What is GDPR?

The European General Data Protection Regulation (GDPR) replaced the Data Protection Directive (DPD) and came into force with immediate effect in May 2018.

This regulation applies to data controllers or data processors keeping or processing information about living people referred to as data subjects.

The GDPR enhances the rights and principles already defined in the DPD and contains some significant changes such as:

  • A mandatory requirement for appointment of a DPO (Data Protection Officer)
  • Awareness of and provision for data subjects enhanced rights.
  • Supervisory authorities to be notified of breaches within 72 hours of DPO becoming aware.
  • In case of elevated risk cases – data subjects to also be made aware.
  • Internal breach register to be maintained.
  • Fines to be administered in the event of a breach – the higher of either €10 Million or 2% of global turnover at the lower threshold and €20 Million or           4% at the higher end.
  • Data Protection Impact Assessments (DPIA’s) will become a mandatory prerequisite in respect of any processing where high-risk processing                                is contemplated.
  • Organisations need to ensure that data privacy is a priority by design and default.
  • A higher bar for consent means an active opt-in is required.



If your business handles information belonging to a live person you should by now have:

  • Embraced privacy by design now.
  • Know what information you possess and where you have it stored so you may  find it if required.
  • Appointed a Data Protection Officer.
  • Taken Security Awareness Training for you and your team.
  • Considered an IT Security and IT Policy Audit.
  • Recorded all actions undertaken in relation to data security.
  • Demonstrated your regulation compliance with evidence of controls, process and technology.




Share This