You need to know for sure


In a nutshell, as far as IT systems are concerned, GDPR compliance means ticking all the boxes laid out by the new law in such a way that your systems support compliance now and into the future, not just as an added extra but as an integral, natural part of the way you do business.

It’s all about best practice: not just having robust technology but using it correctly, and creating and embedding a culture where compliance matters and people’s privacy is paramount.


You’ll know you comply if you can tick all of these boxes:

  • You abide by GDPR if you are any company that collects and/or processes EU citizens’ personal data, wherever in the world your business is based
  • You have collected the right sort of active consent to store and use a person’s data and explained how it would be used
  • You have put a suitable protocol in place to deal with notifying the supervisory authority within 72 hours of discovering a security breach unless doing so results in risks to the rights and freedom of individuals
  • You must be set up to provide electronic copies of private records to people who ask for them, detailing what personal data you are processing, where the data is stored and why
  • Your Data Controller must be able to delete people’s personal data as well as stop sharing it with third parties, who must also stop processing it
  • You must let people give their data from one controller to another, which means you have to be able to hand over an individual’s personal data in a ‘commonly used and machine readable format.’
  • You must build data security into your products and processes from day one
  • Data controllers and data processors must appoint a DPO


It might sound alarming, but in fact, GDPR is simply a process, something that needs to be factored into every aspect of your business and adopted as the norm. If your IT system already lets you do all of the above, it’s probably doing a pretty good job. To be sure, though, it makes sense to get expert IT support to ensure everything’s working like clockwork. If your IT system doesn’t let you do one or more of the above, you need help to make it so.


Here are some detailed plain language posts about the GDPR:


You’ll need parental consent to process the personal data of children under 16. Some EU member states might ask for a lower age of consent, but it won’t go below 13.

GDPR is a regulation, which means it’s legally binding. The previous legislation was a directive, which was less strict.

As long as they meet the new rules, existing consents should be OK. But when personal data is processed for direct marketing, individuals should be told explicitly about their right to object.

If someone hasn’t opted in, you can’t call them.

It means data protection has to be a core consideration when designing data systems, not just an added extra.

The EU says personal data is “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”

It’s a particular category of personal data that can uniquely identify a person, for example, biometric and genetic data.