The General Data Protection Regulation (EU) 2016/679, and the new Data Protection Act 2018 (DPA 2018) form part of the data protection regime in the UK. The changes introduced by this new regime, mean that most organisations will need to review the processing of personal data and the associated controls.

GDPR Consultancy

GDPR Troubleshooting

Offline and Online Analysis

GDPR Compliance

How Can We Help


Our team of experienced GDPR experts can help your organisation, from assessing your GDPR compliance position and developing a remediation roadmap through to implementing a best-fit data compliance framework. Whether you are an SME, multinational, charity or public sector organisation, we can tailor our GDPR services to your individual needs.

Risk assessment

Looking at how you currently handle personal data and identifying any potential risks associated with this.

Data Identification

Categorising the types of data that your organisation holds and highlighting sensitive personal data that requires additional procuderes to process.

Gap Analysis

an assessment of your organisation’s current level of compliance with the GDPR  and helps identify and prioritise the key areas that your organisation must address urgently.

3rd Parties

Looking at all 3rd parties that handle data on behalf of your company and identify any risks their forms of processing may pose

Policy Review

Looking at your current privacy and retention policies to ensure that they meet the new standards introduced by GDPR.

Data Processing Assessment

Identifying the types of processing you carry out and assessing their compliance with the regulation.

Marketing Consents

Assessment of your marketing activities to ensure that the appropriate steps have been taken to obtain consent from your customers.

GDPR Roadmap

We’ll produce a personalised how-to guide highlighting the areas of your business that are not compliant and the steps required to remedy this

Document Creation

Documents for both online and offline including Website polices and internal templates.

Let's create something together.

Frequently Asked Questions

When did GDPR come into force?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and, unlike a Directive, did not require any legislation to be passed by the government. GDPR on 25th May 2018.

Who is affected by GDPR

The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.

What is classed as personnel data?

The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

How does GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?

The conditions for consent have been strengthened, as companies are no longer able to utilise long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​ Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do companies need to be compliant after Brexit?

If a company processes data about individuals in the context of selling goods or services to citizens in other EU countries then it will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit. If activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms. The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.

What will happen to companies that have missed the deadline?

If the GDPR deadline has been missed, it is imperative the business in question acts urgently to become compliant. Demonstrating strong data rights management is important to both customers and employees; they should understand why the data is collected and how it is handled on a legal basis. Current business data processes need to be looked at as an immediate priority so that the company doesn’t risk non-compliance penalties.


     It All starts when you say hello.

  We would love to hear about your project!


Get In Touch

I am happy to contacted in relation to my query*

2 + 11 =

Please  see our Privacy Policy For More Information

Net Nutz Digital Ltd





M45 6GG

Company Number: 10236234

07905 328 772