GDPR: A Really Simple Guide
A preface to the eBook, now available on Amazon Kindle (AboveAndBeyond Series Guidebooks)
• The General Data Protection Regulation (GDPR) is legislation enacted by the European Union to protect the data privacy rights of its citizens.
• Because it is a Regulation, not a Directive, it became law in all member states immediately.
• Since May 2018, the EU has been able to enforce it.
• The Regulation affects all organizations, anywhere in the world, that employ EU citizens or have EU citizens as customers.
Where the GDPR came from
EU regulators became concerned about the legal imbalance between individual EU citizens wishing to protect their data and the corporations handling and processing that data poorly.
High-profile cases such as the Edward Snowden revelations showed how poorly the personally identifiable data of individuals was being protected, and how hard it was for individuals to hold organizations to account.
This led the EU to put legal countermeasures in place to ensure that the data privacy rights of its citizens were protected.
Since we are all individuals who face the risk of 'big brother' taking our data privacy rights too lightly, that's a good thing, right?
• Get your compliance to the GDPR badly wrong and you could face fines to the tune of 4% of your global
• There are other undesirable outcomes of noncompliance, such as the impact on brand reputation.
• Nearly all organizations will face a significant cost of change—the IT, legal and consultancy spending required to change operating behaviors may turn out to be the bigger story in the long term.
• The GDPR applies to the handling and processing of personal data of any living EU citizen over the age of consent by businesses, regardless of whether the processing takes place in the EU or not.
• For this reason, it is set to have an impact on everyone in business, particularly those responsible for the welfare of the people in the organization they serve.
• The senior managers of any organization managing or processing personal data—or those involved in commercial negotiations and supplier selection decisions—should understand its ramifications.
There are 99 pages of legal text to get through if you want to really get intimate with the regulation, so I've summarized some of the key points below.
• New challenges for data processors—Data processors can no longer avoid regulatory fines for the processing activities they carry out for data controllers. If you work for a company that processes data on behalf of another business (and therefore acts as a data processor), a fundamental change that the GDPR ushers in is the rebalancing of regulatory liability between the data controller and its data processors.
• Data breach reporting—Notice must be provided "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is not made within 72 hours, the controller must provide reasons for the delay. In the event of a personal data breach, data controllers must notify the supervisory authority "competent under Article 55", which is most likely (looking to Article 56(1)) the supervisory authority of the member state where the controller has its main establishment or only
• Cross-border transfer—Organizations need to know where all their data is at a geographic level. The act of transferring privacy data outside the European Economic Area (EEA)—such as to outsourcing partners based outside of the EU, or cloud services based outside of the EU—without the permission of the data subject is prohibited unless there is an adequacy decision, derogations or additional safeguards in a country outside
• Data mapping—Organizations need to know where their data is, both systematically and geographically.
• Data protection impact assessments—Article 35 of the GDPR states that data protection impact assessments (DPIAs) are mandatory for organizations with technologies and processes that are likely to result in a high risk to the rights of the data subjects; especially, if an organization
• Privacy by Design/Default—Privacy must be documented as being built into the design. The GDPR installs an important systems engineering design concept called 'privacy by design/default'.
• Accountability—Everything must be documented; no more permissive standards. The GDPR introduces a legal accountability obligation to European data protection law. The accountability principle requires data controllers to implement appropriate technical and organizational measures to show the compliance of the
...and this isn't even the full list!
This illustration shows what's involved in transitioning the 'business-as-usual' of an organization to embrace the GDPR. Plans will vary according to the specific circumstances of the organization performing the change.
• DISCOVERY PHASE—To qualify the current situation and capture the insights needed to frame prioritization and project
• DESIGN PHASE—To prioritize go-forward actions into an actionable implementation plan, giving feedback to stakeholders; then to make changes to the way the organization governs data and behaves in accordance with the GDPR, installing mechanisms and new approaches.
• (IMPLEMENT FOR) OPERATIONAL PHASE—To manage the data protection activities day-to-day in line with the
• REVIEW PHASE—To review progress by reporting on progress, adapt plans and re-balance perceptions of risk.
How you can move forward…
Read more about the subject. Why not take a moment to read my AboveAndBeyond Guide, which offers an implementation plan and useful tools that will help you to plan out your change
Also, check out the UK Information Commissioner's Office website at https://ico.org.uk. It's packed with more
Find out what the plan is for your GDPR program and who is leading it. If nobody is, share some content with senior execs. It's important—nobody wants a fine that's 4% of
Discover what EU privacy data you are holding by conducting a review of data and processes. Consider interviewing department heads. Most of all, prioritize your activities towards the most probable and impactful areas of risk.
The Big Disclaimer
It's Legal Stuff
The GDPR is a law and it REALLY PAYS to get legal advice on this
Explore More Sources
Don't just use this guide as your only source of insights, as the impacts of the GDPR vary according to the type of enterprise you are and how much EU citizen data you hold
In addition to this article, I've written a complete guide on the GDPR and how you can implement the changes to Business-As-Usual needed to live 'Data Privacy by Design'
Ian Tomlin has been a senior strategist and management consultant in the tech industry since 1990, experiencing first-hand the impact of information security and the GDPR. In 2015, he joined the award-winning Canon Europe Security Team and, in 2016, went on to perform a leading role in the GDPR commercial solutions team, inheriting the responsibility for innovating GDPR technology-led solutions for Canon's European customer community. At the time of writing, Canon is listed by GlobalTrak as the fourth most trusted brand in the world.
His first book, 'CEO's Guide to Business Agility', written in 2004, describes the move from legacy to modern agile organizational design. In 2006 he wrote his second book, on the topic of business social marketing and its move into the cloud, then a new concept of computing on the horizon. 'Cloud Coffee House' was followed by his third book, 'Social Operating Systems' (2009), predicting the future evolution of what have now become comprehensive online platforms like Office365 and Google G-Suite. In 2014, he turned his attention to the subjects of personal development and brand management, publishing two guides, one giving advice to newcomers entering the business world on how to achieve more from their careers.
This led to the creation of the AboveAndBeyond range of guidebooks for executives. He writes novels under the pseudonym of Christian J.
Starting his working life as a professional shoemaker, he joined the tech industry in 1990 after a period in local government and has spent most of his career at the leading edge of B2B marketing innovation.
He created the management consulting business NDMC Ltd in 2001. In 2002, he worked with a small team to create ENCANVAS, the first and only code-less applications design and deployment platform that gives non-technical people the ability to individually create enterprise-scalable business applications. In 2006, he created a technology similar to WhatsApp called SQUORK and, in 2009, a container cloud computing platform that simplified the deployment of cloud applications. He continues to sit on the board of several start-up hi-tech businesses. Today, he advises business leaders on how to grow their business, manage risk, tell their story and establish conversational marketing strategies.
Ian Tomlin is a storyteller and technology evangelist with a passion to help businesses make conversation
READ the eBook: GDPR by Ian Tomlin
• Get the really simple Guide to the GDPR
• Learn more about the Regulation
• Written by practitioners with hands-on experience of
• Packed with hints, tips and learning lessons on how to implement a change program for the GDPR within your organization
• Source the tools and process models you need to make the GDPR
• Available on AMAZON KINDLE now