How to engage your business with the GDPR

Posted by Kate Armitage on Thu, Apr 19, 2018

Responsible for getting your business ready for the EU's General Data Protection Regulation? This is not something you can tackle all on your own. You need every employee to understand what the GDPR is, identify information security risks and use their expert knowledge to spot opportunities to improve data management practices.   

However, a November 2017 survey found that a lack of buy-in, interest and engagement is among the main challenges GRC professionals face in preparing for the new regulation.


So how can you engage your leadership and your wider business with the GDPR? During a recent GDPR workshop,  I shared three tips.

I've included the tips and some example tools to help you below. 



1) The cost of doing something vs nothing

The fastest way to get your leadership team interested and invested in complying with the General Data Protection Regulation is to mention the potential fines. Businesses that fail to comply with the regulation will face fines of up to €20 million or 4% of annual turnover. That's significantly higher than previously, and that is scary for leadership teams.


2) Assign roles and responsibilities

Your job is to oversee compliance. It's not to think for people and do everything for them. Developing your communication plan is key. For this, you need:

Top-down engagement: Technology and data are now so important that data protection and cyber security need to be on the board's agenda. There's no point expecting employees to follow new rules if leadership doesn't know what's required and why. Leaders need to lead by example, while working together to ensure the message is communicated effectively across the whole business. In our organisation, we knew that sales and marketing processes and control a large majority of our data, so our MD set the sales and marketing team the task of doing a research project on the regulation and presenting the findings to the rest of the business.

Implement a data protection policy: Processes and procedures regarding data and security should be outlined in a clear and concise policy, which all employees should read and sign. The document should include key dos and don'ts regarding handling sensitive information and customers' rights, as well as password security and how to detect and report any data concerns or suspicious activity.



Communication, training and development: The new regulations provide a good excuse to host regular training on data protection and cyber security issues. Here are some quizzes and workshops you could use: 





Workshop example: Give the scenarios to your team to test their understanding of the regulation and discuss as a group.


Roles workshop: Get your team to fill out their roles and responsibilities to test their understanding of why those responsibilities matter.




3) Make it easy to be proactive 

Give every employee a central system to manage training records, policies, risks, suppliers etc. to encourage Privacy by Design. Privacy by Design needs to be embedded into the design and architecture of the system and of business practices; it is not bolted on as an add-on.


GDPR software: Privacy by Design example


What you should do now

Download our GDPR toolkit for more templates, quizzes, policy examples, tools, and tips. 



How to manage a data processing register for GDPR compliance

Posted by Chris Owen on Tue, Mar 27, 2018

Businesses control and process hundreds and thousands of different data types every day. It's often automatically collected, kept in various conditions, and retained indefinitely. Few have complete visibility of how the data is processed or controlled, or what risks they are exposed to. 

It's hardly surprising that only 1.64% of businesses are feeling fully ready for the General Data Protection Regulation. The General Data Protection Regulation requires you to maintain records on processing purposes, data sharing and retention. And if the ICO wants your records, you're going to have to make all records available on request.

This level of control will be a big leap for most businesses.  

However, the General Data Protection Regulation does not prescribe exactly how you need to manage data, except that "most organisations will benefit from maintaining their records electronically." 

So what is the easiest, least painful way to create and maintain a comprehensive list of all the ways your business is processing data?

At our recent General Data Protection Regulation workshop, Kate Armitage, Product Quality Assurance Manager at Qualsys said that many businesses will instantly be turning to spreadsheets to manage their Data Processing Register. However, there are other options which you will want to be aware of. Kate said:

The issue with spreadsheets is that they don't integrate with your other business processes. It makes managing change extremely difficult. You don't just have to be compliant on May 25th, you need to be compliant with the General Data Protection Regulation every single day, or risk huge fines. You're going to need to establish robust processes that systematically enable you to manage risks. 

Join the next GDPR workshop here - to get actionable advice, network with peers, learn about the regulation.

So how else can you manage your data processing register to ensure you have a systematic process for collaborating and managing risk - without doubling your workload? 

In this article, we explain how our GDPR software tool will help you systematically plan your data processing register as well as manage risk and change. 

Equipment & Asset Manager

Your data processing register needs to have:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
  • The purposes of the processing
  • A description of the categories of data subjects and of the categories of personal data
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of such transfers, the documentation of suitable safeguards
  • Where possible, the envisaged time limits for erasure of the different categories of data

Note: The obligations referred to above shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.

