Are you trapped in the GDPR Labyrinth?

If you don’t know where to start or how to achieve GDPR compliance, we’re here to help. Follow our quick guide to the GDPR to find your way out of the maze!

A quick guide to GDPR

GDPR Fines Bubble

What are the GDPR fines?

If you fail to comply with the GDPR, you’ll face some hefty fines. You may be fined up to €20 million or 4% of your global turnover - whichever amount is greater.

These fines might be imposed for numerous reasons, but you might be seen as non-compliant if you:

  • Retain personal data you no longer need beyond a limited time frame
  • Store personal data in a careless manner, or fail to notify the authorities and your data subjects as soon as you know a breach or loss has occurred
  • Fail to acquire explicit consent to use your subjects’ data
  • Miss the deadline for a subject access request, or charge subjects who would like to make one

There are many other reasons why you might be fined, so it’s important to ensure your organisation is GDPR compliant.

Bubble Relevant

Who does the GDPR affect?

Although a lot of people have known about the GDPR since 2016, that hasn’t made it any easier on businesses. Confusing messaging about who it affects and why has meant many people simply don’t know if its rules apply to their organisation.

As a general rule of thumb, the GDPR will apply to your organisation if you handle any EU citizen’s personal data. That could be the data of your clients, customers or staff. So while it will impact larger, multinational organisations more heavily, it will also impact small-to-medium sized enterprises (SMEs) too.

Data minimisation bubble

What is data minimisation?

Data minimisation is the practice by which you limit the amount of data you collect to try to minimise the risk of a data breach. To comply with GDPR, you need to ensure you limit the amount of data you collect to the bare minimum needed in order to complete your task.

What that means in practice is something like this. If a contact form asks a user for their birthday, but the content they are trying to access doesn’t have an age gate, the organisation asking for their birthday is acquiring personal data it doesn’t need. That makes it non-compliant with the GDPR. So think about what data you need to complete your work and only acquire that.

Right to be forgotten bubble

What is the right to be forgotten?

The right to be forgotten is a new right the GDPR gives data subjects. After May 25th, if an EU citizen wants to delete their information from an organisation, they now have that right. They can make a request for you to delete all data you hold on them. You therefore need to have policies in place and the infrastructure necessary to remove and delete an individual’s data.

To do that, you need to know where your data is and what data you actually have. As such, you need to complete a thorough data audit of your organisation. Once you know what data you hold, settle on the changes you need to make in order to quickly delete a subject’s data.

Individuals also have the right to access any data you hold on them, or to request updates to their data. You’ll need to comply with subject access requests quickly when GDPR takes effect; by conducting a data audit, you can establish suitable processes to achieve compliance in this area.

Data processing bubble

What’s the difference between data controllers and data processors?

With GDPR, you’ll hear a lot of talk about data controllers and data processors. Depending on which one you are, you’ll have different responsibilities under GDPR. A data controller is whoever owns the personal data, while a data processor is whoever uses that data to complete a task.

It’s possible to be both controller and processor, but at other times you may only be the controller. For instance, some programs like Google Analytics can see Google play both data controller and processor. However, you might also take the role of controller, while Google is your processor. It’s best to understand what role you play in different scenarios so you can adjust your processes appropriately.

Mail bubble

How do I safeguard data?

Safeguarding data under GDPR will take a lot more than what you currently do, but the previous Data Protection Act will have prepared you to a good degree. To safeguard data now, you just have to do a little bit more. But we’re here to help.

Data minimisation and purpose limitation are a good place to start. We’ve already talked about data minimisation, but limitation means you can only use data for a specific purpose for which you have explicit consent from the data subject. If you use the data you have for any purpose without consent to do so, you risk failing to safeguard data.

Meanwhile, storage limitations mean you may have to delete data you no longer need. Set a time limit on data you hold so if users don’t use your services, eventually their data will be automatically deleted. Likewise, you should pseudonymise data where possible so that if a breach does occur, hackers don’t know who the data applies to. There’s more to it than that, but Cyber-Duck is able to help you achieve compliance.

HR bubble

Will GDPR apply to my HR department?

GDPR will apply to any organisation that handles personal data of EU citizens, so it will most certainly apply to your HR department! You need to protect this data just as securely as you would the data of the general public or your clients.

In particular, it’s best if you also try to limit how long you keep your former employees’ data after they leave. For instance, you don’t need to hold extensive data on a former employee who left a decade ago. Data minimisation means you will need to delete this.

Proven GDPR Experience

Daniel Hill Guildford

Cyber-Duck’s comprehensive report has been used as our platform for planning and executing the work required to ensure we comply with GDPR, leaving us in a position of strength. ”

Daniel Hill

Director at May Stanley


So there’s a lot to learn if you want to get out of the GDPR maze and achieve compliance.

At Cyber-Duck, a digital agency in London, we’ll ensure your organisation is GDPR compliant. We’ll audit your current data processes and recommend the changes. In addition, we can also implement any changes on your behalf.

Get Your GDPR Audit For Less Than The Cost of an iPhone