GDPR: My organisation is paper-based, so it doesn’t apply to us…

Wrong. GDPR still applies, and here’s why.

Records can be stolen and misused whether they are on paper or stored digitally. If the information included in a given record can be used to identify an individual, then it falls under General Data Protection Regulations.

Consider all your organisation’s physical paper and digital records. Do they include information about employees or customers, assuming they are consumers? The answer will invariably be “yes”. HR records alone contain payroll, absences, next of kin/emergency contact information, disabilities, medical records and personal contact details to name only a few categories of private data.

GDPRThe General Data Protection Regulation (GDPR) has been getting a lot of airtime lately, and rightly so. It is law. It is being enforced on 25th May 2018. GDPR, for want of a better phrase, is the UK’s Data Protection Act on steroids. Infringe these new laws after the 25th May 2018 and face penalties of up to €20million or 4% of global annual turnover, whichever is greater. In the UK, the locally appointed regulator to govern the new data privacy laws is the Information Commissioner’s Office (ICO).

GDPR is an EU regulation being adopted by all member states and before you think it Brexit will not protect you. The UK courts need to go through a repeal process and that won’t happen for GDPR before 25th May 2018.

While not an exclusive list, at least for a start it boils down to an organisation having:
• An understanding of where all the data is
• An understanding of how the data is managed with processes and controls
• Relevant access rights controls to the data
• The ability to document, justify and provide evidence of how they manage consent, access, employee training on data privacy and always consider any impact on the individual affected
• Accurate processes to archiving and deleting (or shredding) data when required/not required

Winterhawk has partnered with insurance firm, RSA and financial advisors, Lansdowne Woodward to bring a market first: GDPR Insurance. We also provide a range of GDPR-related services, readiness assessments and a GDPR Starter Kit to get organisations prepared to tackle compliance activities.

Contact us at for further details.