The EU General Data Protection Regulation – What You Need To Know

The EU’s General Data Protection Regulation (EU) 2016/679 (GDPR) will replace the current Data Protection Act 1998 (DPA 1998) with effect from 25 May 2018.

Although the data protection principles under the GDPR are similar to those in the DPA 1998, the GDPR imposes additional obligations on data controllers which businesses processing personal data will need to be aware of, and comply with, from 25 May 2018. Such businesses should therefore assess their existing data collection and management processes now, and be prepared to revise their privacy notices and consent procedures so that they are compliant by the time the GDPR comes into force.

What is new?

Key areas of change include the following:

  • a new ‘accountability’ requirement on data controllers to demonstrate compliance with the data protection principles;
  • a higher standard when relying on consent to process personal data, requiring unambiguous consent and clear affirmative action, meaning silence, pre-ticked boxes or inactivity will not constitute consent under the GDPR;
  • data processors to be held liable in their own right for the first time;
  • stricter data breach notification rules; and
  • an increase in the maximum fine for non-compliance to 20 million euros or 4% of total annual worldwide turnover, whichever is greater.

What should your business be doing now?

To demonstrate compliance with the GDPR, and the new ‘accountability’ principle in particular, businesses will need to:

  • document the decisions taken about the data processing activity;
  • implement internal data protection policies, for example a ‘Data Protection Policy’ and/or a ‘Data Protection Manual’;
  • implement staff training on data protection compliance; and
  • implement internal audits of processing activities.

Businesses relying on consent to process personal data will also need to be able to demonstrate that the data subject consented, by keeping a record of how and when that consent was given. Where consent is requested as part of a written declaration which also covers other matters, the request for consent should be presented in a manner which is:

  • clearly distinguishable from other matters;
  • in an easily accessible form; and
  • made using clear and plain language.

For further information, advice or for a review of existing data protection policies please do not hesitate to contact Scott Richardson, in our Commercial Business team on 01329 227907 or scott.richardson@glanvilles.co.uk.