GDPR Compliance
The European Union General Data Protection Regulation (EU GDPR) came into force in the United Kingdom in May 2018. This legislation replaced the old Data Protection Act 1998 with a new version, namely the Data Protection Act 2018.
Following the UK’s exit from the European Union, the legislation effectively remained in place under the name of the UK General Data Protection Regulation.
Therefore, GDPR remains in force for all organisations that process personally identifiable information (PII) about individuals (i.e. living persons). For most organisations this typically means the data of their employees, customers, suppliers, prospects etc.
We provide a service that ensures your organisation is compliant with the legislation. We can fast track your compliance using our GDPR toolkit.
There are numerous benefits of being compliant.
The most obvious one is that it’s a legal requirement and you must comply or face significant fines.
The penalties in the UK are typically based upon the significance of the breach of GDPR and the organisation's annual turnover.
The maximum fine is £17.5 million or 4% of the organisation's global turnover, whichever is higher.
Details of the latest enforcement action can be found here.
Organisations that are classified as a Data Controller or Processor of personal data are required to have an up-to-date ROPA (Record of Processing Activities) (Article 30).
All of the key principles of data protection must be adhered to (Article 5), e.g.
All of the processing of personal data has to have a documented legal basis aligning to one or more of the following (Article 6):
The rights of individuals (Data Subjects) must be complied with (Articles 12-23). These rights include:
Data Controllers are required to have a documented Incident Management Plan (Article 33).
The plan must have a compliant methodology for managing incidents. Incident reporting requirements must be followed e.g. the Information Regulator must be informed within 72 hours of becoming aware of a reportable incident.
All data processing must be kept safe to avoid any issues with the confidentiality, integrity and availability of personal data.
The legislation requires that the organisation does everything in its power to keep the data safe (Articles 5 and 32).
In practice this means doing whatever is technically and financially feasible for the organisation to do. However, there are a number of mandated requirements under this area of the legislation.
Data Controllers are required to check if they are legally bound to appoint a Data Protection Officer – DPO (Articles 37-39).
If so, they must appoint a DPO that is:
An organisation's website must be compliant (Articles 5, 6 and 32).
This requires it to be:
Where an organisation processes special categories of data, it must conform to additional requirements (Article 9).
Special categories include:
Additional requirements include having the right legal basis and completing risk assessments.
All Data Controllers must document which third parties process personal data on their behalf as Data Processors (Articles 24-43).
Due diligence and risk assessments are also required to ensure that those third parties do not present a risk to the processing.
The legislation requires that organisations identify where personal data resides and whether transfers are made out of the UK and EU.
Where this occurs, transfer risk assessments must be carried out to assess the risk and identify any additional measures required, e.g. Standard Contractual Clauses.
Articles 45-47 are quite onerous to comply with and the law is likely to change in this area at some point.
Article 35 requires that organisations identify where there are requirements for formal risk assessments relating to the processing of personal data.
These include the processing of Special Categories of data and processing that is considered high risk, such as the processing of a significant number of records.
Article 27 requires that organisations appoint UK and EU data protection representatives where there is a requirement to do so.
Those representatives must be based in the UK or EU and hold a record of the processing on behalf of the Data Controller.
Article 25 requires that organisations develop and manage a suitable plan for the ongoing management of data protection compliance.
The plan should demonstrate actions to improve the overall compliance of the organisation, especially where compliance issues have been identified in audits and monitoring activities.
Our professional consultants will review your current status with regards to GDPR compliance.
Once that assessment has been done, we will be able to give you an accurate estimate on the likely time required and the cost of the service.
We are available during UK office hours.
Call Us : +44 330 027 2161
We are open from Monday to Friday
9.00 AM - 5.00 PM
Cyber Security 4 you is a trading name of Cyber21 Limited, a UK registered Limited Company.
The company provides affordable and cost-effective cyber security and data protection services and solutions.
Cyber21 Limited © Copyright 2025