The EU’s General Data Protection Regulation (“GDPR”) applies from the 25th of May 2018. From this date businesses must comply with the new data protection rules that govern the collection, storage, processing and use of personal data.


    Who does the GDPR apply to

    Any business that offers goods or services to individuals (“data subjects”) in the EU and/or monitors the behaviour of data subjects in the EU must comply with the GDPR. Even a business physically located outside the EU is obliged to comply with the GDPR if it targets the EU market or individuals in the EU (for example: a US company selling services to consumers in the EU).

    There are no exemptions for small businesses. There is no grace period for ensuring compliance. Businesses must be fully compliant from the 25th of May 2018.

    The GDPR applies to both data processors and data controllers, although they do have different obligations.


    Brexit Implications

    Brexit will take place after the 25th of May 2018, therefore UK businesses must comply with the GDPR. Even after Brexit, UK businesses still need to comply with the GDPR if they target the EU market or EU residents with their goods and services.


    What is Personal Data

    Personal data is defined under the GDPR as:

    “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

    Personal data therefore includes, but is not limited to: a name, email address, IP address, photos, location data, bank details, social networking posts, medical information, device IDs, genetic data and biometric data.

    Data Protection Impact Assessments

    A data protection impact assessment (“DPIA”) is a privacy-related impact assessment whose objective is to identify and analyse how data privacy might be affected by certain actions or activities. DPIAs are mandatory where processing is likely to result in a high risk to individuals (for example: systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of sensitive personal data, or systematic large-scale monitoring of publicly accessible areas).

    Consent

    Where consent is relied upon as the basis for processing personal data, consent must be freely given, specific, informed and unambiguous. Businesses must be able to prove they obtained such consent to the collection, storage, processing and use of personal data (for example: data subjects actively clicking a consent box agreeing to the terms of a privacy policy). Pre-ticked boxes, silence or inactivity do not constitute consent.


    Contracts and Policies

    All existing contracts and privacy policies will need to be reviewed and updated to include the mandatory obligations and information set out in the GDPR (for example: having a written data processing agreement between the data processor and the data controller).


    Data Subject Rights

    Data subjects have the right to: access all personal data held on them, rectify inaccurate data, object to processing (for example: for marketing purposes), restrict processing, export their data (data portability) and have their data erased. Appropriate processes and templates should be put in place to allow data subjects to exercise these rights within the statutory time limit of 1 month (extendable by a further 2 months for complex or numerous requests, provided the data subject is told within the first month).


    Data Breaches

    There are new obligations to report a personal data breach to the data protection supervisory authority where the breach is likely to result in a risk to the rights and freedoms of individuals (for example: damage to reputation or financial loss), and, where the breach is likely to result in a high risk, also to the affected data subjects. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” and includes paper records, not just electronic data. Breaches must be reported to the supervisory authority within 72 hours of the business becoming aware of them, providing the specific information set out in the GDPR.


    Appointing a Data Protection Officer (“DPO”)

    There is no exemption from the DPO requirement based on the size of the business. A DPO must be appointed where a core activity of the business involves regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive personal data or data relating to criminal convictions and offences (public authorities must always appoint one). “Sensitive personal data” includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation. Examples of large-scale processing given in EU guidance are: patient data processed by a hospital, or customer data processed by a bank or insurance company. The DPO must be independent: a CTO/head of IT is generally considered to have a conflict of interest, as that role determines the purposes and means of processing and is not independent of the team undertaking the processing or of management.


    International Data Transfers

    Where businesses or their subcontractors, affiliates or suppliers store or process personal data outside the European Economic Area, data subjects must be informed of this. Personal data may only be transferred to a country that has not been recognised as providing adequate protection if a lawful transfer mechanism is in place, and that mechanism must be specified (for example: standard contractual clauses approved by the European Commission, or binding corporate rules). Explicit consent of the data subject is only one of the narrow derogations available and should not be relied upon for routine transfers.


    Fines for Breaches of the GDPR

    Businesses can be fined up to the higher of 4% of their total worldwide annual turnover or 20 million Euros for the most serious breaches of the GDPR (for example: of the principles of processing, the conditions for consent or data subject rights), and up to the higher of 2% of worldwide annual turnover or 10 million Euros for other breaches (for example: of the obligations on controllers and processors relating to security, record keeping, DPIAs and breach notification).


    Preparing for Change

    Businesses must know what personal data they hold, how it is collected, how it is stored and used and where and to whom it is being transferred. All such processes and information must be documented.

    Businesses must implement technical and organisational measures that show they have considered and integrated data protection into their processing activities.

    To achieve the above objectives, businesses should:

    • audit their processing activities and security measures;
    • have in place GDPR compliant privacy and security policies;
    • review and amend existing contracts with customers, suppliers and subcontractors;
    • create a written data processing agreement for use between data processors and data controllers.

    Quotevine Specific Data Protection Information

    Data Location

    Our primary datacentre is located in England. Our secondary datacentre for multitenant customers is located in the USA. Customers with dedicated hosting can choose the location of their secondary datacentre: it will either be in England, Germany or the USA.

    All datacentre resources, wherever located, are managed by an ISO 27001 certified partner who operates according to ITIL best practices.