07 Nov 2016

GDPR – The ICO Announces That The UK Is Going Ahead With The Reform Of Data Protection Rules In May 2018

Positive news was announced on 31 October by the ICO, providing clarity on the direction the UK is taking on the new data protection regulations. The Information Commissioner confirmed what many of us had suspected: the UK is still bringing the GDPR into effect in May 2018 as originally planned.

The General Data Protection Regulation (GDPR) has been designed to toughen the protection of individuals’ data and maintain consistent standards across all countries within the EU. It also extends to any non-EU companies that do business within the EU.

Maintaining the implementation of this regulation is a good move for the UK. We all need to be more aware of protecting our information, especially with the growth of cybercrime. All businesses hold far more electronic data now, and with this comes a greater risk of that data being stolen, lost or otherwise misused. The GDPR provides clear laws and safeguards to protect individuals, with the aim of elevating and promoting accountability and governance. By putting the recommended measures in place, organisations should be able to minimise the risk of a breach, improve the security of data and reduce the risk of reputational and financial damage.

The intention behind this regulation is a good one, but we recognise that the scale of the change required is overwhelming for many businesses that are unsure where to start.

Protecting your data

When people think of cybercrime and personal information being stolen, passwords and bank details come to mind. However, the scope is much broader than this and includes all data that falls under the categories of personal data and sensitive personal data. Businesses big and small hold information of this nature: every company holds HR records, customer lists and contact details for customers, suppliers and employees. Any data you hold that can be used to identify a person is classed as personal data. Sensitive personal data relates to a person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or any legal offences. It is up to each business to make sure that any such data is managed and held correctly and that good practice is followed.

There are four starting points you need to consider moving forward:

  1. This doesn’t just lie with IT; it lies with everyone in the company if you are going to successfully implement change.
  2. It is the company’s responsibility to build employee awareness of the changes being made and why they are important. The new mindset needs to start from the top down.
  3. Any business first needs to understand what its risks are, the level of each risk and where they lie. These can then be addressed by deploying policies, processes and technology to support the new requirements and new ways of working.
  4. Every business needs to understand where its critical information is held, who has access to it, and from where. With a clear picture, controls can be implemented.

Managing change

May 2018 really isn’t that far away. The priority right now is to understand what you are going to need to change. If you gain a clear picture now, you can make the changes on a manageable timescale and best handle any associated costs. It also takes time to transform the mindset of employees to new ways of working, and you need to allow for this.

The regulation asks each company to implement proportionate measures along the following lines:

  • Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintain relevant documentation on processing activities.
  • Where appropriate, appoint a data protection officer.
  • Implement measures that meet the principles of ‘data protection by design’ and ‘data protection by default’. Measures could include:
    • Data minimisation
    • Pseudonymisation
    • Transparency
    • Allowing individuals to monitor processing
    • Creating and improving security features on an ongoing basis
  • Use data protection impact assessments where appropriate.

None of this guarantees that you won’t suffer a breach, but it should minimise the risk of one happening and the level of impact. You need to make sure you have plans in place to identify breaches and to manage a breach as well as possible. The new regulation contains mandatory reporting requirements, which include actions such as notifying clients and any other business relationships of the breach, and serious fines of up to 4% of your annual global turnover – a serious hit for any organisation.

The ICO’s 12 steps for preparation now

There is a lot to consider. The ICO is being very proactive in supporting the change and has already provided a checklist of what you should be implementing now. Here is a quick summary:

  1. Building Awareness – speak to key management and decision makers within the business to make sure they are aware of the GDPR, and ensure they speak to their teams to start building awareness across the company.
  2. Review/Audit – understand what you do and don’t have in place, such as privacy notices and security policies – are they up to date?
  3. Communication – how do you communicate policies and procedures to employees, and how regularly do you remind everyone of them?
  4. Individual Rights – how do you manage individuals’ information and, ultimately, how do you delete or destroy it?
  5. Change Management – put a plan in place for managing change during this transition period and for handling any new requests or issues.
  6. Legal Position – understand and clarify your legal position on the data you manage and hold and why you are doing so – keep this recorded and maintained for future reference.
  7. Gaining Consent – do you have a procedure in place for gaining consent from individuals to hold their data?
  8. Legal Consent – how do you make sure that the information you gather is from individuals of legal age or has the approval of their legal guardian?
  9. Data Breach – don’t assume you won’t be targeted. Make sure you have plans and processes in place so that you can detect and best manage a breach.
  10. Data Protection Impact Assessments – the ICO has prepared a guide to impact assessments. Download it now and build the implementation of these assessments into your plans.
  11. Nominate a Data Protection Officer – every business should have a nominated person who is responsible for compliance. Everyone in the business should be aware of who this person is.
  12. International Impact – make sure you consider the data protection laws of each country in which you have representation, clients or suppliers, as you will come under the laws of that country.

Since the original announcement in May, and even after the Brexit vote in June, we have been stressing that businesses still need to prepare for the new regulation, as it or something similar would still be enforced.

Now that it has been officially announced, we hope that more businesses make it their focus and give themselves time to implement the necessary changes. We are already 5 months into the 18-month preparation stage, and we suspect many companies haven’t done anything about this yet. Don’t leave it too late; at the very least, be aware of how much change you are going to have to make.

If you would like to talk to someone about compliance and what this means for your business, please do get in touch and call us on 01727 843888 or email us at