
New Data Protection Laws - It’s the Final Countdown

on Thursday, 08 June 2017.

In May 2016, organisations were given two years to get ready for some big data protection changes. The first year has flown by and now there is just under one year to go.

On 25 May 2018, and regardless of Brexit, the EU General Data Protection Regulation (GDPR) takes effect, replacing the current Data Protection Act (DPA), under which we have operated for the last 20 years. There is no 'grace period' under the GDPR and therefore businesses are expected to be compliant from the get-go next May.

What Does It Do?

The GDPR will introduce new concepts and approaches that will require you to implement new practices around data protection, information security and privacy. Many organisations are already gearing themselves up for the changes and if you have not yet started, it is important that you do so now. It will involve changes in procedures and contracts.

What Happens if It Is Breached?

Breaching the GDPR could result in fines of up to the greater of 20 million Euros or 4% of annual worldwide turnover. Under the DPA, fines are currently capped at £500,000.

What Should You Be Doing Now?

  • Plan ahead. Audit and document what personal data (and particularly sensitive personal data such as data about health, race or religion) you hold, where you obtained it, what it is used for, where and how it is stored and with whom it has been shared. This will help you to understand your data flows so that you are clear what steps you need to take to become compliant.

  • Review and update your privacy notices. You must give people certain information about how their personal data is used. This information is usually provided in a document known as a privacy notice. The GDPR will require significantly more information to be included in privacy notices than the DPA currently does. For example, you must tell individuals about their right to complain to the ICO, about how long their data is kept for as well as the legal basis that you are relying on to process their personal data (eg consent, legitimate interest and so on).

  • Pay attention to your marketing materials - particularly if they allow you to obtain consent as a justification for processing data. You will need to review how you obtain this consent - the GDPR requires a very high standard of consent which must be given by a clear affirmative action (freely given, specific, informed and unambiguous).

  • Think information security. The GDPR contains more detail around what you must do to keep personal data safe (eg by using encryption, data protection policies, etc).

  • Protect data by design and default. Some data uses need additional safeguards such as privacy impact assessments. Is your organisation set up to enable you to do this?

  • Review your record keeping obligations. The GDPR contains extensive record keeping obligations. It is not sufficient to be compliant; you also need to demonstrate that compliance.

  • Be aware of your duty to report breaches. There are new requirements to report data breaches to the regulator and in some cases to individuals affected. This has to be done without undue delay and generally within 72 hours. Do you have systems in place to be able to respond where necessary?

  • Consider appointing a Data Protection Officer (DPO). Any DPO appointed can, but does not have to, be an employee, but must be independent and must also be given the resources to do their job.

  • Ensure measures are put in place to deal with data portability and the right to be forgotten. Data subjects have new rights for their data to be removed or provided in a common transferable format to other people. Are you able to respond to such requests?

  • Identify your data processors. The GDPR will introduce new requirements around data processors. Data processors are organisations who handle personal data on behalf of others. All of the following are examples of data processors: cloud storage providers, payroll service providers and organisations which send out email or postal mailshots on behalf of their client.

  • Enter into written contracts with your data processors. You must ensure that there is a written contract in place with your data processors and that appropriate due diligence is carried out. The GDPR is far more prescriptive than the DPA in terms of what must be included in the written agreement, so it is important to make sure your data processing agreements are updated to be GDPR compliant.

  • Be aware of your own data processing obligations. If you are a data processor, then the GDPR represents a significant change. Data processors currently have no regulatory obligations under the DPA (even if data processors had contractual obligations to data controllers) but will owe extensive obligations under the GDPR (e.g. around information security and reporting breaches to their customers).

How We Can Help

There are many issues organisations need to be aware of and prepare for now in order to be GDPR compliant. As part of the service we offer, we can undertake GDPR audits, provide training to staff and assist with GDPR compliant policies and procedures. There is a lot to do but we are here to help.


For more information or advice, please contact Andrew Gallie in our Data Protection team on 0117 314 562.
