
August 17, 2017


From the 25th May 2018, all EU businesses and public services will have to comply with the General Data Protection Regulation (GDPR). Chelsea Parker, corporate commercial executive at Greenaway Scott, explains why it is important for UK companies to assess their levels of data protection in advance of the changes.

On 4th May 2016 the GDPR was published in the Official Journal of the European Union. It states that all EU organisations will have to comply with its stipulations by 25th May 2018, meaning that there will be changes to UK data protection law which will affect all organisations regardless of their size.

Parliament has confirmed that the UK will still adopt the GDPR principles, regardless of the vote to leave the EU, as many companies will continue to deal with companies in EU member states and continue to share data. It is, therefore, crucial that the UK is compliant and is considered as providing an adequate level of data protection.

The GDPR has been introduced due to the significant advance in information technology and the ways in which data is shared between companies and processed. It will also provide greater harmonisation of data protection laws across EU member states. The original Data Protection Directive that was introduced back in 1995 has been interpreted in a variety of ways which has created compliance difficulties for businesses. The GDPR's fundamental purpose will be to create a single legal framework which will then be used across all EU member states.

It's recommended that a first step would be to conduct an audit to understand what personal data you hold about your staff, customers and third parties, how it is collected, where it is stored and what policies and procedures you have in place to protect it. An important addition under the GDPR is the principle of accountability, which means you will need to demonstrate what you are doing to comply with its principles. Undertaking an audit now will provide you with the opportunity to evaluate current processes and update or streamline them as required in preparation to be compliant before next year. Another thing to consider is the increased enforcement powers the ICO (Information Commissioner's Office) will have. The maximum fines that can be imposed for breaching data protection laws will increase significantly, so proving accountability, a sensible approach and awareness of responsibilities is going to become essential.

Some of the policies and procedures that can be updated in advance include those relating to individuals' rights and personal data. The GDPR introduces some new rights for individuals as well as some changes to the rights currently in place. For example, if a data subject makes a subject access request there will now be less time to provide the required information and you will have to provide the information free of charge. The £10 fee that could previously be charged will be removed. The right to deletion, or the 'right to be forgotten', is also being strengthened under the GDPR although this is still not an absolute right.

The rules around consent are also being enhanced. In order to process an individual's personal data, you must have a lawful reason. If you rely on consent as the lawful reason for processing data then you must make sure the way in which you collect the consent complies with the GDPR. Consent must be provided by a positive, affirmative action, so pre-ticked boxes, for example, will no longer comply. Consent must also be as easy to withdraw as it is to give. This is also connected to the right to be informed, which again has been strengthened. There is further information that must now be provided when you collect data from an individual, so it is advisable to review any privacy notices that you have in place as well as the way in which you collect consent for processing data.

Finally, it is important to consider and understand fully how the personal data you hold is protected. Businesses must ensure that they have 'appropriate technical and organisational measures' in place to protect the data they hold. This is increasingly important given the recent cyber attacks and the record fines issued last year by the ICO. Carrying out an internal review and risk assessment of the IT and security measures you have in place now is essential.

The ICO has published an updated data protection self-assessment toolkit for SMEs which will help you assess your progress in preparing for the GDPR. The ICO has also updated its "12 steps to take now" guidance, which will help you start to put the right processes in place to comply with the provisions of the GDPR when they come into force next year.

If you would like advice on data protection and the impact the GDPR may have on your commercial contracts please contact the Commercial team by emailing 


This article was first published on The Insider Media Website on the 17th August 17 and can be read here. 
