Why your business should care about GDPR and what you can do about it

On 14 April 2016, after four years of preparation and debate, the EU Parliament finally approved the General Data Protection Regulation (GDPR). Enforcement starts on 25th May 2018.

The goal of this regulation is to strengthen and unify data protection for all individuals within the European Union (EU) by addressing the export of personal data outside the EU. It gives control back to citizens and residents over their personal data. This regulation is designed to harmonize data privacy laws across Europe.

While key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies. This regulation is applicable to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

Under GDPR, organizations in breach can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).

A company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subjects about a breach, or for not conducting impact assessments.

These rules apply to both data controllers and data processors, and even ‘clouds’ are not exempt from GDPR enforcement.

Data privacy isn’t a new issue, but it is one that even many tech titans have overlooked. When security breaches occur, as they have recently and in the past, sensitive information about people (social security details, credit card details, etc.) ends up being exposed on the open web or on the dark web.

Previously, companies were able to get away with the issue of consent by using long, wordy terms and conditions pages where people had no alternative but to click accept to proceed. This did nothing to protect people from security breaches and the exposure of personal data.

Under this new regulation, companies will need to build data privacy, the right to be forgotten, the right to access and data portability into their solution designs. They also need to appoint a data protection officer and report breaches within a certain period.

These requirements will demand a change in culture, operating procedure and strategy for many small and large businesses interacting with data of EU subjects, whether in the EU or outside of the EU.

Our Approach

ASE consulting ltd specialises in system risk mapping and management for business and technological systems.

We can do the following for you:

  • Conduct an impact assessment to determine the level of exposure or non-conformity with the GDPR.
  • Work with you to deliver corresponding data standards and guidelines.
  • Work with you to redesign your business processes and solutions architecture to ensure conformity with the regulations.

The result will be compliance with the following points of the regulation:

  • Breach Notification
  • Right to Access
  • Right to be Forgotten
  • Data Portability
  • Data Protection Officers


Your next step is to reach out to our GDPR team at customerservices@ase.co.uk or call us on +44 (0)208 618 2246, and we can discuss the next steps.