Is there anything to be afraid of in the General Data Protection Regulations?

The European Union’s General Data Protection Regulations (GDPR) set new and demanding compliance requirements for any organization involved in creating, handling and treating data. With fines of up to €20 million or 4 percent of the annual worldwide turnover of the organisation responsible for the data breach, we need to look in particular at who needs to be aware of the GDPR – which I will attempt to do within this blog.

Data Subjects

These are people, organisations, business and public sector bodies, clubs, and societies … any entity that has their data stored by any organization.

I write as a victim of data breaches with these two experiences:

  • I received an unexpected letter from the financial organization that held a mortgage on my family home, advising me to change passwords on my accounts due to a data breach. That was an unwelcome shock.
  • My internet provider had large numbers of customer records hacked, and since then I have been regularly contacted by callers using withheld telephone numbers and purporting to be agents of my internet provider, asking me to give them remote access to my computer. They claim to need to check for broadband problems. I’m not trusting enough to allow access to people who may counterfeit my identity, access bank details or link my PC to a botnet. Sadly, not everyone is alert to such scams.

Joint and Several Liability

This is a legal term that indicates more than one party may have liability. As a result of the GDPR, data controllers and processors need to negotiate the scope of their obligations, liabilities and indemnities accordingly.

Extra-EU Liability

Organisations may still be held liable even if they are not located within EU boundaries but create, handle or treat data of EU citizens and/or organisations outside the EU.

Data Controllers

This is the title given to organisations that create and store records of any data. In the computer age, this is virtually every organisation that holds names, addresses, telephone numbers, and personal details such as qualifications, bank account details, hobbies, religion … and the list goes on.

Data Processors/Data Handlers

In short, this includes people who process, handle or store data on behalf of others. “The cloud” is one such place where data is processed and stored. Unlike the vaporous place the name suggests, the cloud has an infrastructure of hardware scattered throughout data centres and server farms where data is stored.

Data Treatment

This includes anyone who processes data, from doing number crunching analysis up to and including destroying data. This is the area in which I work professionally for Arrow, providing IT asset disposition (ITAD) services. My role is to ensure global compliance for Arrow and approved partner organisations that provide ITAD services, including secure destruction of protected data.

There is a lot more to look at in this area – enough for another blog! Reach out to me if you’d like any information on Arrow’s compliance with the GDPR.


Gary Griffiths manages global partner compliance for Arrow Electronics, ensuring that Arrow and its global partners comply with local and international laws, regulations, and best practices. A Chartered Environmentalist and a Chartered Waste Manager with more than two decades’ experience, Gary has expertise in data security and compliance.

No Comments Permalink

Say something