It can be helpful to start with an information asset register, including: 

  • Information held and the processes that use it
  • Where it is stored
  • How it moves
  • Who it is shared with
  • What the data is
  • Its classification
  • The level of protection reflecting its classification
  • Indicators of integrity, availability and confidentiality

Rather than just using yet another spreadsheet which doesn't integrate with any of your other business processes, this can all be managed within our software module Equipment and Asset Manager. The software module provides a framework, and your Service Implementation Manager will help you configure and manage the system for long term success.  



Privacy by design using Change Manager

Privacy by design has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. 

The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects. 

Change Manager enables you to embed privacy by design into all your operations. For example, your marketing team is recruiting a new agency. The agency will be processing your data. Change Manager provides the visibility, associated risks and collaboration required to ensure all of the appropriate documentation, policies and procedures have been followed. 



Manage your data privacy impact assessment with Risk Manager

Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.  DPIAs can be an integral part of taking a privacy by design approach.

The GDPR sets out the circumstances in which a DPIA must be carried out.

Image: Qualsys's PIA approach

Risk management is a core requirement of the General Data Protection Regulation. Risk Manager enables you to categorise, identify, suggest, manage and report on risks.

Rather than using clunky spreadsheets, all your risk data can be managed within a central framework. Risk suggestions can be raised within the system, so you don't need to guess or start from scratch. 



What you should do now

See our new GDPR software system in action. Request your demonstration here. 



Tags: ISO 27001, EU GDPR

The GDPR more important than ever: Cambridge Analytica 'Big Data' Scandal

Posted by Michael Ord on Tue, Mar 20, 2018

Cambridge Analytica has provoked international uproar for exploiting the data of millions to manipulate the US 2016 presidential election and the UK Brexit referendum, using data harvested from Facebook's mobile application, "Thisisyourdigitallife".

Facebook knew about the misuse years ago and requested that Cambridge Analytica delete the data, yet didn't blacklist the firm until recently. Facebook has terms of use for third parties and developers, but it has had minimal security checks and controls.

Both Facebook and Cambridge Analytica have denied any wrongdoing. 


From a compliance perspective, because the app was launched in 2015 it is covered by the Data Protection Act (DPA). But if it were to be in use after 25 May of this year, then the General Data Protection Regulation (GDPR) would apply. Here's how both Cambridge Analytica and Facebook would be implicated.


Online identifiers and profiling 

The DPA only covers personal data and sensitive data. But Cambridge Analytica used data to psychologically profile people and deliver a series of content to manipulate their beliefs and values. The GDPR will not allow businesses to profile people without their explicit permission. The regulation covers online identifiers, profiling data subjects, and other data you have. 


Explicit consent 

The application was developed by University of Cambridge academic Aleksandr Kogan who has no connections with Cambridge Analytica. As was common with apps and games in 2015, the application was designed to harvest not only the user data of the person taking part in the quiz, but also the data of their friends. 

Facebook has since changed the amount of data that developers can scrape in this way. However, the General Data Protection Regulation puts responsibility on both the controller and processor. In this case, Facebook would have a responsibility to protect the data subjects and be transparent and explicit about how the data is to be used.


Want to learn more about GDPR? Join our upcoming workshop


Time it takes to report a breach

Cambridge Analytica has been withholding information. Under the DPA, breach notifications are not mandatory: the business can decide who and what they report to the ICO. However, under the GDPR, breach notifications are mandatory and must be made within 72 hours or face huge fines. Penalties for breaches of the GDPR are substantial - sharing personal information and using it beyond the stated purpose will incur a fine of €20 million or 4% of global turnover.




Time to get your data policies up to the mark!

According to the Global GRC Survey 2018, 99% of governance, risk and compliance professionals feel their businesses aren't fully prepared for the General Data Protection Regulation. 

Prepare for the regulation, get template policies, and ask questions by joining our GDPR workshop. Click here to learn more.

Alternatively, download our GDPR toolkit



Tags: ISO 27001, EU GDPR

5 things you should know about GDPR

Posted by Alex Pavlovic on Mon, Jan 29, 2018

GDPR: four letters that you'll hear more and more over the next few months. 

You probably know that the EU's General Data Protection Regulation constitutes a dramatic change to the way businesses must handle and process their data - and it comes into force on 25 May.

