5 things you should know about GDPR

Posted by Alex Pavlovic on Mon, Jan 29, 2018

GDPR: four letters that you'll hear more and more over the next few months. 

You probably know that the EU's General Data Protection Regulation constitutes a dramatic change to the way businesses must handle and process their data - and it comes into force on 25 May.

But beyond that, most people scratch their heads. Here are five things you should know.


1.  It's got three aims

At its core, GDPR is really quite simple. Its three aims are:

  • To unify and strengthen the protection of personal data for EU citizens
  • To give EU residents greater control of how their data is stored and used
  • To control how personal data is exported outside the EU

Everything about GDPR boils down to these three guiding principles. Understanding how your business can fulfill these aims is the first step to compliance.

Personal data can be anything from name and address to race, religion, social media posts or even genetic and biometric data. Making sure businesses use the personal data that they possess in the right way is the crux of GDPR.


2.  It's tougher than the rest

GDPR replaces older legislation like the EU's Data Protection Directive or the UK's Data Protection Act and goes beyond them in a few important ways:

  • Unlike a directive, it's directly binding - so if your business is based in the EU or deals with it, you will have to comply from 25 May
  • It harmonises various sets of legislation into a single framework
  • It includes export of personal data beyond, as well as within, the EU

In short, there's no way of avoiding it and it has potentially worldwide reach. On the flip side, a single legislative framework simplifies compliance: nail GDPR, and your business has a compliant data management system that will build customer trust, strengthen reputation and image, and dodge financial penalties. Which brings us to the third point...


3.  It's got teeth

GDPR packs a serious financial punch for businesses found to be in non-compliance after 25 May. Fines of up to €20m (£17.56m) or 4% of annual turnover, whichever is greater, can be slapped on companies not managing personal data properly. Personal data must be:

  • Processed transparently and lawfully
  • Collected for legitimate purposes
  • Relevant, pertinent and necessary
  • Up-to-date and accurate
  • Stored only if necessary
  • Secure and confidential

If your business isn't complying with any of this - plan how to change it before May!

Some key steps to take include:

  • Creating detailed records of your data processing
  • Documenting your data policies and procedures
  • Training and informing staff about GDPR

We know how it is. You want to focus on the long term, but those short-term tasks stack up, get in the way and take up time. Trust us: setting aside some time for creating and actioning a plan now is the best approach to avoid nasty surprises further down the line.


4.  It will affect your business... even after Brexit

Every business with ties to the EU will be affected by GDPR. Yes, that includes British businesses after the Brexit date of 29 March 2019. 

The Queen's Speech in June 2017 highlighted the fact that GDPR, or something broadly identical to it, will remain in force once the UK leaves the European Union - so complying with GDPR is just as important for British businesses as those on the continent. 


5.  It affects everyone

The data protection officer (DPO) will be the main gatekeeper of GDPR, with tasks like monitoring compliance, cooperating with data protection authorities, and informing and auditing colleagues. But responsibility for data and information security compliance in a business falls on everyone. Let's take a look:

  • Marketing teams must get consent from those receiving marketing information
  • IT teams must guarantee electronic data security - and inform the supervisory authority within 72 hours if there's a breach
  • Customer account teams must make sure customer data is secure and relevant
  • HR must safeguard employee information
  • And so on!

Data touches all parts of a business. So getting questions answered, gathering information and putting together an action plan for GDPR compliance is absolutely vital.



What you should do now

GDPR will be the biggest overhaul of data protection regulation in twenty years - so get prepared.

Download our free GDPR toolkit for more information and guidance.




Tags: European Data Regulation, EU GDPR

GDPR workshop: 23 February 2018

Posted by Alex Pavlovic on Tue, Jan 23, 2018

Qualsys will be hosting a full-day GDPR workshop at our Sheffield office on 23 February 2018.

Do you know your ARs from your IPRs? Can you conduct a PIA? Do you know who the data controller in your business is? If, like hundreds of businesses in the UK, you need more information about preparing for GDPR, don't panic. A Qualsys survey in November 2017 found that 87% of businesses don't feel ready.

The General Data Protection Regulation constitutes the largest overhaul of data protection regulation in twenty years - and comes into force on 25 May 2018.

From that date, businesses found to be in breach of the regulation will be susceptible to fines of up to €20m (£17.56m) or 4% of their annual turnover, whichever is greater.

