What is GDPR?

... and why you should care!


What is GDPR?

GDPR is the new data protection legislation.

It originates in the EU, and is already part of UK law.

It comes into force on 25th May 2018.

If you are involved in an organisation, it will have an impact on you!

Download the full regulation free here!

What is different in GDPR?

Much of the law about data protection is similar to the Data Protection Act (DPA), but there are some significant differences.

You are guilty!

It is a core tenet of UK law that you are 'innocent until proven guilty'. Not any more! Under GDPR the presumption is you are guilty unless you can prove you are not!

Furthermore, you cannot 'pass the buck' any more. If you are a data controller, or a data processor, and that covers everyone, you are jointly liable unless you can prove you are 'in no way responsible'. Can your policies, practices and systems deliver that?

Massive fines!

The law says fines should be 'dissuasive', and they are going to be! €20 Million or 4% of last year's global annual turnover, whichever is GREATER!

This means the scope for fines has been increased by 40 times! And it's intended to be simpler than ever to complain to the regulator. Does your cashflow have that much slack?

Data subjects are entitled to claim damages for infringements. They were before, but had to show they had suffered some material harm. Now non-material damages are provided for.

This means 'offending' or 'upsetting' a data subject will be adequate for them to claim damages, and you are automatically guilty, unless you prove otherwise.

Class Actions

The damages can now be treated as a class action, so all data subjects can benefit, meaning the costs are far more significant.

Legal teams are preparing to prosecute class actions, and who can blame them, the potential value is so magnified. The scope of a fine can be understood, but class actions are without limit.

Contracts required

The processing of personal data by another organisation must be governed by a written contract. This means the contract can be examined to determine where blame lies.

If you do not have a written contract, you are at fault. Even if you do, you are jointly liable with the other party for any infringements, unless the contract exonerates you.

Restricted overseas transfers

Transferring personal data overseas is more fraught. You take greater responsibility, and must be sure your data resides in a territory with an 'adequate' data protection regime.

This includes 'rule of law', 'respect for human rights and freedoms' and 'effective and enforceable data subject rights', amongst others. You should review any overseas transfer.

Subjects to understand processing

For processing to be legal it must be 'fair and transparent'. This means the data subject must know how you will use their data, how long you will keep it, and YOU must inform them of their rights!

These rights include the right to access, the right to object, the right to erasure, the right to rectification, the right to not be subject to automated decision making. None of them are absolute, be aware of your circumstances.

Subject Access Requests

The right to access has been stiffened. The data must be provided free of charge, and within 30 calendar days. If you hold large volumes of personal data, or have it in distributed or multiple systems, you should review how you will comply.

In addition, for certain organisations, this opens the possibility of access requests being used as weapons. Consider BP after Blue Water Horizon, how would they have coped with perhaps 500,000 subject access requests?

Stronger enforcement

The ICO is hiring 200 more 'lawyers, analysts, investigators, and others' as the agency prepares to enforce compliance. A Telegraph article covers how the Commissioner put it to a House of Lords committee.

The ICO also has an incentive to act. They are to become self-funding from the fines and penalties they raise against non-compliant organisations. You are going to have to fight them, but first you need that proof!

So, you manage an organisation ...

Who's responsible for the protection of personal data?

If you don't know – it's probably you!

What have you done about personal data protection?

If you don't know, you probably need to think about it!

FREE initial consultation!

Call now on 0800 2800 679

eMail enquiries@dept679.com