General Data Protection Regulation (GDPR)

• Applicable to any Personally Identifiable Information – any information relating to a living person who can be directly or indirectly identified from that information.
• Applies to all businesses processing personal data – ‘controllers’ and ‘processors’.
• Transparency and accountability are paramount.
• Personal data must be processed in a manner which ensures appropriate security of the data.
• Enhanced rights for individuals – to be informed, to be forgotten, access to data held, data portability, data rectification, data deletion, restrict processing.
• Mandatory timeline and notification requirements for data breaches – within 72 hours.
• Mandatory Data Privacy Impact Assessments (DPIA) for specific high risk processing activities – eg. those processing ‘sensitive’ personal information.
• Subject Access Request processing time reduced to 30 days with no fee.
• Six lawful reasons for processing personal data – consent is only one of them.
• Where consent is used as the legal basis for processing it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes – a positive opt-in and separate from other terms and conditions.
• Increased fines / penalties: €20m or 4% of global revenue.
• BREXIT will have zero impact.

What Is Guttercrest Doing?

• Appointment of Data Protection Officer.
• Creation of Register of Processing Activities.
• Active consent gathering and recording of individuals’ consent where required.
• Data Sharing Agreements between Guttercrest as data controller and customers as data controllers.
• Data Processing Agreements between Guttercrest as data controller and suppliers as data processors.
• Updated Privacy Notice – for display on Guttercrest website and microsites.
• Fair Processing Notices must be read by individuals at the proposal stage.
• Review of Guttercrest policies and procedures to ensure GDPR compliance.

Customer Considerations

• Have you appointed a Data Protection Officer?
• As a data controller have you registered with the ICO?
• Establish a register of processing activities.
• Do you understand the legal basis for processing personal data?
• Where necessary do you have the consents of individuals?
• Secure (encrypted) transmission of personal data.
• Data minimisation – if you hold personal data that you no longer need, cull it.
• Establish and maintain retention periods and data archiving procedures.
• Data Processing Agreements with your suppliers.
• Data Protection training and awareness programme.
• Privacy by Design – ensure all new IT systems consider privacy first!
• Do you process sensitive personal data?
There are specific conditions for processing such data.


The information provided in this guide is for general information purposes only and is correct to the best of our knowledge at the time of publication (March 2018). Neither Guttercrest nor the author can be held responsible for any actions or consequences arising from acting on, or refraining from taking any action, as a result of reading this.