On the 25th May 2018, the General Data Protection Regulation (GDPR) will come in to force across the European Union. In the wake of some high-profile data breaches and court cases surrounding the way personal data is collected and held, this new legislation aims to reconcile the current data protection laws of member states whilst strengthening the individual privacy protections afforded to EU citizens surrounding their personal data.

Any organisations that hold information on individuals will have new responsibilities to take on regarding data protection and need to ensure that they are compliant by this date.

Does this apply to my business?

GDPR covers just about any personal details that a business may hold about individuals from the 28 member states, be it clients or staff. This could just be basic information like a name and address but also covers more sensitive information such as their IP address. If you store data on any individuals in the course of business, you will need to comply with GDPR.


To ensure you comply with GDPR there some questions to ask about the data you hold:

  • Do you have legal grounds to hold this data?
  • Why do you hold this data? Is it relevant to your business?
  • Is it properly secured?
  • Did you make it clear to the individual that you were going to collect and hold their data?
  • Are your staff aware and up to date with current Data Protection laws?

GDPR also enshrines several rights for individuals such as ‘the right to be forgotten’ and ‘the right to object to information held’. Individuals may request any information that your business holds on them, so you will need to be aware of these rights and respond within one month to any requests.


If you believe the personal data you hold has been compromised in any way, be it through hacking, theft or otherwise you must notify the authorities within 72 hours. Penalties for breaching the new rules can be as much as up to 4% of an organisation’s annual turnover and larger organisations may also be required to appoint a Data Protection Officer (DPO) to ensure they are compliant.


Some may wonder if this is really all necessary, given that the United Kingdom is scheduled to leave the European Union in the near future. At the time GDPR comes into force, the UK will still be a member of the EU so all UK businesses must comply with the new legislation. However, it is also possible that any future trade deal between the UK and the EU could stipulate compliance with GDPR, so consider it future-proofing for your business.