The aim of GDPR is to provide EU citizens with clear information on how their information is used, how to raise complaints, and how to remove their personal information from the data/information stores of any organisation- wherever in the world that organisation is based.

What is GDPR?

Launching in May 2018, the General Data Protection Regulation (GDPR) is a new EU regulation that organisations must follow in order to understand how they should handle and protect our personal data. It protects the privacy of European citizens.

Many of the new provisions are already implemented within the UK’s Data Protection Act. However, under GDPR, organisations must be able to show evidence of consent given, must inform customers where the data will be stored, how and why it’s being used and of course, the way in which it’s being protected. There must also be a process to allow customers to remove their data from the organisations data and information stores, and this process must be as easy for the customer to access as the process to collect the data. This applies to all personally identifiable information held and in the case of “Sensitive Data”, consent must be explicit.

It must be noted that personal data is defined as anything that can identify an individual – for example, an IP address, postcode, home address, photo in which individuals are identifiable, bank details, posts on social media etc.

When will it be implemented?

The GDPR will have to be implemented across the EU by 25th May 2018[1]. The implementation of GDPR is not affected by Brexit (as explained at the end of this article). Organisations must be able to assure that they are compliant with the requirements of GDRP as of this date.

Who does it apply to?

This regulation applies to any organisation which holds and/or processes personally identifiable data of any citizen based in the EU. The rules clearly outline obligations of any organisation, and require the citizen to be clearly informed on how their data is stored, used and processed, and how to remove their data from that organisations data and information stores.

This applies both to ‘controllers’- those who say how and why personal data is processed –  and to ‘processors’ – those who do it on their behalf.

Why should companies care?

Organisations not abiding by this regulation will face fines up to £17m (€20m) or 4% of global turnover. Compliance gives some assurance to individuals that their data is being well managed and securely stored, and that there are less chances of data being misused, or data breaches occurring.

Why should consumers care?

The protection of personally identifiable data is the main aim of GDPR. It is hoped that, by giving end service users and customers greater control and understanding of how organisations use their identifiable information, customers will be able to remain in control of the use of their personal information.

This means that consumers will be able to withdraw consent whenever they like, know exactly what they are consenting to, where their data is being stored, why it’s being used, who has accessibility to it etc. In short, consumers will have more control and power over their personal data. The removal of consent to store and process data must be as easy for an individual to access as the initial collection of the data.

The requirement for descriptions of all areas of data collection, processing, storage and consent removal to be in plain language further enhances the control individuals have over the use and management of their personal data.

Are businesses prepared?

According to a survey conducted by Imperva[2], only 51% of respondents understood that GDPR would have an impact on their companies, nearly one third stated that it would have no impact on their companies while 11% were unsure and 5% did not know what GDPR was.

Concerns continued to be highlighted as, in addition, among the IT professionals surveyed, it was found that only 43% of respondents confirmed that they are in the process of preparation for GDPR, 29% were not and 28% were unaware of specific preparations.[3]

We have found that several customers have been confused by the GDPR process. Some of our customers believe that this is about enhancing IT and information security to prevent hacks – forgetting the key aims of allowing the citizens more control over the use of their personal data.

How does Brexit effect GDPR?

 Contrary to popular belief amongst UK based companies, GDPR will still be in place after the UK officially completes its exit from the EU. The UK Data Protection Bill (2017) will update data protection laws to incorporate areas of GDPR not currently serviced by current data protection regulations. Therefore, all organisations need to be fully prepared.

The government has confirmed the implementation of the GDPR into UK law even after withdrawing from the EU, stating that it is “suitable for our new digital age, allowing citizens to better control their data.”[4]

How can Strategic Discourse help?

Our consultants are well versed in the requirements of GDPR and assist organisations in ensuring their policies, processes and procedures are updated to be compliant. Furthermore, our training and communications teams can help your business spread the message of GDPR internally, to ensure all staff are fully aware of their responsibilities.

Where technical solutions are required, we have a strong background in information and technology governance and, as we are supplier agnostic, our specialists will recommend the best solutions for your corporate needs.

Get in touch with us by phone (020 3291 3573) or email (, and one of our consultants will arrange a free consultation to help understand your particular requirements.


[2] “What is the current state of company preparedness for the European General Data Protection Regulation (GDRP)?” Available at: