Businesses of all sizes need to understand and prepare for the GDPR. To help we provide answers to some of the most frequently asked questions:


  1. Who does the GDPR apply to?  ‘Date Controllers’ and ‘Data Processors’ need to abide by the GDPR if they manage the data of EU citizens.
  2. What about Brexit?  The UK leaves the EU in March 2019, so the GDPR will apply, and will continue to apply to those that sell goods or services to people in EU countries.
  3. Who does the GDPR affect?  Businesses and organisations within the EU, as well as those outside of the EU that offer goods or services to, or monitor the behaviour of EU individuals/data subjects.
  4. What is the difference between a regulation and a directive?  GDPR is a regulation – a binding legislative act. It must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal for achievement.
  5. Will the fines really be enforced?  Yes. Each Member State will have individual discretion on criminal sanctions for GDPR infringements.
  6. What constitutes personal data?  Any information relating to a natural person or ‘data subject’ that directly or indirectly identifies that person. It can be anything from a name, email address, bank details, medical information, or a computer IP address.
  7. What consent must be given to process personal data?  Consent must be provided by an individual/data subject for the processing of their personal data. The request for consent must be in an intelligible and easily accessible form, with the purpose for data processing attached. Inactivity or pre-ticked boxes will no longer constitute consent for the processing of data. Organisations that demonstrate active consent will have a record of how and when this was provided.  If consent is removed, there must be evidence to show the related data is no longer processed.
  8. How can we show we are accountable?  Many organisations have measures in place due to the Data Protection Act (DPA). Others must examine and address current practice for GDPR compliance to show how they adhere.  For example, demonstrating the procedures that are in place to protect the data they hold.
  9. Why is a Data Protection Impact Assessment (DPIA) needed?  To reduce a project’s privacy risks. This assessment identifies the risks to address to help mitigate these at an early stage.
  10. Do I have to report all personal data breaches?  Yes, it is mandatory to report a personal data breach that may result in a risk to people’s rights and freedoms.

How we can help

IASME Governance (Information Assurance for SMEs) Accreditation is a straightforward and cost effective alternative to ISO:27001 that incorporates Information Governance,  baseline IT security and GDPR Readiness.

When you achieve accreditation, you receive badges to place on your website and communications to demonstrate to your supply chain that you are GDPR ready and have the correct measures in place to protect your supply chain from cyber attack or GDPR non-compliance.

In our capacity as an IASME accredited certification body, we can help you achieve your certification quickly and effectively.  We offer a range of competitively priced IASME Governance Packages to suit your budget, timeframe and level of experience.  Prices start from just £400.