But beyond that, most people scratch their heads. Here are five things you should know.


1.  It's got three aims

At its core, GDPR is really quite simple. Its three aims are:

  • To unify and strengthen the protection of personal data for EU citizens
  • To give EU residents greater control of how their data is stored and used
  • To control how personal data is exported outside the EU

Everything about GDPR boils down to these three guiding principles. Understanding how your business can fulfil these aims is the first step to compliance.

Personal data can be anything from name and address to race, religion, social media posts or even genetic and biometric data. Making sure businesses use the personal data that they possess in the right way is the crux of GDPR.


2.  It's tougher than the rest

GDPR replaces older legislation like the EU's Data Protection Directive or the UK's Data Protection Act and goes beyond them in a few important ways:

  • Unlike a directive, it's directly binding - so if your business is based in the EU or deals with it, you will have to comply from 25 May
  • It harmonises various sets of legislation into a single framework
  • It includes export of personal data beyond, as well as within, the EU

In short, there's no way of avoiding it and it has potentially worldwide reach. On the flip side, a single legislative framework simplifies compliance: nail GDPR, and your business has a compliant data management system that will build customer trust, strengthen reputation and image, and dodge financial penalties. Which brings us to the third point...


3.  It's got teeth

GDPR packs a serious financial punch for businesses found to be in non-compliance after 25 May. Fines of up to €20m (£17.56m) or 4% of annual turnover, whichever is greater, can be slapped on companies not managing personal data properly. Personal data must be:

  • Processed transparently and lawfully
  • Collected for legitimate purposes
  • Relevant, pertinent and necessary
  • Up-to-date and accurate
  • Stored only if necessary
  • Secure and confidential

If your business isn't complying with any of this - plan how to change it before May!

Some key steps to take include:

  • Creating detailed records of your data processing
  • Documenting your data policies and procedures
  • Training and informing staff about GDPR

We know how it is. You want to focus on the long term, but those short-term tasks stack up, get in the way and take up time. Trust us: setting aside some time for creating and actioning a plan now is the best approach to avoid nasty surprises further down the line.


4.  It will affect your business... even after Brexit

Every business with ties to the EU will be affected by GDPR. Yes, that includes British businesses after the Brexit date of 29 March 2019. 

The Queen's Speech in June 2017 highlighted the fact that GDPR, or something broadly identical to it, will remain in force once the UK leaves the European Union - so complying with GDPR is just as important for British businesses as those on the continent. 


5.  It affects everyone

The data protection officer (DPO) will be the main gatekeeper of GDPR, with tasks like monitoring compliance, cooperating with data protection authorities, and informing and auditing colleagues. But responsibility for data and information security compliance in a business falls on everyone. Let's take a look:

  • Marketing teams must get consent from those receiving marketing information
  • IT teams must guarantee electronic data security - and inform the supervisory authority within 72 hours if there's a breach
  • Customer account teams must make sure customer data is secure and relevant
  • HR must safeguard employee information
  • And so on!

Data touches all parts of a business. So getting questions answered, gathering information and putting together an action plan for GDPR compliance is absolutely vital.



What you should do now

GDPR will be the biggest overhaul of data protection regulation in twenty years - so get prepared.

Download our free GDPR toolkit for more information and guidance.




Tags: European Data Regulation, EU GDPR

GDPR workshop: 23 February 2018

Posted by Alex Pavlovic on Tue, Jan 23, 2018

Qualsys will be hosting a full-day GDPR workshop at our Sheffield office on 23 February 2018.

Do you know your ARs from your IPRs? Can you conduct a PIA? Do you know who the data controller in your business is? If, like hundreds of businesses in the UK, you need more information about preparing for GDPR, don't panic. A Qualsys survey in November 2017 found that 87% of businesses don't feel ready.

The General Data Protection Regulation constitutes the largest overhaul of data protection regulation in twenty years - and comes into force on 25 May 2018.

From that date, businesses found to be in breach of the regulation will be susceptible to fines of up to €20m (£17.56m) or 4% of their annual turnover, whichever is greater.

It's not surprising that businesses are nervous and scrambling to prepare and adapt before the big day. There's confusion and uncertainty about what compliance means and what steps to take. 


The Qualsys team will be offering expert support and guidance to businesses wanting to inform themselves about preparing for GDPR. Whether you're a Qualsys customer or not, our doors will be open on Friday 23 February for a full-day informative workshop in Sheffield.

