The General Data Protection Regulation: the new dawn of data protection is on the horizon

On 25th May 2018 a new law will be imposed called the General Data Protection Regulation (or the GDPR for short).

Video courtesy of ThinkBDA Limited

There has been a lot of coverage on the GDPR, not least due to the headline-grabbing threat of fines of up to 20 million Euros or 4% of a business’ global turnover, whichever is the greater.  This is certainly significantly more punitive than the maximum of £500,000 under the existing law.

The GDPR will override the Data Protection Act 1998 and, in doing so, will bring about the biggest change to data protection law in over 20 years.  The Brexit vote caused widespread confusion as to the future applicability of the GDPR to organisations in the United Kingdom.  However, it has now been made clear that businesses should prepare to comply with the GDPR regardless of Brexit.

The countdown clock to its implementation is therefore ticking and all organisations, regardless of their size or remit, will have to take notice of the GDPR and be prepared for it.  

What steps should businesses be taking to comply?

Many businesses will be unsure of what they should actually be doing to get ready.  Getting to grips with the GDPR can certainly appear daunting and here at Franklins we are available to offer Partner led tailored advice and assistance which is focused on the steps that an organisation should put in place to get themselves ready.  

We have produced a summary of some of the key aspects of the GDPR.  However, this is not a substitute for legal advice and there is clearly a great deal of detail in the GDPR which cannot be covered in such an overview guide.  Further information can be found on the website of the Information Commissioner’s Office.

By way of expansion upon this summary, businesses should be aware of the following:

  • The new law imposes enhanced transparency obligations on data controllers.  Under the GDPR, data controllers must provide data subjects with information notices which contain prescribed information about the processing of the data subject’s personal data.  Whether they are referred to as privacy policies, data protection statements or something else entirely, the information that an organisation gives to individuals when they collect their data will therefore clearly need to be reviewed and updated to meet the new information standards in the GDPR.
  • In addition to the content of information notices, all points of data collection will need to be assessed to ensure that explicit consent to such notices is properly requested.  Under the GDPR, businesses are required to meet a higher standard of consent and acquiescence (such as by failing to un-tick a pre-ticked box in a privacy policy) will no longer indicate valid consent.
  • Implementation of measures under the GDPR will, in some cases, require the appointment of a data protection officer.  An organisation will therefore need to make an assessment as to whether or not it is required to appoint a data protection officer.
  • The GDPR builds on the current law by enhancing existing data subject rights and adding a number of entirely new data subject rights.  New rights include the “right to be forgotten” and “data portability rights”.
  • When appointing a data processor (which could include a supplier or sub-contractor), a data controller must ensure that a written data processing agreement is in place which meets detailed requirements set out in the GDPR.  
  • The supervisory authorities will retain broad investigative and enforcement powers.  These include being able to hand out the headline-grabbing fines set out above.

Why should you seek legal assistance to prepare for the GDPR?

If you are asking yourself why you should engage us to assist you with your preparation for the GDPR’s implementation, the answer is quite simple: you will be compliant with the new law from when it comes into force, you will be able to demonstrate your compliance and, as a result, you will mitigate the risk of investigative action, negative publicity and losing ground to better-prepared competitors.

As a firm, we are adopting a four stage approach to assisting businesses with the GDPR as follows:

  • Stage 1: if an organisation wishes to receive our assistance, we will send them a questionnaire and documentation request for them to complete and return so that we can understand how the GDPR is likely to impact upon them.
  • Stage 2: we will then consider the responses and documentation provided to us.  Based on this review, we will provide a proposal for providing written advice on the GDPR which is tailored to the business.
  • Stage 3: if the organisation wishes to proceed in engaging us, we will provide them with the tailored written advice.  In addition to providing them with advice on the GDPR which is bespoke to them, this will set out any advisable actions such as in respect of amending or drafting policies, procedures and contracts to ensure compliance.  Our proposals for assisting with such actions will also be set out.
  • Stage 4: if the business also wishes to engage us to assist with the actions we have advised, we will then undertake this work for them.

We hope that you find this overview of assistance.  If you require further advice or assistance regarding the GDPR then please do not hesitate to contact Christopher Buck on 01908 660966 or

Next step