To talk further call us: 0161 667 3390 or email

The key stipulations of GDPR are:

  • Firms of over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.
  • GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
  • Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.
  • Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
  • Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice but the GDPR will be able to fine up to €20 million or 4 per cent of annual turnover (whichever is higher).

If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data – and that includes present and past employees and suppliers, not just customer data. If it’s a routine occurrence, then you should abide by the GDPR. The ICO has also stated that any businesses affected by the DPA will also fall under the GDPR. But the key difference between the DPA and the GPDR is that the latter will be much more strict in what is defined as personal data.

Understanding the type of data that will be affected under the GPDR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely and, unfortunately, without the right tools I can see many smaller business running into trouble.

In a perfect world all data would be stored securely and processes would be in place to ensure personal data is kept separately under a security framework.

But in my experience, that’s just not the reality. Across the businesses we have worked with there is an average of 10GB of unstructured data per employee, and 9 per cent of that data contains personally identifiable information.

So what can you do to get a handle on your data? Well, better management of your data has to begin with discovery. GDPR will mean that every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.

It’s a complex task for sure, but one that needs to be carried out to ensure efficient handling of data in the future. Some businesses may think they can achieve compliance by using a complicated spreadsheet. But this won’t help you find the data that you don’t know you have.