The general data protection regulation

The Data Protection Act 1998 is old news. Taking over is the General Data Protection Regulation. The Regulation will harmonise data privacy laws across Europe. It will protect EU citizens’ data privacy and give them rights over the data you hold about them.

The GDPR came into force over two years, but time has been given to companies to comply, so you have until 25 May 2018. This may sound far off, but there is a fair amount of work to be done to make sure you will comply.

An interesting aspect of GDPR is that it doesn’t just apply to organisations within Europe. It applies worldwide to all companies processing and holding data about European subjects living in the European Union, regardless of whether the company itself is located in the EU or not. Such organisations may well be your overseas suppliers or business partners. If you are passing data to them about your European-based customers, you will need to check whether they comply with GDPR.

Brexit will offer no respite. The UK Government has said it intends to implement an equivalent or similar legal mechanism to the GDPR.

Should you wish to flout the law, the penalty for a breach will be up to 4% of annual turnover or €20 million. It is expected, though, that unless you are knowingly in serious breach of the Regulation, such a high fine would not be levied.

I know a few companies that have already started reviewing the data they hold to ensure that, by May 2018, they will comply with the GDPR. If you have not yet started a project, my advice is to get going sooner rather than later. As with all resource-intensive projects, it is always much better to have more time available rather than less.

If you have not yet started a project, here are some steps you might take:

  1. Learn about the GDPR. The Information Commissioner’s Office website has some good bedtime reading.
  2. GDPR is not just an IT project. You will need to get everyone on board. Keep staff and management regularly updated as the project progresses.
  3. Across all departments of your organisation, you will need to discover all the personal data that you hold. You will need to know what it is, where it is and how it is used. This will all need to be recorded and records will need to be kept up to date.
  4. You will need to know about the whole data chain. It will be your responsibility to make sure your suppliers know about GDPR and will be taking similar action to you. Get in touch with them and find out what they are doing about complying with GDPR.
  5. You may need to update privacy policies, ensuring they are clear, concise and that consent functions are thoroughly tested.
  6. You will want to develop and test procedures for handling the following:
     • Subject access requests (the right of people to see the data you hold about them)
     • Subject access rectifications (correcting inaccurate data)
     • Subject access portability (providing data in a format that can be passed on)
     • Actioning all right to be forgotten requests (removing people’s data and proving that this has been done). Bear in mind this will also need to be done for third parties to whom you are passing personal data.

Yes, GDPR compliance is going to take time, but don’t ignore it. It’s got to be done, so best to get going.

Paul Richer is Senior Partner of Genesys, a management consultancy specialising in providing advice on technology for the travel, tourism and hospitality industries. Genesys has built a worldwide reputation for its knowledge and experience of new system procurement, online technology and strategies including website audits and online booking systems, reviewing and formulating companies’ IT strategies and more. Clients include many of the best known names in travel. Paul has co-authored several reports examining the impact of technology on the distribution of travel, including “Distribution Technology in the Travel Industry” originally published by Financial Times Retail and “Marketing Destinations Online – Strategies for the Information Age” published by the World Tourism Organisation. He has presented at and chaired many online travel conferences, is regularly quoted in the press and has also been invited to make several appearances on television to debate the subject. Prior to founding Genesys in 1994, Paul was Business Development Director of Finite Group plc and Head of the Group’s IT strategy consultancy. He holds an MBA from Cranfield School of Management, is a Fellow of the Institute of Travel & Tourism and Member of the Chartered Institute of Marketing. More information at
