GDPR: What? Why? When? Who? How?

You have more than likely landed on this page because you’re hearing a lot of noise about General Data Protection Regulation (GDPR) and the inevitable impact it will have on your business. Well, don’t worry, we’ve got all the information you could possibly need, and then some!

First things first, what even is GDPR when it’s at home?

GDPR is the replacement for the current Data Protection Act of 1998. A lot has changed since 1998, especially the digital landscape and the new regulations are aimed at bridging the gap to account for new technologies. The primary motive of the GDPR is to protect the privacy and security of data that’s collected by any organisation within the European Union.

The government has already confirmed that the UK’s decision to leave the EU will not affect our involvement in GDPR.

Why do we need GDPR in the UK?

Personal data in the digital world has become less and less… personal. With the increase in cloud and other technologies the nature of storage and processing of data has radically altered since 1998 and so must the regulations controlling this. GDPR is designed to give EU citizens more control over how their personal data is used. Organisations that fail to comply will incur “heavy financial penalties”* from which the threat of insolvency or potentially closure could be a very real risk.


When exactly does GDPR come into effect?

The date has been set at 25th May 2018, this is when the GDPR will automatically apply to all organisations. This gives us just short of 11 months to prepare and ensure we’ve got everything in order beforehand. For many businesses this will be an extremely busy time as there is a lot that needs to be done to become compliant before then.

Who does it apply to?

There are two categories of organisations who need to take notice; data controllers and data processors (some may find themselves in both camps).

Data controllers are organisations, such as private companies or governing bodies, who handle data. Data processors are organisations who physically process the data, this includes obtaining, recording or holding data, as well as carrying out any operation on said data or information.

It's the controller's responsibility to ensure their processor abides by data protection law and processors must abide by rules to maintain processing of records. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.

So, how on earth does your business get ready for GDPR?

There are many challenges to getting started, especially for small businesses who are limited by budget. It’s also advised that small businesses are ready six months ahead of the deadline to account for any stumbling blocks that may occur.

Here’s a brief guide of what to do and when…

1 - 4 months: If you have more than 250 employees you will need to appoint a data-protection officer (DPO). This should be one of your first steps as it’s essential that your DPO is involved in the journey from the start.

5 - 8 months: You need to work out where in your organisations new procedures need to be introduced, this includes things such as security and breach notification. Try to get these in place early so that you can communicate the changes effectively and test your new processes thoroughly.

9 - 11 months: Start conversations with suppliers and data processors to discover how they'll protect your information and respond to requests for data deletion.

Need some help?

Still unsure about GDPR? We can help. Workhouse can help you to put into place new processes and procedures, systems and content that you identify you need as you prepare for GDPR.

You can give us a call on 01254 878956 or email Alternatively, fill out the form below and we’ll get in contact with you ASAP.

Give us a shout

Give us a

See something you like?

Give us a call on 01254 878956
or fire us an email to
Pop your details into the form and we'll get back to you in a jiffy...
  • We'd love to send you emails with our latest news, offers and events. For full details read our Privacy Policy.