Governance, Risk and Compliance Blog

GDPR explained (Part 4): 10 essential GDPR resources

Posted by Emily Hill on Tue, May 16, 2017


There's a lot of information out there about the new EU General Data Protection Regulation (GDPR). But where do you find the best information about what GDPR means for you? 

We asked Qualsys's Business Mentor, Mike Bendall, to recommend his 10 favourite GDPR resources. 

1)  EU General Data Protection Regulation

A good place to start is with the EU themselves, by familiarising yourself with their Data Protection Regulation requirements.

In this Official Journal of the European Union, you'll find:

  • Why the EU have introduced the regulation
  • Details of the requirements for each article
  • All the requirements in full

2)  Guide to the General Data Protection Regulation (Bird & Bird)

International law firm Bird & Bird have produced some excellent materials on GDPR, including this comprehensive guide to the new regulation. They've also divided the guide into downloadable sections, which you can access here.

3)  Preparing for the GDPR – 12 Steps to Take Now (Information Commissioner's Office)

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. They provide a lot of useful resources on data protection and other related subjects for organisations and members of the public.

They've produced a 12-step guide to preparing for the GDPR and a handy checklist that organisations can use to assess their compliance.

4) GDPR Toolkit

Qualsys provides many free toolkits to help organisations manage their transition into new ISO and compliance standards. In the GDPR toolkit, you'll find: 

  • Step-by-step guides
  • Advice from industry experts 
  • Quiz to get your stakeholders engaged with GDPR 

Download the toolkit for free here

5)  "EU GDPR: A Pocket Guide" (Alan Calder, Founder & Executive Chair at IT Governance)

Gain a clear understanding of GDPR with this essential pocket guide, which explains:

  • The definitions used within the regulation in simple terms
  • The key requirements of the regulation
  • Advice on how to comply with the regulation

Buy for under £10 here

6)  "The Missing Piece in the GDPR Puzzle" eBook

This eBook by Collibra details a best-practice approach to data governance: 

  • Why organisations need robust information management systems
  • How data governance is a vitamin for competitive advantage 
  • 3 building blocks of a data governance business case 

Read the eBook here

7)  "Why GDPR should be at the top of your agenda" – CIO Trends Report (Computer Weekly) 

Computer Weekly has produced a CIO Trends report, which details: 

  • Why GDPR should be at the top of your agenda
  • How to ensure you're compliant
  • Insights from thought-leaders 

Read the report here


8)  "How to manage risks and reputation within any data-driven company" – Brighttalk webinar (Ronald Van Loon)

In this GDPR webinar, speaker Ronald van Loon discusses how to:

  • Maintain client trust with appropriate data management
  • Reduce risks and protect your reputation
  • Adopt a 'protection by design' approach to data 
  • Implement technical infrastructures to protect and govern client data
  • Utilise a data protection officer to define how data is collected and stored
  • Handle the various data streams

How to manage risks and reputation within any data-driven company

9)  "Preparing for EU GDPR" (Alan Calder, Founder & Executive Chair at IT Governance)

This Slideshare by Alan Calder covers:

  • An overview of the regulatory landscape and territorial scope
  • Principles of the GDPR
  • Rules on breach notifications
  • Data subjects' rights
  • Changes to consent
  • Processor liabilities
  • Role of the Data Protection Officer

View "First steps to GDPR Compliance" here

10)  GDPR Stakeholder Workshop (Hans Demeyer, Data Protection Office) 

In this Slideshare, Hans Demeyer uses "Sophie's Privacy" as a case study to show examples of what can and can't be done under the new GDPR. There are some useful exercises you can run with your stakeholders to get them to understand their requirements. 

View the Slideshare here



What you should do now

For more information about GDPR, download our GDPR Toolkit. 




GDPR explained (Part 2): How to prepare your employees for GDPR

Posted by Emily Hill on Fri, May 12, 2017

Chances are that if you ask your leadership, marketing, HR or IT director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you'll open up a can of worms. 