It's not surprising that businesses are nervous and scrambling to prepare and adapt before the big day. There's confusion and uncertainty about what compliance means and what steps to take. 


The Qualsys team will be offering expert support and guidance to businesses wanting to inform themselves about preparing for GDPR. Whether you're a Qualsys customer or not, our doors will be open on Friday 23 February for a full-day informative workshop in Sheffield.

Come join us and learn:

  • What GDPR means for your business
  • What to do before 25 May
  • How to conduct a PIA, manage risks, handle security breaches and prepare staff
  • How to manage assets, data types, customers and suppliers
  • Ten top tips from the Qualsys team

And much more. We will provide all delegates with a free information pack (and plenty of ideas!) to take away with them. To provide the most focused and valuable experience we can, places will be limited to ten delegates only on a first-come-first-served basis.

Get the knowledge you need to approach GDPR with confidence.

The workshop is priced as follows:

£399 (Qualsys customers)

£449 (non-customers)


What you should do now

Sign up for the workshop here

Read how our software suite helps businesses prepare for GDPR here

Tags: Governance Risk and Compliance News, European Data Regulation, EU GDPR

GDPR explained (Part 4): 10 essential GDPR resources

Posted by Emily Hill on Tue, May 16, 2017


There's a lot of information out there about the new EU General Data Protection Regulation (GDPR). But where do you find the best information about what GDPR means for you? 

We asked Qualsys's Business Mentor, Mike Bendall, to recommend his 10 favourite GDPR resources. 

1)  EU General Data Protection Regulation

A good place to start is with the EU themselves, by familiarising yourself with their Data Protection Regulation requirements.

In this Official Journal of the European Union, you'll find:

  • Why the EU have introduced the regulation
  • Details of the requirements for each article
  • All the requirements in full


2) Guide to the General Data Protection Regulation

International law firm Bird & Bird have produced some excellent materials on GDPR, including this comprehensive guide to the new regulation. They've also divided the guide into downloadable sections, which you can access here.


3)  Preparing for GDPR - 12 steps to take now (ICO)

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. They provide a lot of useful resources on data protection and other related subjects for organisations and members of the public.

They've produced a 12-step guide to preparing for the GDPR and a handy checklist that organisations can use to assess their compliance.


4)  GDPR toolkit - by Qualsys


Qualsys provides many free toolkits to help organisations manage their transition into new ISO and compliance standards. In the GDPR toolkit, you'll find: 

  • Step-by-step guides
  • Advice from industry experts 
  • Quiz to get your stakeholders engaged with GDPR 

Download the toolkit for free here


5)  EU GDPR: A Pocket Guide (Alan Calder, Founder & Executive Chair at IT Governance)

Gain a clear understanding of GDPR with this essential pocket guide, which explains:

  • The definitions used within the regulation in simple terms
  • The key requirements of the regulation
  • Advice on how to comply with the regulation

Buy for under £10 here

6)  "The Missing Piece in the GDPR Puzzle" eBook

This eBook by Collibra details a best-practice approach to data governance: 

  • Why organisations need robust information management systems
  • How data governance is a vitamin for competitive advantage 
  • 3 building blocks of a data governance business case 

Read the eBook here

7)  "Why GDPR should be at the top of your agenda" – CIO Trends Report (Computer Weekly) 

Computer Weekly has produced a CIO Trends report, which details: 

  • Why GDPR should be at the top of your agenda
  • How to ensure you're compliant
  • Insights from thought-leaders 

Read the report here

More articles from Computer Weekly you may find useful: 

8)  How to manage risks and reputation in any data-driven company


In this GDPR webinar, speaker Ronald van Loon discusses how to:

  • Maintain client trust with appropriate data management
  • Reduce risks and protect your reputation
  • Adopt a 'protection by design' approach to data 
  • Implement technical infrastructures to protect and govern client data
  • Utilise a data protection officer to define how data is collected and stored
  • Handle the various data streams

How to manage risks and reputation within any data-driven company

9)  Preparing for EU GDPR 

This Slideshare by Alan Calder covers:

  • An overview of the regulatory landscape and territorial scope
  • Principles of the GDPR
  • Rules on breach notifications
  • Data subjects' rights
  • Changes to consent
  • Processor liabilities
  • Role of the Data Protection Officer

View "First steps to GDPR Compliance" here

10)  GDPR Stakeholder Workshop (Hans Demeyer, Data Protection Office) 

In this Slideshare, Hans Demeyer uses "Sophie's Privacy" as a case study to show examples of what can and can't be done under the new GDPR. There are some useful exercises you can run with your stakeholders to get them to understand their requirements. 

