Data protection laws in Europe are changing again, this is what you need to know.


Modern business relies on customer data – the better you know your clients, the better you can serve them. As a result, an awful lot of sensitive information is being held in company data stores.

Naturally customers are quite concerned about how this information is being protected. These concerns have led to a new piece of legislation intended to strengthen protections for consumers – the General Data Protection Regulation (GDPR).

What is GDPR?

Put together by the European Parliament; the GDPR is a regulation intended to standardise data protection for individuals across the European Union. The new regulation updates a previous directive published in 1995 which went on to form the basis of the UK’s own Data Protection Act 1998.

Coming into force in May 2018, the GDPR places some burdens on any organisation that collects and stores personal data.

What do you have to do?

We are currently in the second half of a two-year transition period, during which your business will need to strengthen existing protections. In future, you will need to:

Include data protection measures at the design phase of all business processes, products and services.

Set the default security for any application to “very high”.

Delete customer from your systems if they ask you to (under certain circumstances).

Provide an electronic copy of individual records for transfer to another service if requested.

There are other obligations for businesses who use sophisticated data processing algorithms for decision making (like insurers) and public authorities.

You must also obtain permission from every individual before storing and processing their data.

It is also important to note that any business holding data on EU citizens is bound by the GDPR. Even if you are based in the USA, Russia or China, you will still need to adhere to the regulation.

What if you break the rules?

In practice, the GDPR is quite similar to the existing Data Protection Act, so many of your existing security and privacy measures can stay in place. In the event of personal data being exposed, there are some possible outcomes:

Where the exposure is accidental, you may be issued a written warning.

Your business may be subject to periodic data protection audits to ensure your provisions are compliant.

A fine, potentially as high as €20,000,000 or 4% of your annual worldwide turnover – whichever is greater.

Which is a very big incentive to take personal data protection seriously.

We’re a B2B business, so this doesn’t apply to us?

Wrong! All personal data is covered by the GDPR – including personnel records and other information you hold on your workers.

But wait, what about Brexit?

With Britain leaving the EU, you might be tempted to assume that we’ll escape the GDPR. The UK government has already pledged that GDPR will be implemented even with Brexit.

And if your business deals with customers on the continent, you will need to adhere to GDPR anyway.

One year to go

The good news is that you still have until May 2018 to get your compliance plans in order. With such hefty penalties involved, every organisation (including yours) needs to assess their provisions to make sure they are compliant.

If you need help and advice or would like to know more about how G Suite by Kimbley IT can simplify compliance, please get in touch.