Brief about GDPR (the European Data Regulation coming into effect).

On 25th May 2018, the General Data Protection Regulation (GDPR) will become law in all European member states, including the United Kingdom, which will still be a member at that time. Some of you might think that with BREXIT this might not apply; you are wrong. The UK Parliament has made it clear (refer to the UK Information Commissioner's website) that GDPR will be applicable even post BREXIT, so don't neglect it.

The new Regulation will replace the Data Protection Act 1998 (DPA), which was developed at a time when most data processing was still paper-based. There was also a limited understanding of the impact that technology would have on the way we process data. The purpose of the GDPR is to: harmonise the EU's laws surrounding data protection; protect all EU citizens' data privacy; and re-shape the way organisations across the region approach data privacy. In drafting it, the EU's aim was to design it as a living document and future-proof the wording. They have also made it 'technology neutral', which means that the same regulatory principles apply regardless of the technology used.

If you hold information which falls within the scope of the Data Protection Act 1998, it will also fall within the scope of GDPR. The GDPR principles are similar to the DPA, but there is a new accountability requirement: you will have to demonstrate how you comply. As of 25th May 2018, organisations that do not comply will face very heavy fines, to the tune of 4% of your global revenues or EUR20 Million, whichever is higher. More importantly, your customers (whether individuals or corporates) are likely to ask you to comply with GDPR, putting your business at risk, hence it is better to plan ahead and comply.
It is important to note that GDPR is still a work in progress, with the Information Commissioner's Office (ICO) issuing monthly updates on its implementation in the UK (the ICO is the UK's independent body that upholds information rights). Find out more about GDPR on the ICO's website; search for "ICO GDPR" on Google.

To whom does it apply? The GDPR applies to 'controllers' and 'processors'. The definitions are broadly the same as under the DPA, i.e. the controller says how and why personal data is processed and the processor acts on the controller's behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. The GDPR applies to any business (whether you are a one-man army or a larger business) as long as you process (in simple terms, "handle") personal data of your customers, employees and business contacts. Your company size, the type of data handled and how you process data dictate the amount of action you need to take. A corner grocery shop or someone who sells lunch from a van with no personal data being stored or handled is unlikely to be impacted; however, if you are a small business and handle personal data (real estate agents, recruitment firms, vehicle dealers, manufacturers, dealers, etc.) you will need to take the necessary action. Handling of data as a private citizen (not as a business) is not impacted by GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. GDPR enforces several requirements on businesses, such as fair and transparent processing, rights of data subjects, legal basis of processing, breach monitoring and reporting, accountability and governance, and guidelines on marketing.

Any thoughts on likely implications and how to prepare for compliance by small businesses are welcome. Good luck.