GDPR: ten easy steps all organisations should follow

Data protection law hasn’t undergone a significant update since the EU brought in legislation in 1995 – just six years after the birth of the World Wide Web. But GDPR is about to shake things up.

Now, 23 years later, the new law – known as the General Data Protection Regulation – will replace that aged directive on May 25 in a move that, according to the UK’s Information Commissioner’s Office, signals an “evolution” rather than a “revolution” for data protection.

GDPR is intended to strengthen and unify data protection law in the digital age. It means that any organisation – large or small – processing or controlling data in the European Union must comply with the legislation, which will be transposed into the national laws of each member state. Brexit doesn’t change this reality.

Organisations that commit serious infringements – such as repeatedly failing to seek customer consent to process data – will face fines of up to €20m (£17.7m) or 4% of their worldwide annual revenue, whichever is higher.

But despite the alarmist tone about GDPR coming from opportunist salespeople, the best advice for many organisations is to keep calm and carry on. Most organisations are already dealing with EU citizen data, and are required to comply with the existing 1995 data protection directive. It means that the infrastructure to handle GDPR is largely in place already.

GDPR is an opportunity to carry out a quality audit to get rid of bad practices and inappropriate procedures.