View the Slideshare here



What you should do now

For more information about GDPR, download our GDPR Toolkit. 




GDPR explained (Part 2): How to prepare your employees for GDPR

Posted by Emily Hill on Fri, May 12, 2017

Chances are that if you ask your leadership, marketing, HR or IT director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you'll open up a can of worms. 

Research shows:

  • 20% of IT decision-makers in the UK are still unaware that GDPR even exists. (Trend Micro).
  • Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes, 21% the chief information security officer, 14% the chief executive officer, and 10% the chief data officer. (Centre for Information Policy Leadership).
  • Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy. (Institute of Directors).

Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.

Who's responsible for GDPR? Who does it impact? How should each employee approach the new requirements to stay compliant?  


GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation. It's the responsibility of every employee. 


To help you develop a plan for engaging your employees, we've grouped your different stakeholders and set out their key requirements. Use this plan as a starting point, and develop it however you need to suit your own organisation.

Stakeholder group / How you're affected / What you must do

How you're affected: Fail to conform to GDPR and you could be fined up to 4% of your annual turnover and face considerable damage to your brand.
What you must do: Invest in training and providing the time and resources needed to make the changes.

How you're affected: If you have 250 or more employees, you must keep auditable records of how you process personal data.
What you must do: Keep reliable records of all your data-processing activities.

IT teams

How you're affected: All your processes and procedures for managing data must include data protection by design.
What you must do: Secure and encrypt all data, and track who's allowed to use or create new copies of data records.

How you're affected: Data subjects are entitled to see any data you have saved about them.
What you must do: Ensure you can make all information available in a format that's clear and understandable. If a customer wants to move to another company, you should be able to give them their data in a portable format.

How you're affected: If your systems are hacked, data subjects have the right to know whether their data has been stolen, and when this happened.
What you must do: If there is a data breach, you must notify the supervisory authority (the main data protection regulator yet to be determined) no later than 72 hours after you became aware of the breach.

How you're affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
What you must do: Implement a strong policy for how and when you'll delete data. You may need to consider what data you need to keep for archiving purposes.

Marketing teams

How you're affected: You can no longer send marketing emails without the recipient first having opted in to receiving them.
What you must do: Every one of your data subjects must acknowledge that they're willing to be marketed to. You cannot accept silence as consent, pre-ticked boxes are banned, and you need to specify cookies policies more clearly.

How you're affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
What you must do: Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles etc.

HR and customer accounts teams

How you're affected: If you're a public authority, or a private company that regularly monitors or processes lots of sensitive data, you'll need to appoint a data protection officer.
What you must do: Appoint a data protection officer to (1) advise on GDPR obligations; (2) monitor compliance; and (3) liaise with the data protection authority.

How you're affected: There are tighter restrictions on how you store and process data on your own employees, and employees can withdraw their consent to this processing at any time.
What you must do: Consider what data you store on your employees and how you obtain their consent, and have systems in place for employees to withdraw their consent.


What you should do now 

After your initial stakeholder meetings, we'd recommend using our GDPR quiz to test how well your stakeholders understand their requirements. Find the quiz in our toolkit at the link below.

Continue for Part 3 of our GDPR series, 'How to get started'. 




GDPR explained (Part 3): How to get started

Posted by Marc Gardner on Fri, May 12, 2017

The new EU General Data Protection Regulation (GDPR) includes some dramatic changes to how companies manage, process and delete data. It's no longer just about finding data and making sure it's secure. It's about capturing the context of data and being able to prove everything's being done to protect the subject's data and the rights of the subject themselves.


In Part 3 of our GDPR series, Kate Armitage provides a simple and pragmatic guide to help you to get started. 



Step 1: Understanding the data you have

What is "personal data", exactly?

The world of data collection has changed dramatically over recent years. We can collect and process huge amounts of data at the click of a button. This also means we're constantly on the brink of making a mistake. GDPR gives organisations an opportunity to get their data protection policies into shape. 