Come join us and learn:

  • What GDPR means for your business
  • What to do before 25 May
  • How to conduct a PIA, manage risks, handle security breaches and prepare staff
  • How to manage assets, data types, customers and suppliers
  • Ten top tips from the Qualsys team

And much more. We will provide all delegates with a free information pack (and plenty of ideas!) to take away with them. To provide the most focused and valuable experience we can, places will be limited to ten delegates only on a first-come-first-served basis.

Get the knowledge you need to approach GDPR with confidence.

The workshop is priced as follows:

£399 (Qualsys customers)

£449 (non-customers)


What you should do now

Sign up for the workshop here

Read how our software suite helps businesses prepare for GDPR here

Tags: Governance Risk and Compliance News, European Data Regulation, EU GDPR

GDPR explained (Part 4): 10 essential GDPR resources

Posted by Emily Hill on Tue, May 16, 2017


There's a lot of information out there about the new EU General Data Protection Regulation (GDPR). But where do you find the best information about what GDPR means for you? 

We asked Qualsys's Business Mentor, Mike Bendall, to recommend his 10 favourite GDPR resources. 

1)  EU General Data Protection Regulation

A good place to start is with the EU themselves, by familiarising yourself with their Data Protection Regulation requirements.

In this Official Journal of the European Union, you'll find:

  • Why the EU have introduced the regulation
  • Details of the requirements for each article
  • All the requirements in full


2) Guide to the General Data Protection Regulation

International law firm Bird & Bird have produced some excellent materials on GDPR, including this comprehensive guide to the new regulation. They've also divided the guide into downloadable sections, which you can access here.


3)  Preparing for GDPR - 12 steps to take now (ICO)

The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. They provide a lot of useful resources on data protection and other related subjects for organisations and members of the public.

They've produced a 12-step guide to preparing for the GDPR and a handy checklist that organisations can use to assess their compliance.


4)  GDPR toolkit - by Qualsys


Qualsys provides many free toolkits to help organisations manage their transition into new ISO and compliance standards. In the GDPR toolkit, you'll find: 

  • Step-by-step guides
  • Advice from industry experts 
  • Quiz to get your stakeholders engaged with GDPR 

Download the toolkit for free here


5) EU GDPR: A Pocket guide (Alan Calder, Founder & executive Chair at IT Governance)

Gain a clear understanding of GDPR with this essential pocket guide, which explains:

  • The definitions used within the regulation in simple terms
  • The key requirements of the regulation
  • Advice of how to comply with the regulation

Buy for under £10 here

6)  "The Missing Piece in the GDPR Puzzle" eBook

This eBook by Collibra details a best-practice approach to data governance: 

  • Why organisations need robust information management systems
  • How data governance is a vitamin for competitive advantage 
  • 3 building blocks of a data governance business case 

Read the eBook here

7)  "Why GDPR should be at the top of your agenda" – CIO Trends Report (Computer Weekly) 

Computer Weekly has produced a CIO Trends report, which details: 

  • Why GDPR should be at the top of your agenda
  • How to ensure you're compliant
  • Insights from thought-leaders 

Read the report here

More articles from Computer Weekly you may find useful: 

 8) How to manage risks and reputation in any data-driven company


In this GDPR webinar, speaker Ronald van Loon discusses how to:

  • Maintain client trust with appropriate data management
  • Reduce risks and protect your reputation
  • Adopt a 'protection by design' approach to data 
  • Implement technical infrastructures to protect and govern client data
  • Utilise a data protection officer to define how data is collected and stored
  • Handle the various data streams

How to manage risks and reputation within any data-driven company

9)  Preparing for EU GDPR 

 This Slideshare by Alan Calder covers:

  • An overview of the regulatory landscape and territorial scope
  • Principles of the GDPR
  • Rules on breach notifications
  • Data subjects' rights
  • Changes to consent
  • Processor liabilities
  • Role of the Data Protection Officer

View "First steps to GDPR Compliance" here

10)  GDPR Stakeholder Workshop (Hans Demeyer, Data Protection Office) 

In this Slideshare, Hans Demeyer uses "Sophie's Privacy" as a case study to show examples of what can and can't be done under the new GDPR. There are some useful exercises you can run with your stakeholders to get them to understand their requirements. 

View the Slideshare here



What you should do now

For more information about GDPR, download our GDPR Toolkit. 




