General Data Protection Regulation (GDPR)

We are now less than a year away from the coming into force of the long awaited General Data Protection Regulation (GDPR). The GDPR will apply from 25th May 2018 but businesses should start preparing well in advance for this wholesale change in the law relating to data.


The GDPR will affect every business that ‘processes data’. In fact, it is difficult to think of any business that will not be affected by the regulations, as any enterprise that has the names and addresses of employees or customers kept in a paper file or on a computer, will be deemed to be ‘processing data’ and will therefore come within the provisions of the regime.


So what will be changing?


The first thing to note is that the penalties for non-compliance are now much greater, and may easily impact on businesses solvency. The penalty for breach will be up to 4% of global turnover or 20 million Euros, whichever is greater.


The other key changes are:


Expanded reach – the GDPR catches data controllers and processors based outside the EU who hold data on those within the EU. This will be particularly relevant, not only to US businesses trying to sell into the EU, but also to British businesses trying to sell into the EU post Brexit. By way of example, any business which trades online with customers in the EU will have to comply, irrespective of where it is based.


• Direct obligations for data processors – Businesses that process data will be required to implement organisational measures to ensure that they process that data in a compliant way.


• The establishment of a new “European Data Protection Board” – This will be set up to oversee the implementation of the GDPR and to exercise an advisory function.


• Onerous obligations on data controllers – Data controllers can be asked to demonstrate compliance with the directive, conduct impact assessments, and evidence implementation of compliant systems.


• Consent – Data controllers will need to demonstrate that the data subject (customer) has given their consent freely. The days of pre-ticked consent boxes will be over. The provisions will require businesses to keep an audit trail of customers’ consents. Businesses are required to review their online terms and conditions to ensure that the way in which they capture customers’ data is fully compliant.


• Duties to notify breaches – There is a duty on businesses that process data to notify affected data subjects of any breach of the data protection legislation. This means that if a business loses or inadvertently destroys a customer’s data, there is a duty on that business to ‘own up’ to the customer whose data was lost that a breach of the data protection legislation has occurred.


• Right to be forgotten – Individuals will now have a right, in certain circumstances, for their data to ‘be disappeared’ and to require businesses that process their data to expunge it from their records.


Clients are best advised to get their data protection policies in order ahead of the change in the law and to:


1. Prepare for data security breaches – review policies and ensure that they deal with the data subject’s right to notification for breach.

2. Establish framework for accountability – implement policies and cultures designed to minimise risk, conduct impact assessments.

3. Privacy by design – all multi-channel sales portals should be fully equipped to deal with the new directive.

4. Analyse legal basis of personal data use – businesses should review their data processing activity and establish what processing is undertaken and what aspects of compliance the business will need to prove under the new regime.

5. Check privacy notices and policies – all privacy notices, whether online or elsewhere should be transparent and easily accessible.

6. Bear in mind rights of data subjects – how do these rights compete with the business’s legitimate interests and what if an individual tries to exercise them?


As customers become increasingly aware of their rights as data subjects and of the obligations of businesses who process their data, compliance with the GDPR is not something that businesses can afford to ignore.

If you would like further guidance on ensuring that your business is ready to meet the demands of the GDPR please contact Tim O’Callaghan on 0207 3795114.

Back to Main News page