Understanding the new General Data Protection Regulations

The new General Data Protection Regulations (GDPR), due to come into force in May 2018, are about to make cyber security a very serious business.

GDPR significantly increases the data privacy rights of individuals and the requirements on all organisations to protect individuals’ data and their identities.

Irrespective of the size of your business, GDPR will apply.

But it doesn’t mean that all companies have to approach GDPR in the same way or have the same compliance requirements.

Not all organisations are equal

The GDPR, like the current Data Protection Act, protects personal data which is defined as “any information relating to an identified or identifiable natural person”. That includes the standard name and address type of information but also extends to IP addresses (the unique internet identifier of a computer or mobile).


GDPR is risk focused and assigns specific responsibilities to those organisations that have high risk processing activities. High risk isn’t precisely defined but covers activities where a breach is likely to result in “a high risk to the rights and freedoms of natural persons”. High risk is understood to refer to breaches where there are significant detrimental consequences for individuals.

So for a business making widgets that stores and processes personnel data on its staff, the GDPR requires little more than the current Data Protection Act.

But if processing personal data is core to your organisation’s activities (e.g. law practices, property management, financial services or housing associations), GDPR introduces extensive requirements around lawful processing and consent of the individual, rights of the individual, security of processing and breach notification.

It’s up to you to show how you’re compliant

GDPR also introduces accountability requirements. It states explicitly that you need to be able to demonstrate how you comply with the regulations, and that doing so is your responsibility.

You need to be able to show the basis for your decisions, from whether your processing is high risk to whether you need to appoint a Data Protection Officer.

Unlike under the Data Protection Act, which only applied to data controllers, data processors now have legal obligations under GDPR. So if you process individuals’ personal data on behalf of another organisation, you’ll have your own responsibilities for compliance under GDPR. Client and supplier contracts will need to be reviewed and amended.

Data sharing with other organisations will become much more heavily regulated. If you share data with other organisations you’ll need a GDPR-compliant data sharing agreement between you.

Elizabeth Denham, the Information Commissioner, commented about this in a speech in January 2017:

“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”

The onus is on you to show you have consent

Lawful processing and consent form the basis for the legal justification for you to process an individual’s personal data. They were called conditions for lawful processing under the DPA.

One of these conditions is consent of the individual, which is much stricter under GDPR. Regulators (i.e. the ICO in the UK) have the power to stop processing of personal data by an organisation which is not compliant with the regulations.

An individual’s consent needs to be freely given, easily accessible, clearly distinguishable and capable of withdrawal. Consent must be obtained for each processing activity, so consent obtained during completion of a tenancy, for instance, can’t be used for an unrelated purpose such as promoting landlord insurance.

Strengthened Individuals’ Rights

The right to be informed: This extends obligations that already exist under the DPA. GDPR extends the information you need to supply, but you’re likely to have many of the core elements in place already.

The right to rectification: inaccurate or incomplete data must be rectified. You need to respond to individuals within one month and inform any third parties you’ve shared data with.

The right to restrict processing: the right to ‘block’ or suppress processing of personal data is similar to the DPA right. Third parties who you share data with must be informed of the restriction.

The right to object: individuals have the right to object to processing of personal data in certain circumstances. If you process for marketing purposes you must stop immediately – there are no grounds to refuse. Otherwise there are legitimate claims to object.

The right of access: this right allows individuals to be aware of and to verify the lawfulness of the processing. You can’t charge a fee (change from the DPA) unless the request is unfounded or repetitive.

The right to erasure: the DPA threshold that processing must cause unwarranted and substantial damage or distress for personal data to be erased no longer exists. Third parties who you share data with must be informed.

The right to data portability: allows the transfer of personal data to other services. Data must be in machine readable format and supplied within one month. Applies to data supplied by the individual and processed automatically.

Automatic decision making: if your processes include automated decisions that produce a legal or similarly significant effect, you should review your processes against the requirements of the GDPR.

Strong cyber security is no longer an option

GDPR requires you to implement a level of security appropriate to the risk.

In the case of the widget maker processing staff data, the risk is low, so standard levels of security would suffice.

In the case of a law firm, property management company or housing association, however, the risk is high.

That means higher levels of security, including data encryption, continuous monitoring and breach detection to protect personal data against cyber security vulnerabilities, including cyber-attacks and cybercrime, the ability to restore data quickly in the event of an incident, and processes for regularly testing, assessing and evaluating the effectiveness of your security.

You also need to be able to detect and respond to any breach of security or breach of personal data swiftly and effectively.

Compliance Simplified

Hexagoncloud Cyber Defence System (CDS) has been specifically designed to provide security, continuous breach detection, fast data restoration, regular security testing and assessment and the ability to quickly respond to security or data breaches.

CDS has been designed and independently assessed to provide the appropriate level of cyber security for high risk processing. We’ve also designed in options for fast data restoration, encryption of data, continuous monitoring and breach detection as well as regular security testing and assessments.

CDS meets the cyber security, monitoring, breach detection and response, and on-going confidentiality, integrity, availability and resilience requirements through a fully managed service.

With CDS you won’t just be meeting GDPR requirements or SRA or FSA or other regulatory compliance.

Competitive Advantage

Your business will be based on a highly secure, stable and scalable IT platform, setting you apart from your competitors and giving you a major advantage in markets where customers are worried about the security of their data.

And if you’re a data processor, you’ll be able to show your customers that contracting with you is future proofed and will protect their reputation.



