Getting Ready for GDPR – What Will Change And How to Prepare

Admin Globaldots

The EU General Data Protection Regulation, or GDPR for short, is the most important change in data privacy regulation in the last 20 years. It is set to drastically change how businesses in the EU (and businesses outside the EU that handle the data of EU citizens) look at data in general.

The deadline for complying with these new laws is May 25th, 2018, the date from which the GDPR will harmonise data privacy laws across the European Union and permanently change how companies collect, store, delete, alter and otherwise process the personal data of EU citizens.

The official document is a lengthy one that may confuse even the most experienced data specialists. That is why this article emphasises the most important points, so that you are ready for the era of GDPR that is upon us.


Who Will GDPR Affect?

The GDPR replaces the previous Data Protection Directive from 1995. Beyond the new rules it lays out, it expands their reach: it applies to every company that controls the personal data of data subjects in the EU, regardless of where the company is located.

The GDPR is primarily aimed at companies with more than 250 employees, but it also applies to companies with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects or involves sensitive personal data. In practice this means the GDPR affects almost all companies, which is reflected in a survey stating that 92% of US companies consider the GDPR a top data protection priority.

To understand precisely whom the GDPR affects, it is important to know the difference between a data controller and a data processor.

Data controller:

The data controller is a company or person that determines the purposes for which, and the way in which, personal data is processed. Controllers are the parties most affected by the GDPR, which means they are subject to a number of requirements under EU law. Data controllers have their own data processors.

Data processor:

A data processor is a company or person that processes personal data on behalf of the data controller. Note that this excludes the data controller's own employees. A good example of a data processor is a data analytics provider, because it is a separate business that handles the data of its customers (the data controllers). Data processors are also affected by the GDPR, but not as much as data controllers, since many of their obligations are already set out in so-called 'data processing agreements'.

The same organization can be both a data processor and a data controller, and two separate organizations can each be a processor of the same data.

The GDPR covers both personal and sensitive personal data. Personal data means any piece of information that can be used to identify a person (for example a name, address or IP address). Sensitive personal data encompasses religious and political views, sexual orientation, genetic data and more.

What Will Change

Many of the GDPR's main concepts and principles are included in, or are similar to, those of the DPA (Data Protection Act), which means that companies already complying with the DPA have a very solid foundation to build upon.

The main driver of change in how companies approach data security is the short timelines being put into place. The GDPR requires companies to notify each affected country's representatives within 3 days of a data breach, accompanied by a full report containing accurate details of the citizens impacted by that breach. Previously, it would take at least 2 months to get to the bottom of a typical breach.

Companies also need to make the data they hold portable, which means that their users or clients can have their data erased or moved to another company.

Security teams are going to be drastically influenced by the GDPR, since they will need to re-engineer their processes. In most cases these new processes will have to include DPOs (data protection officers). The DPO will be responsible for everything related to data, and this person will be the main point of contact between the company and country officials.

A recent survey by Ovum makes it apparent that businesses are getting seriously concerned about the data privacy regulatory landscape. Here are some of the most important findings:

  • Two-thirds of businesses expect to have to change their global business strategies to accommodate new data privacy regulations
  • Over half of businesses think they will be fined due to the pending General Data Protection Regulation (GDPR) in Europe
  • More than 70% of businesses expect budgets to rise to meet new data sovereignty regulations
  • The U.S. is the least trusted country for respecting privacy rights, lagging behind China and Russia

The Fines

One of the most worrying aspects of the GDPR is the increase in the level of monetary penalties. Coupled with the findings of the Ovum report, this means these fines are not to be taken lightly.

Smaller offences will result in fines of up to €10 million or 2% of a firm's global turnover (whichever is greater). More serious offences will be fined up to €20 million or 4% of a firm's global turnover (again, whichever is greater).

An article by The Register states that 2016's ICO fines in the UK would have been 79 times higher under the GDPR, meaning that 2016's £880,500 in fines would have had a GDPR equivalent of £69 million.

How to Prepare

The Information Commissioner's Office (ICO) has prepared a guide with 12 steps every company should take to comply with the GDPR. Here is a shorter version:

1) Awareness

The decision makers and key people in any organization should be aware that the law is changing to the GDPR. This will help avoid last-minute preparations before May 25th, 2018.

2) Information you hold

Every piece of personal data held by a company should be documented, including where it is stored, where it came from, who it is shared with and why.

3) Communicating privacy information

All privacy notices should be reviewed. When collecting personal data, a company should provide a privacy notice to the people it comes into contact with, and the requirements for privacy notices will change under the GDPR.

4) Individuals’ rights

Companies should check their procedures to ensure that they cover all the rights individuals have. The GDPR includes the following rights:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subjected to automated decision making including profiling

5) Subject access requests

Companies should update their procedures for handling access requests. An organization that handles a large number of access requests should consider the logistical implications of having to deal with requests more quickly.

6) Lawful basis for handling personal data

Companies should identify the lawful basis for their processing activities under the GDPR, document it and update their privacy notice to explain it.

7) Consent

Companies should review how they seek, record and manage consent, and whether they need to make any changes. Read this detailed guidance to learn more about consent.

8) Children

Companies should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

9) Data breaches

Companies should make sure they have the right procedures in place to detect, report and investigate a personal data breach in time. Failure to report a data breach in time will result in a fine.

10) Data protection by design and data protection impact assessments

Previously it was merely good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of it. Under the GDPR, however, privacy by design becomes a legal requirement, and the assessments are referred to as Data Protection Impact Assessments, or DPIAs for short.

11) Data protection officers (DPOs)

Most companies should appoint a DPO as someone who takes responsibility for data protection compliance. Companies must appoint a DPO if they are:

  • A public authority
  • An organization that carries out the regular and systematic monitoring of individuals on a large scale
  • An organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions

12) International

If an organization operates in more than one EU member state, it should determine which is its lead data protection supervisory authority and document this.


The GDPR is coming soon and the impact of this change will be big. There is a lot going on in this period of change: there are currently reports that many companies in digital media are trying to shift responsibility from one to another. Clients want agencies to assume the risks, agencies insist publishers assume them, and publishers do the same to tech vendors.

The businesses that are most liable for fines are the data controllers as they are the source of consumer data. Some examples of data controllers are publishers and advertisers that operate websites.

If you are having trouble getting ready for the GDPR, or would like someone to do it for you, our team at GlobalDots specializes in data security and GDPR compliance. Feel free to contact us and request a free consultation!
