Do the GDPR changes apply to us?
October 6, 2017

With GDPR creeping ever closer, the internet is awash with information on what the changes are and when they take effect, yet it looks as though many organisations simply don’t recognise their need to comply.

According to a Crown Records Management Censuswide survey of IT decision makers, a quarter of all UK organisations have abandoned plans to do anything about their compliance (because of Brexit), and almost 45% believe GDPR will cease to apply to them once the UK formally exits the EU. It appears, then, that an alarming number of businesses simply don’t know enough about the regulation, or don’t know whether their status is that of a data controller or a data processor.

Rather than risk a fine, it’s worth finding out what is considered personal data and whether or not you are a controller or processor of it.

This guide should help you identify your status and put you on the right path to compliance.

Brexit and GDPR compliance

First things first, we think it’s important to state that Brexit will have no effect on your need to comply with GDPR. The regulation applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour, so an organisation outside the EU that handles EU residents’ personal data must still comply.

So regardless of whether Brexit is realised in its entirety, the chances are that as a UK-based company you will want to do business with a European organisation, or with individuals in the EU, at some point, and so you must comply.

Still not sure if that sounds like you?

Are you a data controller, a data processor or both?

The difference between data controllers and data processors may seem academic, but there is evidence that some organisations are confused about their respective roles and therefore about their data protection responsibilities. The distinction can have significant consequences in the event of a data breach, as the ICO will need to be able to determine where responsibility lies.

  • A ‘data controller’ is a person (an individual, group of persons or organisation) who “determines the purposes for which and the manner in which any personal data are, or are to be processed.”
  • A ‘data processor’ is a person (an individual, group of persons or organisation), other than a direct employee of the data controller, who “processes the data on behalf of the data controller.”

Example 1.
A call centre making calls on behalf of a telecoms provider is likely to be both a controller and a processor: it keeps personal data records of its own employees (controller), and it processes personal data given to it by the organisations it works for (processor).
Example 2.
Regardless of business purpose, if you are an employer that collects and uses information about people as part of a recruitment drive (controller), even to fill just one position, the Data Protection Act applies to your organisation, and from 25 May 2018 so does the GDPR.

Do we need to register with the Information Commissioners Office (ICO)?

Unless you work in a vacuum, the chances are that you do need to comply with the regulation. Under the Data Protection Act, individuals and organisations that determine how personal information is processed (data controllers) need to register with the ICO, unless they are deemed to be exempt.

Are you exempt from registration? Do you store personal data digitally? Do you record CCTV footage for security purposes? Not sure?

The ICO has a useful self-assessment tool that helps you identify whether or not you need to register with the ICO as a data controller.

"Data means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)."

Data definition from

Train your staff

Achieving GDPR compliance begins with a comprehensive staff training and education programme.

Once you’ve established that you do indeed process personal data you’ll need to make sure your staff all understand the regulation changes. Ensuring they know how the regulation change affects their day to day work will help safeguard your organisation from data breaches, and potential fines.

Did you know that forwarding emails containing personal data between colleagues who have no need to see it could constitute a breach? Do your staff understand that a serious breach can carry penalties of up to 4% of global annual turnover or €20 million, whichever is higher? Does your marketing department have explicit, documented opt-in consent (double opt-in is good practice) to use personal data for email campaigns?

If your organisation processes personal data of any kind, including the recording of CCTV footage, it’s essential that your staff know about the changes introduced by the General Data Protection Regulation, or you could be exposed to a finding of wilful non-compliance.

Let this training checklist from the ICO be your guide.

Discover. Manage. Protect. Report

Once you have identified your need to comply and have embarked on a staff training programme, it’s time to organise an information audit to ‘discover’ and identify what personal data you hold.

You should map data flows and document the personal data your organisation possesses. Detail what its purpose is, where it came from, on what lawful basis you hold it, and who you share it with. It is vital that you develop compliant processes, policies and systems for ‘managing’ data that will ensure its accuracy, its security (‘protection’) and its ‘reportability’, including your ability to report a breach to the ICO within the 72-hour window the regulation requires.

Prioritising ‘privacy by design’ in this way, that is, building an appropriate technical and organisational environment around the data, will ensure your business is ready to respond to a subject access request within the statutory time limit.

Learn more about the ICO’s Accountability and Governance guidelines here.

For more information on how you can get ready for the GDPR, or to arrange an Information Audit get in touch on 028 90 87 2222 or drop us an email using the form below.
