09 Feb Guide to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a new EU-wide regulation which will make the current UK Data Protection regulations much stronger. The GDPR is in force from May 2018 and, if breached, can result in fines of up to 4% of turnover. This represents a significant and lasting change to the current Data Protection policy in the UK, irrespective of what happens to the UK’s longer term relationship with Europe.
Every organisation processing personal data must put in place safeguards against loss, theft and unauthorised access, and the definition of personal data has been extended to include anything that could be used to identify an individual. GDPR will require more than just the Cyber Essentials basic technical controls. It is essentially a governance system for managing the controls that protect all personal data. Our governance standard adds a number of topics to Cyber Essentials which will be required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.
There is a useful guide put together by the Information Commissioner's Office (ICO).
The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.
This is a living document and the ICO are working to expand it in key areas. It includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative.
Alongside the Guide to the GDPR, there are a number of tools to help organisations to prepare for the GDPR.