The GDPR states:

“The [controller] business/organisation shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles]”

What is GDPR?

GDPR is the European Union’s General Data Protection Regulation which comes into force on 25 May 2018.


Why is GDPR significant?

In GDPR, the EU is leading the globe in the shake up in Data Protection.  For citizens, the regulation is a good thing.  For businesses and organisations that manage personal data, compliance will take time and effort.


The regulation is applicable for any EU citizen on the planet regardless of where they live.  Thus, if a US company has customers in the United Kingdom the management of the customers data must be in accordance with the EU’s General Data Protection Regulation even though the United States is not located in Europe.  Furthermore, if a US citizen is living and/or working in the United Kingdom their data must also be managed in accordance with GDPR.


How will Brexit affect GDPR?

The General Data Protection Regulation comes into effect before the United Kingdom leaves the EU.  The UK Government have demonstrated their commitment to establishing it in to UK law post brexit with their Data Protection Bill.


Do I have to comply with GDPR?

As an EU Regulation GDPR compliance is mandatory.  Significant financial penalties exist for those organisations that fail to adequately protect the data they hold, and report any data breaches within 72hrs.  Should a breach occur, the organisation may be further vulnerable to affected parties seeking financial compensation, as well as the strategic threat to reputation and trust.


What about the Data Protection Act?

The GDPR replaces the Data Protection Act and changes significantly the controls and processes governing how data of employees, customers, suppliers, donors and volunteers must be managed and protected.


What has changed?

Right to erasure – The right to be forgotten

Subject access requests

Establishment of Data Protection Officer role.


But I am only a small business, do I need to comply with GDPR?

Any business or organisation that holds and/or uses the personal data of a UK and/or EU citizen must comply with GDPR.


But I am a sports club/organisation and not a business, do I need to comply with GDPR?

The GDPR considers in terms of the Data Controller.  Therefore, if you manage and use (process) personal data as described at this link, then you are a Data Controller.  If a Data Controller is present then your business, organisation, club, charity or group is subject to the GDPR.


What is the Data Protection fee?  Will my business have to pay?

The ICO has introduced the Data Protection fee to assist with the regulation of GDPR and the UK Data Protection Bill.  There are 3 tiers of data protection fees.  The fees vary between £40 to £2900 depending on:


  • How many members of staff you have,
  • Your annual turnover,
  • Whether you are a public authority,
  • Whether you are a charity,
  • Whether you are a small occupational pension scheme.


Not all business may have to pay a fee, and many can rely on an exemption.  Find out whether you may be exempt here.


How do I ensure that I comply with GDPR?

The Information Commissioners Office has set out the 12 step control framework for achieving GDPR compliance.  Click on each of the tabs below to learn more about each control.

Helpful, but what does that mean?

Accountability means you have to be be able to show and prove how you protect your customers and clients personal data