
EU General Data Protection Regulation (GDPR) 101



The biggest news in privacy and data protection for a number of years now was the passing into European Union law of the General Data Protection Regulation in 2016. This represented a huge shake-up for privacy compliance and, given its wide-reaching scope, many organizations are still catching up on its implications.


We thought we’d try to answer a few of the common questions about the EU GDPR in an easily-digestible form. But please note – we’re not lawyers here at CertiKit. This is our interpretation of the Regulation intended as an introduction. If you really need to know the full implications for you or your organization you will need to consult a suitably-qualified person (Phew, glad we got that out of the way).

So here goes…


Who does it affect?

Although it’s an EU law, it actually applies to anyone that holds or processes personal data about EU citizens, so if you thought you don’t need to know about it because you’re outside the EU (and remember the UK is now outside the EU), not (necessarily) so. It places responsibilities on both controllers (the ones collecting the data) and processors (who may process the data on the controller’s behalf).

What sort of data does it cover?

It’s all about “personal data”, which is basically data about living people from which they can be identified. Anything from name and address through to religion or marital status. If the individual can’t be identified, either directly or indirectly, then it doesn’t apply, so one of the things to consider is whether the data you hold needs to be as specific as it is currently.

What are the main changes from previous legislation?

The GDPR holds the same basic principles as previous law but goes further in some areas. The rules for obtaining consent to collect and hold personal data are stricter, you may need to appoint a Data Protection Officer, you’re expected to consider privacy from the very start of new projects, most data breaches must now be notified (and the fines have gone up), and you will need to be more careful about the countries you transfer the personal data you hold to.

What rights does a data subject have?

Quite a few, eight in fact. These are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Some of these will involve you reacting to a request from a data subject within a specified period of time (in many cases one month) so you’ll need to be ready.

Do we have to tell someone if we have a breach?

In the main, yes. You will need to tell the Supervisory Authority in your country (or an EU country if you’re outside the bloc) within 72 hours of becoming aware of a breach that is “likely to result in a risk to the rights and freedoms of individuals” and, depending on what’s happened, you may need to tell the data subjects affected as soon as possible too.

What are the penalties for not complying with the GDPR?

There is a range of fines increasing up to 4% of annual worldwide turnover or 20 million Euros (whichever is the higher). This is a lot more than previously and the actual amount will depend on the seriousness of the infringement.

Do we need a Data Protection Officer?

Yes, if you are a public authority, you do large-scale monitoring, or you process particularly sensitive types of data on a large scale. Your DPO will need to have an appropriate level of knowledge but can be either in-house or outsourced.

What is Privacy by Design?

When creating new systems or making big changes to existing ones, you will be expected to “design in” privacy controls from the very start. This will involve thinking about what data you need to hold (i.e. don’t hold more than you really need) and how you need to hold it (i.e. do individuals need to be identifiable). You’ll also need to conduct privacy impact assessments.

What is a Privacy Impact Assessment?

In many respects a PIA shares much common ground with a risk assessment and treatment process as required by the ISO/IEC 27001 standard. It involves assessing the risks to individuals of holding and processing their data and identifying ways to address these risks using controls.

What should we be doing now?

If you’re a new startup or you’re an existing company concerned about your compliance, the first step will be to understand what the GDPR means for your organization and then to create a plan to work towards meeting the requirements. This will almost certainly involve reviewing the personal data you hold and how it is collected (e.g. consent issues), getting procedures in place to handle the types of requests you may receive (e.g. rectification and erasure requests), and checking that any data transfers you make to other countries are still allowable under the GDPR rules. Will you need a Data Protection Officer?

You’ll also need to fully embrace the concept of privacy by design and ensure that your information security incident management procedures take account of the need to inform the relevant authority and possibly data subjects within the required timescales.

Last words

GDPR takes the protection of personal data to the next level and has sharp teeth in the form of heavy fines for infringements. It isn’t going away and the worst thing you could do is ignore your responsibilities under it. It moves information security up the agenda and makes a decision to implement standards such as ISO/IEC 27001 look even more sensible.
