Who needs GDPR?

Who needs GDPR?


21st November 2019

Understand the basics of GDPR covering who is impacted, what powers the legislation has and what your small businesses needs to do to remain compliant. Sponsored article by iCaaS. 

There’s no denying that technology has transformed our lives dramatically over the past 25 years. Previous data protection rules across Europe were first created during the 1990s, so a robust review of the rules governing how organisations process and handle data was needed to keep up with the changing digital landscape.

Europe is now covered by the world’s strongest data protection rules, the General Data Protection Regulation (GDPR). The sweeping EU data privacy law affects any organisation that collects data on EU citizens. Crucially, it’s important for organisations to be aware that not complying with the regulations could lead to massive fines, lawsuits and reputational damage.

Many organisations are unclear on how at risk they are from GDPR-related sanctions. After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14th April 2016. It was enforced on 25th May 2018 and replaces the previous 1995 Data Protection Directive which was adopted at a time of the early stages of the internet. The two-year preparation period gave businesses and public bodies covered by the regulation time to prepare for the changes.

Who is affected?

GDPR applies to all organisations in the UK that process and hold personal data, regardless of whether we leave the EU or not. The GDPR affects every organisation in Europe but those affected the most are those that hold and process large amounts of consumer data such as technology firms.


Both personal data and sensitive personal data are covered by the GDPR.

Personal data broadly describes a piece of information that can be used to identify a person. This can be a name, address, IP address, website, national insurance details, photograph, medical details etc. Sensitive personal data includes genetic data, information about religious and political views, sexual orientation etc.

What powers does the GDPR have?

The UK’s Information Commissioner’s Office (ICO) is the independent regulatory office in charge of upholding information rights in the interest of the public.

The ICO imposed large fines recently on Marriot and British Airways, as a result of data breach-related incidents. Fines of £99.2 million for Marriot and £183.4 million for British Airways, showed the seriousness with which the ICO treats such breaches. One of the crucial elements of the GDPR has been the ability for regulators to fine businesses that fail to comply.

Smaller organisations are also being fined by the ICO. In July this year, the ICO issued an £80,000 fine to an estate agency who failed to keep their tenant and landlord data safe.

Organisations are even being fined up to £4,000 for not paying the required data protection fee that they have to pay to the ICO. The names of companies who were issued a penalty notice have now been listed on the ICO website. Bad publicity resulting from fines can also be damaging for smaller organisations and they may not recover from their reputations being tainted.

What do I need to do?

Most people realise they need to have a privacy policy in place but it’s important to remember you need several policies and documents in order to become and maintain GDPR compliance. These include evidence of compliance, data retention policies, data protection policies and more.

It’s safe to say that the GDPR is the most important change in data privacy regulation in 20 years and is designed to harmonise data privacy laws across Europe and reshape the way organisations across the region approach data privacy.

Subject Access Request (SAR)

The GDPR also gives individuals a lot more power to access the information that’s held about them. A Subject Access Request (SAR) allows an individual the ability to ask a company or organisation to provide data about them.  Not adhering to the SAR guidelines could result in fines. Remember you only have one calendar month to respond to a SAR and they can be made to your organisation by phone, email, letters and via your organisation’s social media channels.


Generally, exemptions exist where there is a national or public interest that is greater than the interests of the individual.

All organisations  – regardless of their size – are required to comply with GDPR if they offer free or paid goods or services to EU residents. Complete exemptions are those organisations that can store certain data types that are so important, they cannot be provided to other parties. Articles 6 and 23 of the EU’s GDPR allows member-states to grant exemptions in order to secure individual rights and national security.

It’s worth remembering that data and uses that fall outside the scope of GDPR are not exemptions. Currently, the exemptions under the GDPR include areas such as: acts of Parliament, immigration and legal professional privilege.

What next?

More fines are being handed out to organisations of all sizes, so it’s important to get houses in order and make sure that GDPR compliancy is taken seriously. It’s important to have all the relevant policies and documents needed for compliancy taken care of. This includes making sure that you have a ‘body of evidence’ as proof of your GDPR compliance, that you know how to deal with subject access requests and that you know how to deal with and report data breaches.