GDPR (The EU General Data Protection Regulation)

Stay calm and work towards complying. It’s coming whether you like it or not!

The EU General Data Protection Regulation (GDPR) will come into force as of May 25th 2018. It replaces the current Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. Penalties for non-compliance can be severe, up to 4% of global turnover for the more reckless or negligent of acts.

And irrespective of Brexit this law will be applicable in the UK, as the UK Data Protection Directive, so there is no avoiding this – it is here to stay, and particularly if you do business with other EU / EEA countries.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of subjects (EU Citizens) for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications to the ICO
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

'personal data' is any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

If you do not protect the Confidentiality, Integrity or Availability of personal data you will be in trouble.

Who is Subject to GDPR Compliance?

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.

All organisations should have finished an initial assessment phase in readiness. A gap analysis to determine where you need to focus your efforts to get on-track towards compliance. And we can help with that.

If you do not know your PIAs from your DPIAs, your PIMS from your ISMS, your DPO from your DPA, your BCRs from your SARs, your EDPB from your PECR (all confusing terms specified in the new regulation), then you really need to ask someone that does.

The Certified GDPR Practitioners at Octree are ideally placed to assist you with the complex and difficult to decipher world of Data Protection compliance.

But hurry - the clock is ticking towards 25th May 2018. If you’d like guidance about implementing your GDPR obligations call us on 01462 416400 or email

Octree provides cost effective GDPR and Cyber Security solutions for even the smallest of businesses.

Octree Cyber Essentials
Cyber security – don’t know where to start?
Talk to Octree, specialists in helping SMEs achieve Cyber Essentials status.
GDPR Survey


  1. Personal information shall be processed lawfully, fairly and in a transparent manner
  2. Personal information shall be collected for specified, explicit and legitimate purposes
  3. Personal information shall be adequate, relevant and limited to what is necessary
  4. Personal information shall be accurate and, where necessary, kept up to date
  5. Personal information shall be retained only for as long as necessary
  6. Personal information shall be processed in an appropriate manner to maintain security
More Detail