What is GDPR (General Data Protection Regulation)?


    GDPR stands for ‘General Data Protection Regulation’. It’s the result of four years of EU work to bring data protection legislation up to date. It came into force on May 25th 2018, and with the risk of large fines, GDPR is a term that all businesses, large or small, should be aware of.

    We’ve pulled together the facts and information that you need to know to ensure you don’t fall foul of the rules.

    Why was GDPR introduced?

    Data is used in multiple ways that weren’t envisaged in the 90s, so the Data Protection Act 1998 was no longer fit for purpose. There were weaknesses in the previous legislation, and the general public expect their information to be protected.

    GDPR applies across all EU member states, and the individual data protection laws of each EU country will disappear.

    When did GDPR come into force?

    On 25th May 2018, although the GDPR rules were actually passed even earlier. The approved text was published between March and April 2016, and it came into force in May of that year.

    There was a two-year grace period to give organisations time to ensure they were fully GDPR compliant; the actual enforcement date in the UK (in the form of the Data Protection Bill 2018) was May 25th 2018.

    What types of business does GDPR affect?

    All businesses and organisations that hold personal data are affected by GDPR, no matter what their size or structure. However, there are some differences depending on the number of employees you have.

    If you have fewer than 250 employees, GDPR means you need to hold internal records of your processing activities where the data being processed could put somebody’s rights and freedoms at risk, or where that data relates to criminal convictions and offences.

    Those with more than 250 employees must keep more detailed records: for example, the name and details of your organisation and your data protection officer, why you’re processing the data, a description of the types of individual and the categories of their personal data, as well as the categories of recipients of this data.

    You might still need to record extra details like these even if you’re a smaller business. In fact, you’re only exempt from these extra record-keeping duties if you only process personal data of EU residents occasionally. It’s best to get some advice on exactly what will apply to you here.

    How do I know if my business is affected by GDPR?

    All businesses are affected in some capacity, and it’s important to understand how, and what you’ll need to do to ensure your business is compliant.

    GDPR requires businesses to implement data protection “by design” and “by default”.

    Data Protection By Design

    Simply put, privacy by design is an approach to projects, systems and data records that promotes privacy and data protection compliance from the start. For example, when building new IT systems for storing or accessing personal data, you should ensure that privacy and data protection are key considerations in the early stages of the project and then throughout its lifecycle.

    Data Protection By Default

    Data protection by default, on the other hand, refers to the activation of such safeguards as a default setting. As a business, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

    What happens to businesses that don’t comply with the new GDPR rules?

    Major GDPR breaches

    There was some scaremongering in the media before implementation, and there have already been some high-profile cases. Fines for major breaches of GDPR could reach up to the larger of:

    • 4% of annual worldwide turnover or
    • €20 million (Euros).

    Other GDPR infringements

    These could attract a fine of up to the larger of:

    • 2% of annual worldwide turnover or
    • €10 million (Euros).

    Will GDPR still apply after Brexit?

    UK businesses currently have to comply with GDPR, as the new law came into effect before the two-year period for Brexit ended.

    In addition, the law is consumer-friendly and is, therefore, unlikely to be unravelled by the UK Government.

    Finally, if we want to continue to trade as freely as possible with the EU, this will undoubtedly be one of the laws we have to keep complying with, especially given that UK websites, for example, will be accessible to EU citizens.

    How do I make sure my business is compliant with GDPR?

    The Information Commissioner’s Office (ICO) has a huge amount of information on GDPR, and on what actions businesses need to take, on its website.

    We’d hate for your business to get caught out, so if you need specialist advice you could speak to our legal partner Lawbite, who also offer Crunch clients free legal consultations to help businesses identify exactly what they need to do for GDPR compliance. You can book your consultation via our Legal support webpage, or speak to your client manager.

    What is Crunch doing to ensure my data is protected?

    At Crunch, we take GDPR really seriously and we have a range of safeguards and initiatives to ensure we’re fully compliant with GDPR. Our privacy policy confirms that we manage data according to GDPR, so that’s a tick in the box for you if you’re a Crunch Client.