Stay calm and comply. It’s coming whether you like it or not !

The EU General Data Protection Regulation (GDPR) will come into force as of May 25th 2018. It replaces the current Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. Penalties for non-compliance can be severe, up to 4% of global turnover for the more reckless or negligent of acts.

All organisations should have finished an initial assessment phase by now, designed to help you understand where the compliance gaps are. And a potential banana-skin is your supply chain, and ensuring that your suppliers are also heading towards compliance.

Arguably it is a victory for red tape bureaucracy, and regulation and legislation over common sense. Nonetheless it will affect everyone processing the personal information of any EU citizen, irrespective of where that processing may occur.

Article 4 of the regulation defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


The regulation is based on six core principles as follows, and we will look at these in more detail on our GDPR dedicated website, currently under development.

1.   Personal information shall be processed lawfully, fairly and in a transparent manner

Jargon deciphered, principle one specifically nods toward the concept of clear consent. In any situation where personal information is collected, it should have the demonstrable consent of the data subject. Opt-in tick boxes are still permitted but the regulation explicitly prohibits consent by non-action or opt-out boxes. The death of those confusing subscription choices at the bottom of forms is on the horizon.

2.   Personal information shall be collected for specified, explicit and legitimate purposes

Where personal information is collected, it must be communicated to the data subject what the purpose for its collection is and the subsequent processing. Organisations will need to become much clearer with data subjects about what their personal information will be used for.

3.   Personal information shall be adequate, relevant and limited to what is necessary

When collecting personal information, the data controller must only collect personal information which is absolutely mandatory for the specified purpose. For example, if personal information is collected to send me a magazine subscription, there is no requirement for my date of birth.

4.   Personal information shall be accurate and, where necessary, kept up to date

It is now the obligation of the data controller to ensure, to the best of their abilities, that the information collected is correct. This may seem difficult and even trivial, however what the regulation is trying to address, are situations whereby processing incorrect personal information may cause distress or harm to data subjects.

5.   Personal information shall be retained only for as long as necessary

Marketing teams wince at this principle as though it is the sourest grapes on the vine. All personal information must now have an expiration date applied, appropriate to its collected purpose. Indefinite retention is unlikely to ever entertain the patience of the supervisory authority.

6.   Personal information shall be processed in an appropriate manner to maintain security

The principle which has attracted much focus requires data controllers and processors to ensure their systems maintain the confidentiality, integrity and availability of data processing systems.

If you do not know your PIAs from your DPIAs, your PIMS from your ISMS, your DPO from your DPA, your BCRs from your SARs, your EDPB from your PECR, then you really need to ask someone that does. With Certified GDPR Practitioners in house Octree is ideally placed to assist you with any DP compliance project.

But hurry - the clock is ticking. Call now or email

Octree Cyber Essentials
Cyber security – don’t know where to start?
Talk to Octree, specialists in helping SMEs achieve Cyber Essentials status.

Is your business at risk of ransomware and cybercrime? Find out now - take our 5 minute health-check