Research shows:

  • 20% of IT decision-makers in the UK are still unaware that GDPR even exists. (Trendmicro).
  • Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes, 21% the chief information security officer, 14% the chief executive officer, and 10% the chief data officer. (Centre for Information Policy Leadership).
  • Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy. (Institute of Directors).

Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.

Who's responsible for GDPR? Who does it impact? How should each employee approach the new requirements to stay compliant?  

GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation. It's the responsibility of every employee. 


To help you develop a plan for engaging your employees, we've grouped your different stakeholders and set out their key requirements. Use this plan as a starting point, and develop it however you need to suit your own organisation.

| Stakeholder group | How you're affected | What you must do |
|---|---|---|
| | Fail to conform to GDPR and you could be fined up to 4% of your annual turnover and face considerable damage to your brand. | Invest in training and providing the time and resources needed to make the changes. |
| | If you have 250 or more employees, you must keep auditable records of how you process personal data. | Keep reliable records of all your data-processing activities. |
| IT teams | All your processes and procedures for managing data must include data protection by design. | Secure and encrypt all data, and track who's allowed to use or create new copies of data records. |
| IT teams | Data subjects are entitled to see any data you have saved about them. | Ensure you can make all information available in a format that's clear and understandable. If a customer wants to move to another company, you should be able to give them their data in a portable format. |
| IT teams | If your systems are hacked, data subjects have the right to know whether their data has been stolen, and when this happened. | If there is a data breach, you must notify the supervisory authority (the main data protection regulator yet to be determined) no later than 72 hours after you became aware of the breach. |
| IT teams | Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed. | Implement a strong policy for how and when you'll delete data. You may need to consider what data you need to keep for archiving purposes. |
| Marketing teams | You can no longer send marketing emails without the recipient first having opted in to receiving them. | Every one of your data subjects must acknowledge that they're willing to be marketed to. You cannot accept silence as consent, pre-ticked boxes are banned, and you need to specify cookies policies more clearly. |
| Marketing teams | Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed. | Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles etc. |
| HR and customer accounts teams | If you're a public authority, or a private company that regularly monitors or processes lots of sensitive data, you'll need to appoint a data protection officer. | Appoint a data protection officer to (1) advise on GDPR obligations; (2) monitor compliance; and (3) liaise with the data protection authority. |
| HR and customer accounts teams | There are tighter restrictions on how you store and process data on your own employees, and employees can withdraw their consent to this processing at any time. | Consider what data you store on your employees and how you obtain their consent, and have systems in place for employees to withdraw their consent. |


What you should do now 

After your initial stakeholder meetings, we'd recommend using our GDPR quiz to test how well your stakeholders understand their requirements. Find the quiz in our toolkit at the link below.

Continue for Part 3 of our GDPR series, 'How to get started'. 




GDPR explained (Part 3): How to get started

Posted by Marc Gardner on Fri, May 12, 2017

The new EU General Data Protection Regulation (GDPR) includes some dramatic changes to how companies manage, process and delete data. It's no longer just about finding data and making sure it's secure. It's about capturing the context of data and being able to prove everything's being done to protect the subject's data and the rights of the subject themselves.


In Part 3 of our GDPR series, Kate Armitage provides a simple and pragmatic guide to help you to get started. 



Step 1: Understanding the data you have

What is "personal data", exactly?

The world of data collection has changed dramatically over recent years. We can collect and process huge amounts of data at the click of a button. This also means we're constantly on the brink of making a mistake. GDPR gives organisations an opportunity to get their data protection policies into shape. 

This starts with knowing exactly what data you have. Under GDPR, whatever information you hold that can be used to personally identify an individual (or individuals) must be managed and controlled.

