GDPR and DPA 2018 Compliance


The GDPR stands for General Data Protection Regulation, a mandatory regulation that came into force on 25th May 2018. It aims to consolidate the many different data protection regulations spread across the EU member countries. The UK has updated its Data Protection Act (DPA) from the 1998 version to the 2018 edition, which brings the DPA closely in line with the GDPR.

Complying with GDPR

Compliance with the DPA 2018 and the GDPR is a mandatory legal requirement from 25th May 2018 for all businesses that either interact with EU residents or are based within the UK. Businesses will no longer be able to use personal data for their own competitive advantage, and must follow a clear set of rules to ensure data is processed in a fair and consistent manner.

Compliance with the GDPR and the Data Protection Act (DPA) 2018 will help you eliminate unnecessary data flows, streamline operations and make your staff cyber-aware. Your business brand, reputation and profitability will naturally be protected by a robust set of data protection controls. The cost and effort of putting your company through GDPR compliance is negligible compared to the cost of a data breach.

Heavy sanctions apply for continual non-compliance and/or large-scale data breaches: fines of up to 4% of annual worldwide turnover or €20m, whichever is greater. For this reason alone, GDPR compliance must be taken very seriously.

Benefits of Compliance

  • It is a mandatory requirement from May 2018 – if your business relies heavily on the processing of personal data, steps must be taken now
  • Show commitment to security – demonstrate to your business partners, regulators and suppliers that you take data protection seriously
  • To win public sector work – independently verified DPA 2018 / GDPR compliance is likely to become mandatory for public sector suppliers. Proper evidence will be required; you will no longer be able simply to tick a box
  • Competitive advantage – in comparison to rivals that are not DPA 2018 / GDPR-ready
  • Safeguard commercially sensitive data – cyber criminals actively target companies with high-value data. Streamlining data flows, removing legacy data and putting security awareness and policy controls in place will go a long way towards reducing your company’s exposure to data thieves
  • Professional advice from a cyber security consultancy – gain expert oversight of your data protection controls
  • Gain independent verification – from data protection experts
  • Protect your business profits and reputation – by avoiding the financial disaster and negative publicity associated with a data breach

Data Protection is changing, be prepared for GDPR

The GDPR focuses on a key set of controls that protect your data from criminal, unauthorised and accidental use. The emphasis is very much on an individual’s right to privacy and the elimination of unnecessary data storage. We work in conjunction with data protection professionals who can guide you through the specific requirements your company must meet.

Undertaking the Cyber Essentials scheme with TeraByte will give you a route to compliance with the DPA 2018 and the GDPR, as well as reducing your business’s exposure to cyber attacks.

To work towards DPA 2018 and GDPR compliance, we recommend that the following steps are followed:

Responsibility and Accountability

Data Controller and Data Protection Officer roles should be assigned, and the business given clear direction, from the top down, as to how it handles data. Greater emphasis will be needed for public authorities and entities that carry out large-scale data processing. Clear and effective incident response plans should be adopted, so that the relevant authorities can be notified within 72 hours of a data breach, as the new legislation requires.

Scope and Data Flow Analysis

A thorough analysis of all data flows throughout your business must be carried out. This applies to both legacy and current processes, and also to processes that have been outsourced to third parties. Where data is no longer needed, it must be securely deleted.

Third Parties

Careful attention must be paid where data is being handled by third parties on your behalf. Contracts should be reviewed and amended, and third-party data flows documented.

Risk Assessment

Once data flows and any third-party interactions are established, a risk assessment should be carried out on each type of data flow to identify areas that need further attention.

Privacy by Design

Data processing systems may need to be redesigned to ensure privacy by design and by default. If no clear consent exists for the storage of personal data, it has to go. Systems that impose mandatory data collection fields, for example web forms, will need to be redesigned. A Privacy Impact Assessment should be carried out for all new systems or processes that involve the handling of personal data.

Data Classification

Personal data must be protectively marked, and data subjects must be able to change or delete their personal data upon request. Specific permission needs to be sought should personal data leave the European Economic Area.

Internal Security Awareness

The importance of data protection should be stressed to all employees and included in employment contracts. Suitable policies and procedures should be developed so that each member of staff is aware of their responsibilities for data protection. Staff who handle sensitive data must be subject to regular criminal records checks.

Information Security Management

GDPR compliance is not a one-off task. Data must be securely managed throughout its life-cycle, and the best way to achieve this is by implementing an information security management system (ISMS) based on a standard appropriate to the size of your organisation. Secure data processing must be embedded at the heart of your organisation’s culture and be demonstrable to both auditors and regulators.