GDPR explained (Part 2): How to prepare your employees for GDPR

Posted by Emily Hill on Fri, May 12, 2017

Chances are that if you ask your leadership, marketing, HR or IT director what they're doing to prepare for the new EU General Data Protection Regulation (GDPR), you'll open up a can of worms. 

Research shows:

  • 20% of IT decision-makers in the UK are still unaware that GDPR even exists. (Trendmicro).
  • Almost one-third (32%) of people surveyed believe the chief information officer is responsible for GDPR-related changes, 21% the chief information security officer, 14% the chief executive officer, and 10% the chief data officer. (Centre for Information Policy Leadership).
  • Only 56% of directors confirmed that they "have a formal cybersecurity strategy", let alone a GDPR strategy. (Institute of Directors).

Lack of awareness, transparency and clarity around GDPR is causing a lot of confusion.

Who's responsible for GDPR? Who does it impact? How should each employee approach the new requirements to stay compliant?  


GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation. It's the responsibility of every employee. 


To help you develop a plan for engaging your employees, we've grouped your different stakeholders and set out their key requirements. Use this plan as a starting point, and develop it however you need to suit your own organisation.

For each stakeholder group, the table sets out how you're affected and what you must do.

Leadership

  • How you're affected: Fail to conform to GDPR and you could be fined up to 4% of your annual turnover and face considerable damage to your brand.
  • What you must do: Invest in training and providing the time and resources needed to make the changes.
  • How you're affected: If you have 250 or more employees, you must keep auditable records of how you process personal data.
  • What you must do: Keep reliable records of all your data-processing activities.

IT teams

  • How you're affected: All your processes and procedures for managing data must include data protection by design.
  • What you must do: Secure and encrypt all data, and track who's allowed to use or create new copies of data records.
  • How you're affected: Data subjects are entitled to see any data you have saved about them.
  • What you must do: Ensure you can make all information available in a format that's clear and understandable. If a customer wants to move to another company, you should be able to give them their data in a portable format.
  • How you're affected: If your systems are hacked, data subjects have the right to know whether their data has been stolen, and when this happened.
  • What you must do: If there is a data breach, you must notify the supervisory authority (the main data protection regulator yet to be determined) no later than 72 hours after you became aware of the breach.
  • How you're affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
  • What you must do: Implement a strong policy for how and when you'll delete data. You may need to consider what data you need to keep for archiving purposes.

Marketing teams

  • How you're affected: You can no longer send marketing emails without the recipient first having opted in to receiving them.
  • What you must do: Every one of your data subjects must acknowledge that they're willing to be marketed to. You cannot accept silence as consent, pre-ticked boxes are banned, and you need to specify cookies policies more clearly.
  • How you're affected: Data subjects have the "right to be forgotten" and their data deleted once it's no longer needed.
  • What you must do: Avoid collecting data for unnecessary or frivolous reasons, and consider whether you really need to know phone numbers, income, job titles etc.

HR and customer accounts teams

  • How you're affected: If you're a public authority, or a private company that regularly monitors or processes lots of sensitive data, you'll need to appoint a data protection officer.
  • What you must do: Appoint a data protection officer to (1) advise on GDPR obligations; (2) monitor compliance; and (3) liaise with the data protection authority.
  • How you're affected: There are tighter restrictions on how you store and process data on your own employees, and employees can withdraw their consent to this processing at any time.
  • What you must do: Consider what data you store on your employees and how you obtain their consent, and have systems in place for employees to withdraw their consent.


What you should do now 

After your initial stakeholder meetings, we'd recommend using our GDPR quiz to test how well your stakeholders understand their requirements. Find the quiz in our toolkit at the link below.

Continue for Part 3 of our GDPR series, 'How to get started'. 




GDPR explained (Part 3): How to get started

Posted by Marc Gardner on Fri, May 12, 2017

The new EU General Data Protection Regulation (GDPR) includes some dramatic changes on how companies manage, process and delete data. It's no longer just about finding data and making sure it's secure. It’s about capturing the context of data and being able to prove everything's being done to protect the subject's data and the rights of the subject themselves.


In Part 3 of our GDPR series, Kate Armitage provides a simple and pragmatic guide to help you to get started. 



Step 1: Understanding the data you have

What is "personal data", exactly?

