GDPR | Are You Prepared? | Xuper IT | Latest News

GDPR – are you prepared?

There is now just over a week until the GDPR comes into force! After 2 years of preparation time, hopefully by now your organisation is at least meeting the minimum requirements to achieve compliance. We’ve put together a GDPR summary to make sure you’re completely aware of the changes coming on May 25th!

The GDPR Summary

The GDPR is the new data protection regulation set to replace the current UK Data Protection Act 1998. It introduces a number of new rights for individuals, measures organisations need to adopt, and mandatory data breach reporting.

Key elements for businesses

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

  • Processed lawfully, fairly and transparently
  • Collected, processed and stored for specific reasons, and not used for reasons beyond its original purpose
  • Accurate and kept accurate
  • Kept in a form that allows individuals to be identified only for as long as is necessary
  • Kept securely and protected from unlawful access, accidental loss or damage

Your personal rights

GDPR has strengthened the rights individuals have to access and control their personal data:

  • The right to be informed – Organisations must inform you of what data they are collecting, what they are using it for, how long they are keeping it and who they are sharing it with.
  • The right of access – You have the right to ask an organisation to provide what information they hold on you, why they hold it, what they’re using it for and who they share it with.
  • The right to rectification – The right to ensure information about you is correct, and for it to be corrected if it’s inaccurate.
  • The right to erasure – Aka the ‘right to be forgotten’, you can demand that information a company holds on you is deleted (in some circumstances this can be refused).
  • The right to restrict processing – The right to deny consent for an organisation to process your data, even if you have given consent for them to do so in the past (this can also be refused in some circumstances).
  • The right to data portability – Allows you to take the data an organisation holds on you and extract it for use elsewhere.
  • The right to object – You can stop organisations using your data in ways you object to, e.g. direct marketing or unwanted phone calls.
  • Rights in relation to automated decision making and profiling – Provides individuals with the right to object to or appeal against automated decisions that affect them.

What should you prioritise?

  • Make sure staff are educated on GDPR, Cyber Security & Data Protection.
  • Do you have all the appropriate cyber security measures in place?
  • Look at what personal information you hold – Where did it come from? Have you got permission to use it? Who do you share it with? Do you still need to hold it? And have you stored it securely?
  • Review your current privacy notices and make any necessary changes before GDPR.
  • Citizens will be able to request to see what information you hold on them, and request that it be deleted. You’ll want to check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide the data electronically in a commonly used format if requested.
  • Review how you find, collect, store and manage consent and whether you need to make any changes. You may need to refresh existing consents now if they don’t meet GDPR standards. For example, if you have a marketing mailing list – did the way you gathered that data meet GDPR standards? If not, you will want to get consent/permission to keep contacting everyone on your list.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach (companies will have 72 hours to inform regulators that a cyber attack or data breach has taken place).
  • If you hold data on children, you may need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing.

Organisations found to be in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). However, this is the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process their data, or violating the core of Privacy by Design concepts).