breaches, data protection impact assessments, establishing a company’s data protection officer and clarifying a company’s international borders.

Simply put, if you haven’t done this yet as a company you have a lot of catching up to do and a very short window to do it in. The ICO gave the 2-year preparation window to help companies get their data policies up to scratch; they don’t want to start punishing companies, they want everyone to be compliant. From now on they will be taking a hard line with organisations and individuals that don’t abide by GDPR; with potential fines of up to €20 million or 4% of the company’s annual global turnover, this is something they are keen for everyone to follow.

There’s a bit of background on GDPR; the monster that has encroached on everyone’s lives in some way over the past 2 years. In the lead up to the date companies were mailing out consent / marketing emails to the majority of their database, trying to get consent to keep their data on file or consent to continue marketing to them. From my understanding, even if you didn’t reply at all, companies should put you on their opt-out lists as you haven’t given consent to opt in. If you didn’t reply they should probably start waving bye bye! Nice little rhyme that…!

So what’s next for GDPR?

From my point of view, it’s probably going to be like Y2K; all the leg work and scurrying around is over, now it’s just time to crack on and make sure the changes your company has made are sustained moving forward.

Mainly businesses should be thinking about their processes and how they can quickly share the data that they hold if requested by another individual or organisation. Companies will inevitably get more enquiries on the subject so it’s all about handling and triaging these enquiries in a compliant manner which meets the regulation. If someone asks for access to their data you can’t bury your head in the sand, you can’t try to palm them off and forget they exist, you’ve got to comply and make sure you (as a company or an individual) are acting in the correct way.

As well as making these changes within EU law, we lucky lads and ladies in the UK have to think of life post-Brexit. Firstly, apologies for mentioning two buzzwords (GDPR and Brexit) in one article, but it’s pretty important.

When we leave the EU, as part of the agreement we will be covered by EU law for 2 years; a sort of safety blanket if you will to help the transition. The UK Government now needs to create a law to cover everything within GDPR and the previous Data Protection Directive, to make sure we create something that is better, more secure, and more transparent than everything else. Then we, as a country, can freely exchange data with any country in the world.

In terms of GDPR casualties, I am sure many in the industry have opinions on which company will be the first to get a slap on the wrist from the ICO. I’m happy to start a sweepstake to accommodate this (but don’t worry, your data will not be used for anything other than this!) but ultimately within the next few months, post-GDPR, I am sure there will be plenty of stories in the press of breaches and of figuring out how much compliance there is with GDPR in general across different industries.

If, after reading this, you feel like you still need to get up to date with GDPR, then I highly recommend using the ICO and NCSC websites for information on what to do; they’ve got helpful guides and one-stop shops to show you how to become compliant. There are various companies who can help and offer some good advice (there are also some companies to avoid; I have heard horror stories where companies were advising the wrong date for GDPR…!) so feel free to reach out and I can make introductions.

Ultimately, GDPR is the biggest change to our data protection laws for quite some time. The move will help bring legislation into the new digital era and provide a bigger safeguard. If you are not compliant you may have missed the deadline given, but it’s never too late to change for the better.

Author: Jonathan Stock

Jonathan Stock heads up the IT Security recruitment team at IntaPeople and works with companies of various sizes helping them to source talent across the UK. He is part of the South Wales Cyber Security Cluster, helps to put on events and also regularly contributes to online security magazines. He has a genuine interest in security and the effect it is having in our globalised world.