The world of data collection has changed dramatically over recent years. We can collect and process huge amounts of data at the click of a button. This also means we're constantly on the brink of making a mistake. GDPR gives organisations an opportunity to get their data protection policies into shape. 

This starts with knowing exactly what data you have. Under GDPR, whatever information you hold that can be used to personally identify an individual (or individuals) must be managed and controlled.

This includes data you keep on employees, customers, journalists and any other third-party contacts, and can include (but isn't limited to) their:

  • Name, address and unique identifying numbers
  • Demographics – such as age, gender, income or sexual preference
  • Behavioural data –  web searches, purchase history, website cookies and more
  • Social data – who your friends are, your emails etc.
  • Sensor data – biometrics, health tracking devices
  • User-generated content –  videos, photos, blogs or comments.

Step 2: Understanding how to collect and process that data

Consent is one of the fundamental aspects of GDPR. One of the key changes is that you can no longer assume that keeping someone's personal information is OK until they opt out. Instead, you need to ask that person for permission to keep their data.

You'll need to:

  • Have a record for each contact, specifying what information they've requested and how 
  • Make sure your policies are clear and up-to-date 
  • Identify, assess and manage the potential risk associated with collecting, processing and managing the data
  • Respect that your contacts have a "right to be forgotten" and the right to ask for a record of their information at any time

Step 3: Understanding who's responsible for managing the data

You then need to work out what your different stakeholders are responsible for doing. Back in Part 2 of our GDPR series, we explain how to prepare your employees for GDPR, and provide a simple guide to keeping them engaged. 


What you should do now

Part 4 of our GDPR series directs you to 10 essential resources on the new regulation.



GDPR explained (Part 1): What GDPR means for your business

Posted by Marc Gardner on Fri, May 12, 2017

We've had many regulatory and quality managers contact us at Qualsys recently about the new EU General Data Protection Regulation (GDPR), what it means for them, and how they can use EQMS to manage the changes.

This article is the first in a series we hope will help you prepare for GDPR with confidence. We've answered four GDPR FAQs. 

1)  Why the new regulation?

GDPR replaces the Data Protection Directive 95/46/EC, which determines how personal data should be processed and used within the EU. It's been designed to:

  • Combine all data protection laws across Europe
  • Strengthen data protection for all EU citizens
  • Reshape the way EU organisations approach data protection

The regulation aims to protect all EU citizens from privacy and data breaches in an increasingly digital, data-driven world – one that's vastly different from the time in which the 1995 directive was established.

GDPR will be enforced across the EU from 25 May 2018, regardless of what happens with Brexit. The changes will take many organisations a long time to implement, so we recommend that you get started right away!

2)  What happens if we get it wrong?

There's a lot at stake – fail to comply and you could be fined up to 4% of your global annual turnover.

The fine you face will depend on the type of breach and any mitigating factors. But know that they're meant to penalise your disregard for the regulation!

3) What does GDPR cover? 

GDPR covers the data subject, the data controller and the data processor.

Data subject

Your customer, employee, user or any EU citizen who's entrusted you with their personal data.

Personal data means any information relating to an identified or identifiable individual – for example, their name, address, social data, history.

Data controller

The party that data subjects entrust with their data, and the party responsible for deciding what happens to the data, what it's used for, and how it's handled.

GDPR extends the requirements for data controllers.

Data processor

Any entity that handles personal data on the data controller's behalf.

If your organisation was considered a controller under the old directive, it'll most likely also be under GDPR.

Although the definitions of "controller" and "processor" haven't changed, their responsibilities have been extended. So where the old directive made the controller mainly responsible for data protection, GDPR will give the processor that responsibility as well.

4)  Who in my organisation does GDPR affect?

These privacy rules herald a new era in how EU citizens' data are handled, with new obligations relating to:

  • data subjects' consent
  • making data anonymous
  • notifying the relevant people when data protection is breached
  • data transfers across borders, and
  • appointing data protection officers

GDPR forces companies who handle EU citizens' data to reform their operations in a major way.

Getting to grips with the regulation can be more challenging if you're a global business. GDPR doesn't only cover organisations located in the EU, but the use of personal data relating to EU citizens by anyone in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you could be prevented from trading with the EU. 

Most organisations will need to make lots of changes to policies, processes, strategies and even systems to ensure they comply with GDPR. This poses many challenges for quality and compliance professionals.


What you should do now

Read Part 2 of our series, in which we explain how to prepare your employees for GDPR.