GDPR (General Data Protection Regulation) is a European Union-driven regulation (specifically the European Parliament, the Council of the European Union and the European Commission) that will strengthen data protection laws throughout the EU. Notably, it will also make provisions for data that is sent outside the EU.

It takes effect from 25th May 2018 and aims to simplify and unify data protection legislation across member states, making it easier for organisations to comply when doing business internationally.

GDPR Timeline

  • 25th January 2012: GDPR was first proposed, with a goal of formal adoption in 2016.
  • 21st October 2013: Orientation vote held by the European Parliament Committee on Civil Liberties, Justice and Home Affairs.
  • 15th December 2015: A joint proposal results from negotiations between the European Parliament, Council and Commission.
  • 17th December 2015: The European Parliament's LIBE Committee votes in favour of the GDPR proposal.
  • 8th April 2016: The proposal was adopted by the Council of the European Union.
  • 14th April 2016: The proposal was adopted by the European Parliament.
  • 4th May 2016: GDPR published in the EU Official Journal.
  • 24th May 2016: The regulation comes into force (20 days after publication).
  • 25th May 2018: Two years after coming into force, GDPR takes full effect and its provisions apply to all EU member states.

This grace period of two years allows businesses time to ensure that they comply with the new legislation.

12 Step Process For GDPR Compliance

Source: Data Protection Commissioner

Step 1: Become Aware

Review and enhance your organisation's risk management processes - identify problem areas now.

Step 2: Become Accountable

Make an inventory of all personal data you hold. Why do you hold it? Do you still need it? Is it safe?

Step 3: Communicate With Staff And Service Users

Review all your data privacy notices and make sure you keep service users fully informed about how you use their data.

Step 4: Personal Privacy Rights

Ensure your procedures cover all the rights that individuals are entitled to including deletion and data portability. 

Step 5: How Will Access Requests Change?

Plan how you will handle requests within the new timeframes - requests must be dealt with within one month.

Step 6: Understand The Legal Basis For Holding Data

Are you relying on consent, legitimate interests or a legal enactment to collect and process the data? Do you meet the standards of the GDPR?

Step 7: Customer Consent

Review how you seek, obtain and record consent, and whether you need to make any changes to become GDPR-ready.

Step 8: Processing Children's Data

Do you have adequate systems in place to verify ages and gather consent from guardians?

Step 9: Report Data Breaches

Are you ready for mandatory breach reporting? Make sure you have the procedures in place to detect, report and investigate a data breach.

Step 10: Ensure Future Projects Are Compliant

Data privacy needs to be at the heart of all future projects. Use Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. 

Step 11: Data Protection Officers

Will you be required to designate a DPO? Make sure it's someone who has the knowledge, support and authority to do the job effectively.

Step 12: International Organisations

The GDPR includes a one-stop-shop provision which will assist those data controllers whose companies operate in many member states. Identify where your main establishment is located in the EU to designate your Lead Supervisory Authority.