This starts with knowing exactly what data you have. Under GDPR, whatever information you hold that can be used to personally identify an individual (or individuals) must be managed and controlled.

This includes data you keep on employees, customers, journalists and any other third-party contacts, and can include (but isn't limited to) their:

  • Name, address and unique identifying numbers
  • Demographics – such as age, gender, income or sexual preference
  • Behavioural data –  web searches, purchase history, website cookies and more
  • Social data – who your friends are, your emails etc.
  • Sensor data – biometrics, health tracking devices
  • User-generated content –  videos, photos, blogs or comments.

Step 2: Understanding how to collect and process that data

Consent is one of the fundamental aspects of GDPR. One of the key changes is that you can no longer assume that keeping someone's personal information is OK until they opt out. Instead, you need to ask that person for permission to keep their data.

You'll need to:

  • Have a record for each contact, specifying what information they've requested and how 
  • Make sure your policies are clear and up-to-date 
  • Identify, assess and manage the potential risk associated with collecting, processing and managing the data
  • Respect that your contacts have a "right to be forgotten" and the right to ask for a record of their information at any time

Step 3: Understanding who's responsible for managing the data

You then need to work out what your different stakeholders are responsible for doing. Back in Part 2 of our GDPR series, we explain how to prepare your employees for GDPR, and provide a simple guide to keeping them engaged. 


What you should do now

Part 4 of our GDPR series directs you to 10 essential resources on the new regulation.



GDPR explained (Part 1): What GDPR means for your business

Posted by Marc Gardner on Fri, May 12, 2017

We've had many regulatory and quality managers contact us at Qualsys recently about the new EU General Data Protection Regulation (GDPR), what it means for them, and how they can use EQMS to manage the changes.

This article is the first in a series we hope will help you prepare for GDPR with confidence. We've answered four GDPR FAQs. 

1)  Why the new regulation?

GDPR replaces the Data Protection Directive 95/46/EC, which determines how personal data should be processed and used within the EU. It's been designed to:

  • Combine all data protection laws across Europe
  • Strengthen data protection for all EU citizens
  • Reshape the way EU organisations approach data protection

The regulation aims to protect all EU citizens from privacy and data breaches in an increasingly digital, data-driven world – one that's vastly different from the time in which the 1995 directive was established.

GDPR will be enforced across the EU from 25 May 2018, regardless of what happens with Brexit. The changes will take many organisations a long time to implement, so we recommend that you get started right away!

2)  What happens if we get it wrong?

There's a lot at stake – fail to comply and you could be fined up to 4% of your global annual turnover.

The fine you face will depend on the type of breach and any mitigating factors. But know that they're meant to penalise your disregard for the regulation!

3) What does GDPR cover? 

GDPR covers the data subject, the data controller and the data processor.

Data subject

Your customer, employee, user or any EU citizen who's entrusted you with their personal data.

Personal data means any information relating to an identified or identifiable individual – for example, their name, address, social data, history.

Data controller

The party that data subjects entrust with their data, and the party responsible for deciding what happens to the data, what it's used for, and how it's handled.

GDPR extends the requirements for data controllers.

Data processor

Any entity that handles personal data on the data controller's behalf.

If your organisation was considered a controller under the old directive, it'll most likely also be under GDPR.

Although the definitions of "controller" and "processor" haven't changed, their responsibilities have been extended. So where the old directive made the controller mainly responsible for data protection, GDPR will give the processor that responsibility as well.

4)  Who in my organisation does GDPR affect?

These privacy agreements herald a new era in terms of how EU citizens' data are handled, with new obligations relating to:

  • data subjects' consent
  • making data anonymous
  • notifying the relevant people when data protection is breached
  • data transfers across borders, and
  • appointing data protection officers

GDPR forces companies who handle EU citizens' data to reform their operations in a major way.

Getting to grips with the regulation can be more challenging if you're a global business. GDPR doesn't only cover organisations located in the EU, but the use of personal data relating to EU citizens by anyone in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you could be prevented from trading with the EU. 

Most organisations will need to make lots of changes to policies, processes, strategies and even systems to ensure they comply with GDPR. This poses many challenges for quality and compliance professionals.


What you should do now

Read Part 2 of our series, in which we explain how to prepare your employees for GDPR.