This includes data you keep on employees, customers, journalists and any other third-party contacts, and can include (but isn't limited to) their:

  • Name, address and unique identifying numbers
  • Demographics – such as age, gender, income or sexual preference
  • Behavioural data –  web searches, purchase history, website cookies and more
  • Social data – who your friends are, your emails etc.
  • Sensor data – biometrics, health tracking devices
  • User-generated content –  videos, photos, blogs or comments.

Step 2: Understanding how to collect and process that data

Consent is one of the fundamental aspects of GDPR. One of the key changes is that you can no longer assume that keeping someone's personal information is OK until they opt out. Instead, you need to ask that person for permission to keep their data.

You'll need to:

  • Have a record for each contact, specifying what information they've requested and how 
  • Make sure your policies are clear and up-to-date 
  • Identify, assess and manage the potential risk associated with collecting, processing and managing the data
  • Respect that your contacts have a "right to be forgotten" and the right to ask for a record of their information at any time

Step 3: Understanding who's responsible for managing the data

You then need to work out what your different stakeholders are responsible for doing. Back in Part 2 of our GDPR series, we explain how to prepare your employees for GDPR, and provide a simple guide to keeping them engaged. 


What you should do now

Part 4 of our GDPR series directs you to 10 essential resources on the new regulation.



GDPR explained (Part 1): What GDPR means for your business

Posted by Marc Gardner on Fri, May 12, 2017

We've had many regulatory and quality managers contact us at Qualsys recently about the new EU General Data Protection Regulation (GDPR), what it means for them, and how they can use EQMS to manage the changes.

This article is the first in a series we hope will help you prepare for GDPR with confidence. We've answered four GDPR FAQs. 

1)  Why the new regulation?

GDPR replaces the Data Protection Directive 95/46/EC, which determines how personal data should be processed and used within the EU. It's been designed to:

  • Combine all data protection laws across Europe
  • Strengthen data protection for all EU citizens
  • Reshape the way EU organisations approach data protection

The regulation aims to protect all EU citizens from privacy and data breaches in an increasingly digital, data-driven world – one that's vastly different from the time in which the 1995 directive was established.

GDPR will be enforced across the EU from 25 May 2018, regardless of what happens with Brexit. The changes will take many organisations a long time to implement, so we recommend that you get started right away!

2)  What happens if we get it wrong?

There's a lot at stake – fail to comply and you could be fined up to 4% of your global annual turnover.

The fine you face will depend on the type of breach and any mitigating factors. But know that they're meant to penalise your disregard for the regulation!

3) What does GDPR cover? 

GDPR covers the data subject, the data controller and the data processor.

Data subject

Your customer, employee, user or any EU citizen who's entrusted you with their personal data.

Personal data means any information relating to an identified or identifiable individual – for example, their name, address, social data, history.

Data controller

The party that data subjects entrust with their data, and the party responsible for deciding what happens to the data, what it's used for, and how it's handled.

GDPR extends the requirements for data controllers.

Data processor

Any entity that handles personal data on the data controller's behalf.

If your organisation was considered a controller under the old directive, it'll most likely also be under GDPR.

Although the definitions of "controller" and "processor" haven't changed, their responsibilities have been extended. So where the old directive made the controller mainly responsible for data protection, GDPR will give the processor that responsibility as well.

4)  Who in my organisation does GDPR affect?

These privacy agreements herald a new era in terms of how EU citizens' data are handled. With new obligations relating to:

  • data subjects' consent
  • making data anonymous
  • notifying the relevant people when data protection is breached
  • data transfers across borders, and
  • appointing data protection officers

GDPR forces companies who handle EU citizens' data to reform their operations in a major way.

Getting to grips with the regulation can be more challenging if you're a global business. GDPR doesn't only cover organisations located in the EU, but the use of personal data relating to EU citizens by anyone in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you could be prevented from trading with the EU. 

Most organisations will need to make lots of changes to policies, processes, strategies and even systems to ensure they comply with GDPR. This poses many challenges for quality and compliance professionals.


What you should do now

Read Part 2 of our series, in which we explain how to prepare your employees for GDPR.