Skip to main content

General Data Protection Regulation (GDPR)

In just over a year’s time the EU’s new data protection legislation, General Data Protection Regulation (GDPR), will take effect. It is intended to strengthen and unify data protection for individuals both within the EU and the UK. The regulation will ensure that all personal data has to be managed in a safe and secure way; has to be gathered lawfully, is only used for the purposes for which it was collected, and must be accurate and up-to-date.

Despite the results of the EU referendum, the impact on UK businesses will be very real and doesn’t change the need for compliance, with the Information Commissioner’s Office confirming that if the UK wants to trade with the single market, our data protection standards would have to be equivalent to the EU's GDPR framework starting in 2018.


The maximum penalty for non-compliance is 4% of annual revenue or €20 million, whichever is the higher. This means that data protection now has a similar status, with regards to the level of fines, to anti-corruption and bribery legislation.

The other aspect of GDPR that is most impactful is the introduction of mandatory breach notifications. These force the disclosure of data breaches to the national data protection authority (DPA) and, depending on the nature and severity of the breach, also to consumers.

Failure to comply could mean not just high-level fines but reputational damage too.

Who to approach for help

GDPR is not just about technologies: it's as much about process design and procurement. Beyond that, there is, of course, the issue of cyber security, which is enabled and managed through technology.

Our Technology Services division employs a team of experts to provide guidance not only on the right technology mix for your business, but also to understand how much investment is required and how best to spend that funding. 

Their approach to cyber security is defined by three core principles – people, processes and technology. We advise businesses that in isolation any one of those can be a weak link, and each of those need to receive equal attention to reduce the risk of their business being breached. 

For example, you can have great processes and the best technology, but without your people having the right level of training there is no way for them to implement the processes and utilise the technology to its full potential.

The team at Close Brothers Technology Services have been helping a range of companies prepare not only GDPR, but ensuring they are insulating themselves from cybercrime by taking a ‘cradle to cradle’ approach - which links technology acquisition, funding, management and recovery.