The General Data Protection Regulation (GDPR) represents the most important data protection regulation change in 20 years. All companies processing and holding the personal data of subjects residing in the EU must comply once it comes into effect on 25 May 2018, regardless of location.

72 Hour Time Limit To Report a Breach

The 72-hour time limit runs from the moment you become aware of the breach.

A documented process must be available to prove your ability to comply.

Security By Design: Not Just An Afterthought

Companies must prove that they are operating securely by default.

The GDPR highlights the need to operate with security as the default state, forcing non-compliance to be identifiable and outside of normal operating procedures.

Subject Access Request and Portability of Data

Individuals can request a copy of all the information held about them.

Companies have 30 days to provide the requesting individual with a copy of the data held about them, including emails and personnel records.


We have provided some key questions that are regularly asked, along with brief answers, to help you for now.
For more detailed information please get in touch.

The GDPR is a new European law and set of rules intended to give individuals more control over their personally identifiable information. This includes your name, address, credit card number, date of birth, religion and more. Any company that stores and/or uses this information for marketing, payroll or any other purpose has to comply with these rules.

Unless you have taken on specialist help in data protection, there is a good chance that you will not be compliant with the GDPR.

The maximum fine will be €20 million or 4% of “worldwide turnover”.

PII, or Personally Identifiable Information, is defined in the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

This is an important question, and you are entitled to an answer from all of your suppliers. Those storage locations are subject to the same regulations as the companies that requested or use your information.

The main implications of the GDPR are policy, process and software based. Hardware will factor in when newer, more secure software is released which the hardware cannot run. If that software patches vulnerabilities in your systems or prevents the compromise of personal data, hardware that cannot run it could cost you €20 million.

The full text of the GDPR can be found here.