GDPR Top 6 Questions & Tips

Updated: Jan 22, 2023



It’s the new data legislation that everyone’s talking about these days. Regardless of your sector, your business size or your profession, the GDPR (General Data Protection Regulation) is shaking up how companies collect, store, share and use personal data.


It is estimated that nearly two thirds of businesses haven’t even heard of the EU’s new regulation, the GDPR. The new EU law is a substantial overhaul of the data protection regime that has evolved over the past three decades (in the UK, the Data Protection Act), designed to ensure data privacy and give EU residents greater control over their personal data, in line with the emerging risks of the digital world we find ourselves in today.

With the increasing hype about who needs to do what, by when and why, we have shortlisted our top 6 things you might not know about the legislation.


Number 1 Does it only apply to people living or residing in the European Union?

A lot of GDPR resources found on the Internet use the terms "resident" and "citizen" interchangeably without being clear on what is actually required. Citizenship is not the test. For an organisation outside the EU, the GDPR applies to people who are physically in the EU at the time their data is collected, so the person's location, not their passport, determines applicability. (An organisation established in the EU must comply for all of its processing, wherever the individual happens to be.)

If an EU citizen is transacting business with a US company over the Internet or by phone while located in the EU, then yes, the GDPR applies. If that same EU citizen is travelling outside the EU when the US company collects their data, the local privacy law of the place they are in applies instead, and that legislation varies from country to country.

Individual EU member states also have some flexibility in how they implement certain areas of the regulation. The age at which someone can give their own consent to online services, for example, can vary across borders (the GDPR allows member states to set it anywhere between 13 and 16), so it’s worth looking out for points of difference and how you may need to alter your data management approach accordingly.


Number 2 Does it apply to B2C only?

No. Any organisation that processes the personal data of people in the EU, including its own employees, is obliged to comply. Companies with fewer than 250 employees have a narrower record-keeping obligation (the requirement to keep records of processing activities is relaxed for them unless their processing is regular, risky or involves special categories of data), but they still need to evaluate their processes against the requirements.

Voluntary groups, member clubs and charities also need to wise up, and may have a few organisational changes to make too.


Number 3 Do you need to do full data and process mapping?

You’ll certainly have come across a few GDPR rumourmongers stating that full data and process mapping is a mandatory requirement of the regulation. The good news is that you may have less to do than you think.

Whilst extensive end-to-end data and business process mapping is always a useful exercise, it isn’t a requirement in itself. What the regulation does require of most organisations is a record of processing activities (Article 30): what personal data you hold, why, on what basis, who it is shared with and how long you keep it. That is a much lighter inventory than a full process map.

As long as you understand your core data and business processes and how they relate to personal data, you should be well equipped to evaluate and mitigate your key risks without an all-encompassing project.


Number 4 Will a grace period be provided once 25 May arrives?

No. Some would argue the grace period has already been and gone: the regulation was adopted over two years before it applies, and the 25 May 2018 deadline is firm. At a minimum, by the end of May your team members should be fully versed in their roles and responsibilities as they relate to the GDPR. You also need to have your key risks identified, along with a clear action plan to remediate them.

Still feeling stunned? The GDPR will likely require some big changes for you, which can’t happen overnight, but being able to demonstrate that a plan is in place and being worked through can act as a safeguard.

Completing a risk assessment and remediating the high-priority risks first is the best course of action for any organisation feeling afraid, dazed and confused by the GDPR.

A practical, sensible, risk-based approach should ease those sleepless nights in the run-up to May and put you on the right track to achieving GDPR compliance.


Number 5 Which type of data is the most critical?

If you are processing the data of children and offering them online services, you must decide whether you need a system in place to confirm their age and, where they are below the age of consent, to obtain parental or guardian consent.

Information provided to a child should be in an easily understood format. Under the GDPR, a child can give their own consent to online services from the age of 16; member states may lower this to no less than 13, and the UK has set it at 13. Any data relating to children, along with other sensitive personal records, should therefore be regarded as critical data that needs urgent attention.


Number 6 What needs to change immediately?

It will become much more difficult to obtain valid consent under the GDPR, but there are other lawful bases that were largely ignored under the DPA.

Businesses must identify which lawful basis they are relying on for each processing activity: is it necessary for you to gather the data for the performance of a contract? Is it necessary for you to share the data because of a legitimate interest you have? Personal data cannot be lawfully processed without one of these bases, and where consent is the only basis available, existing consent that does not meet the GDPR standard (freely given, specific, informed and unambiguous) cannot be relied on. This can have a significant business impact, since it may considerably reduce your marketing mailing list.
