The GDPR (General Data Protection Regulation) is a new EU regulation which will make the current Data Protection regulations much stronger. GDPR comes into force in May 2018 and, if breached, could result in a fine of up to 4% of global turnover.

Respect for privacy, security of data and awareness of breaches will be key. Organisations have a duty to report a breach within 72 hours. If that breach potentially carries a high privacy risk, then the affected individuals should also be advised of the data breach. This is a significant change to the current Data Protection regime in the UK.

The definition of personal data has been extended and includes anything that could be used to identify an individual. This includes, for example, genetic data and even IP addresses. The GDPR will be more robust in its protection of data than anything we have previously seen and businesses will be more accountable.

More detailed information can be found on the Information Commissioner's Office website.

Will GDPR still apply post Brexit?

The regulation will still affect UK organisations despite Brexit. The UK government and the Information Commissioner's Office (ICO) have indicated that, even if they don't continue with GDPR after Brexit, they will be looking for something equally robust. Similarly, if you are processing the information of EU nationals or trading across the EU, then you will need to abide by its regulations.

Will my organisation be affected?

Every organisation processing personal data must put safeguards in place against loss, theft and unauthorised access. This applies to all organisations, from corporates and SMEs to charities, healthcare providers and councils.

Key steps to GDPR Compliance

Cyber Essentials Certification is a great first step. It can mitigate ICO fines if a company suffers a breach, and it provides evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber attacks. However, GDPR requires more than just having baseline IT security controls in place.

The IASME (Information Assurance for Small and Medium Enterprises) Governance standard is the only standard recognised by the UK Government as evidence that you have prepared for the introduction of GDPR.

It incorporates three key elements:

  1. Cyber Essentials Certification – included as standard, this demonstrates that you have the baseline cyber security measures in place.
  2. Information Assurance controls – many of these are required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.
  3. A specific GDPR question set – demonstrating that your organisation has a wider governance system for managing the controls that protect personal data, and is "GDPR Ready".

When you achieve IASME Governance Certification, you receive a badge that can be used on your website and email signature that shows you have robust Information Assurance measures in place.

In our capacity as an IASME Governance Certification Body, we offer IASME Governance Packages from just £400.

Act now to avoid leaving your organisation exposed when the new legislation comes into force.