The General Data Protection Regulation: the new dawn of data protection is here

On 25th May 2018 a new law came into force called the General Data Protection Regulation (or the GDPR for short).

Video courtesy of ThinkBDA Limited

There has been a lot of coverage on the GDPR, not least due to the headline-grabbing threat of fines of up to 20 million Euros or 4% of a business’ global turnover, whichever is the greater.  This is certainly significantly more punitive than the maximum of £500,000 under the previous law.

The GDPR has overridden the Data Protection Act 1998 and, in doing so, has brought about the biggest change to data protection law in over 20 years.  The Brexit vote caused widespread confusion as to the future applicability of the GDPR to organisations in the United Kingdom.  However, it has been made clear that businesses should comply with the GDPR regardless of Brexit.

All organisations, regardless of their size or remit, will have to take notice of the GDPR and comply with it.  

What steps should businesses take to comply?

Many businesses will be unsure of what they should actually have done to comply.  Getting to grips with the GDPR can certainly appear daunting and here at Franklins we are available to offer Partner led tailored advice and assistance which is focused on the steps that an organisation should put in place to get themselves compliant.  

Businesses should be aware of the following:

  • The new law imposes enhanced transparency obligations on data controllers.  Under the GDPR, data controllers must provide data subjects with information notices which contain prescribed information about the processing of the data subject’s personal data.  Whether they are referred to as privacy policies, data protection statements or something else entirely, the information that an organisation gives to individuals when they collect their data need to be reviewed and updated to meet the new information standards in the GDPR.
  • In addition to the content of information notices, all points of data collection need to be assessed to ensure that explicit consent to such notices is properly requested.  Under the GDPR, businesses are required to meet a higher standard of consent and acquiescence (such as by failing to un-tick a pre-ticked box in a privacy policy) will no longer indicate valid consent.
  • Implementation of measures under the GDPR will, in some cases, require the appointment of a data protection officer.  An organisation therefore needs to make an assessment as to whether or not it is required to appoint a data protection officer.
  • The GDPR builds on the previous law by enhancing existing data subject rights and adding a number of entirely new data subject rights.  New rights include the “right to be forgotten” and “data portability rights”.
  • When appointing a data processor (which could include a supplier or sub-contractor), a data controller must ensure that a written data processing agreement is in place which meets detailed requirements set out in the GDPR.  
  • The supervisory authorities retain broad investigative and enforcement powers.  These include being able to hand out the headline-grabbing fines set out above.

Why should you seek legal assistance to comply with the GDPR?

If you are asking yourself why you should engage us to assist you with your compliance with the GDPR, the answer is quite simple: you will be compliant with the new law, you will be able to demonstrate your compliance and, as a result, you will mitigate the risk of investigative action, negative publicity and losing ground to better-compliant competitors.

As a firm, we are adopting a four stage approach to assisting businesses with the GDPR as follows:

  • Stage 1: if an organisation wishes to receive our assistance, we will send them a questionnaire and documentation request for them to complete and return so that we can understand how the GDPR will impact upon them.
  • Stage 2: we will then consider the responses and documentation provided to us.  Based on this review, we will provide a proposal for providing written advice on the GDPR which is tailored to the business.
  • Stage 3: if the organisation wishes to proceed in engaging us, we will provide them with the tailored written advice.  In addition to providing them with advice on the GDPR which is bespoke to them, this will set out any advisable actions such as in respect of amending or drafting policies, procedures and contracts to ensure compliance.  Our proposals for assisting with such actions will also be set out.
  • Stage 4: if the business also wishes to engage us to assist with the actions we have advised, we will then undertake this work for them.

We hope that you find this overview of assistance.  If you require further advice or assistance regarding the GDPR then please do not hesitate to contact Christopher Buck on 01908 660966 or

Next step