General Data Protection Regulation (GDPR) is a law brought in by the European Union (EU) in May 2018. It replaced the Data Protection Directive 1995, also known as the Data Protection Act 1998 in the UK.

The aim of GDPR is to modernise the laws that protect the personal information of individuals. GDPR applies to any business collecting personal data. It enforces the way data should be stored and handled within a business environment, and places sole responsibilty on business owners.

After Brexit, the EU law was replaced in the UK by UK GDPR. In essence, this holds UK organisations to very similar data protection regulations as under the EU GDPR. There are some minor technical changes, but the core principles remain the same.

If businesses fail to follow the guidelines for storing and processing personal data, it can result in hefty penalties. The likes of Google, H&M and British Airways are just some companies who have been hit by multi-million pound fines for breaching GDPR.

In this blog, we explore GDPR in more detail, so you know exactly how it impacts your business.

What does GDPR consider as personal data?

Under GDPR, personal data is any information that relates to an identified or identifiable living individual. This definition is broad and can encompass a wide range of data.

Directly identifiable data is information that can directly identify a person, such as:

• Name
• Address
• Email address
• Phone number
• ID number

Indirectly identifiable data doesn’t always directly name someone, but it can be used to identify specific people. Examples include:

• Location data (GPS coordinates, IP address)
• Online identifiers (cookies, username)
• Health data
• Genetic data
• Political opinions
• Religious beliefs

What does GDPR mean for UK businesses?

GDPR has also introduced strict penalties for companies that suffer data breaches. In order to meet the guidelines, your business must:

• Compliance with UK GDPR: UK businesses must comply with the UK GDPR, which incorporates most of the original EU regulation. This means following similar rules on how personal data is collected, stored, and used.
• Following eight individual rights: Individuals have eight rights regarding their personal data under UK GDPR. These rights include access, rectification, erasure (to be forgotten), restriction of processing, data portability, objection, and rights related to automated decision-making. Your business must be prepared to handle requests related to these rights.
• Legal basis for processing: You need a lawful reason to process personal data. Common reasons include consent, contractual necessity or legitimate interests. You should be transparent about the reason for processing data and be able to demonstrate compliance.
• Data security: GDPR requires appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or destruction.

You need to make sure you have processes in place to abide by these rules – including secure systems.

What to does it mean if your company has a data breach?

If your business has a data breach, whether this is from a cyber-attack or human error, you have the responsibility of reporting it to the ICO within 72 hours of the occurrence. If you fail to notify the ICO within the stated timeframe of 72 hours upon discovery of data breach, a 2% of annual turnover penalty may apply.

That’s not to mention the reputational damage your business will face, plus the personal impact to customers whose data is breached.

Steps for your business to follow now

1. Understand and map your data

A good place to start is identifying what personal data you collect, store, and process. Understand where this data comes from and for what purposes it’s used. Remember, you should aim only to store the data you really need, while protecting individual rights.

You should also pinpoint how long you retain the data and how it’s ultimately disposed of. This should always be done safely to minimise the risk of breaches.

2. Be transparent with data subjects

Every business should have a clear and concise privacy policy, outlining how you handle personal data. Within this, you should specify the lawful basis for processing data (covering consent and contract). You should also explain individual rights under GDPR and how to exercise them.

Make sure this policy is readily available, so anyone who you collect data from understands how it’ll be used.

3. Obtain lawful consent

Whenever you collect data from someone, you must obtain unambiguous consent before you process anything. This might include tick boxes on online forms, adding consent statements into paperwork or asking for it orally.

Make it easy for users to withdraw consent at any time, in case they change their mind. This could include giving them contact details for withdrawals or adding unsubscribe links to your emails.

4. Implement stringent data security measures

You must also have inn place appropriate safeguards to protect personal data from unauthorised access, disclosure, alteration or destruction.

Examples of such measures include:

• Encryption. Encryption acts as an impenetrable lock, scrambling data with a key so only authorised users can access it. This applies to data at rest (stored on devices) and in transit (transmitted over networks).
• Set access controls. Access controls determine who holds the key. Granting access on a “need-to-know” basis ensures only essential personnel can view data. Strong passwords, multi-factor authentication and permission levels further tighten security.
• Conduct regular assessments. Regular security assessments can identity data protection weaknesses. Penetration testing simulates cyberattacks to expose vulnerabilities, while vulnerability scans highlight software flaws.
• Security awareness training. This educates employees to be vigilant against social engineering tricks.

By combining these safeguards and fostering a culture of security, businesses can build a robust defence against data breaches. It’s also wise to follow general cyber security best practice to avoid the chances of hacking, leading to breaches.

5. Manage data breaches

Your business should establish a plan for identifying and containing data breaches before they ever happen. Part of this includes having procedures in place to notify the Information Commissioner’s Office (ICO) and affected individuals within required timeframes.

Once you’ve created the plan, it must be followed every time you face a breach.

6. Appoint a Data Protection Officer (if applicable)

Organisations that handle large volumes of data can benefit from having a specific Data Protection Officer (DPO) in place. They ensure all staff and management adhere to the businesses data protection obligations. More importantly, they oversee the data protection strategy for the entire business to ensure the business is compliant with GDPR and other related regulations.

The DPO role can be given to an existing staff member, but they must be clued up on the regulations. Typically, it will be given to IT personnel who already have a role in processing and protecting data.

7. Train staff on GDPR

GDPR can be confusing, but knowing what it means is crucial to getting it right. Take time to educate your employees on their data protection responsibilities under GDPR.

As part of the training, inform them on data security best practices and how to handle data subject requests.

8. Maintain records of processing activities

Make sure you document your data processing activities, including the data collected, its purpose and legal basis for processing. This may fall into the DPO’s responsibilities if you have one.

If you do need get asked about your processes, having a paper trail will make them much easier to validate.

How to approach in the modern age

GDPR may have been introduced years ago, but its core principles are more relevant than ever.

As organisations collect more data, adopt cloud services and increasingly embed AI into everyday operations, the challenge of protecting personal and sensitive information has intensified. Data now moves faster, across more systems, users and third parties — expanding the attack surface and increasing the risk of misuse, exposure or breach.

Compliance alone is no longer enough. To truly protect data in today’s environment, organisations need a security model that assumes risk, limits access by default and continuously verifies trust — especially as AI accelerates how data is accessed, analysed and shared.

This is where modern security strategies, like Zero Trust, become critical. Not just for meeting regulatory requirements like GDPR, but for safeguarding data in an AI‑driven world.

How do you protect data when AI changes everything?