Cognatio Blog
The General Data Protection Regulation (GDPR) has been introduced for two main reasons: firstly, to protect EU citizens’ data in the digital world, and secondly, to harmonise data privacy laws across all 28 members of the Union (the UK is still set to enforce the policy upon departing the EU). Taking effect from May 2018, it means all businesses will need to be prepared for its arrival, and failure to comply will lead to significant consequences. We’ve outlined what this means for businesses and the key information you need to be aware of.

What does GDPR mean for businesses?

GDPR will see tighter legislation on information that can directly (or indirectly) reveal the identity of an individual, for example a name, email address, social media activity, date of birth, or any other personal data. Companies will need to follow strict cyber security guidance when collecting data. No longer will businesses be able to use a pre-ticked ‘I agree’ box when visitors fill in their details. Customers will need to give a higher level of consent before companies are able to use their data.

GDPR means data breaches could be disastrous for business. Currently 60% of small companies that suffer a cyber attack are out of business within six months. Therefore, many businesses are investing in Cyber Essentials, a certification scheme backed by the British government to help organisations prevent online data breaches. This will help with GDPR compliance as well as improving the security of your company, customers and partners.

GDPR will also mean individuals have an online ‘right to be forgotten’; therefore, businesses will need to have a method in place for honouring this. This includes all tracking data, such as IP addresses and tracking cookies.

Privacy from the ground up

One of the key premises of the GDPR is that privacy should be an overarching consideration in the design and development process for new activity that involves the collection of personal data. For example, the EU suggests that when new apps are created, IT security experts should work with different teams such as the marketing department. This will help determine how to create an app that meets business requirements in a secure way that also guarantees the safety of data. This may mean businesses need to recruit new employees or work with agencies to gain these skills.

Breaches must be reported

Since the GDPR has not yet been implemented it’s still unknown how the requirement to report data breaches will be interpreted.

If a data breach needs to be reported the report must be issued ‘without undue delay’ and should be made within a maximum of 72 hours unless there’s a good reason why it should take longer. The EU also mandates that the notification must inform the data subjects of the potential impact and highlight how they can mitigate it.

GDPR is going to affect all businesses; therefore, it’s important that companies of all sizes understand the precautions and actions they need to take in order to protect themselves. Companies will now be held far more accountable for data breaches, and businesses that suffer unintentional data breaches can expect severe ramifications, including financial loss, confidentiality breaches and damage to reputation.

The GDPR has avoided being prescriptive about how companies should implement the required level of privacy and associated cyber security, placing the onus on organisations to take measures that are relevant to their situation. If you have any questions regarding GDPR please get in touch by emailing and don’t forget to follow us on LinkedIn and Twitter.