Ready or not? Everyone is reading this.

Are you a start-up, a business, a charity or a public corporation? Are you a “controller” or “processor” of personal data? Does your business have a client database? Do you sell products or services overseas? Do you have a list of email address contacts for business purposes? if so, you need to start preparing for the GDPR (General Data Protection Regulation).

What is the GDPR?

The GDPR is Europe’ s new framework for the data protection laws. It comes into effect on 25 May 2018 and will replace the 1995 EU Data Protection directive upon which our current Data Protection Act 1988 is based. The legislation is designed to harmonise data privacy laws across Europe, give greater rights and protection to individuals as well as impose tougher rules on individuals, organisations, public bodies and companies that handle data i.e. “controllers” or “processors” of personal data.

The United Kingdom’s new data protection legislation which will implement the GDPR was published on 14 September 2017. The bill is currently going through the House of Commons and the House of Lords.

What is personal data?

Personal data means any information that can be used to identify a living individual. This can be a name, date of birth, telephone number, IP address etc.

What are the main changes?

1. Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and keeping documents on how you process data.

2. A company with more than 250 employees must have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long its being kept for and descriptions of the security measures in place.

3. Companies that have “regular and systematic monitoring “of individuals on a large scale or which process a lot of sensitive personal data have to employ a data protection officer (DPO) who has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

4. Businesses must obtain consent from customers to process data in some situations. When an organisation is relying on such consent there has to be a “positive opt-in” by the customer. Pre-ticked opt-in boxes are not indications of valid consent.

5. Consent for children must be given by the child’s parent or guardian and must be verifiable.

6. The new law provides five other ways of processing data that may be more appropriate than consent e.g. Legitimate interest, compliance with a legal obligation, to enable performance of a contract, protection of the vital interests of a data subject or other person and performance of a task in the public interest. Whichever basis you use, you need to document your decisions to be able to demonstrate to the ICO which lawful basis you have used.

7. Individuals will now have a lot more power to access the information that is held about them. The current Subject Access Request (SAR) fee of £10 under the current regulations will be scrapped under the GDPR and requests for personal information can be made free-of-charge.

8. When someone asks a business for their data, the business must provide the information within one month.

9. The GDPR also gives individuals the right to get their personal data erased in some circumstances. This would apply if consent is withdrawn, it is no longer necessary for the purpose it was collected, the information was unlawfully processed or there is no legitimate interest.

10.Any data breach must be notified to the Supervisory Authority (ie the ICO) within 72 hours after having become aware of the data breach.

11.Individuals must be notified if an adverse impact is determined.

12.The data processor or controller does not have to notify the data subjects if anonymised data is breached.

13.GDPR fines: The legislation also introduces the following sanctions

(a) a warning in writing in cases of first and non-intentional non-compliance.

(b) regular periodic data protection audits and

(c) the power to fine businesses for non-compliance. So, if a business does not process a person’s data correctly, it can be fined. If a business does not have a Data protection officer when it should have one it can be fined. If the business commits a security breach it can be fined. The fines will be decided upon by the ICO’s office. The GDPR sates that smaller offences could result in fines of 10 million Euros or two percent of a firm’s global turnover whichever is greater. More serious offences can result in fines of up to 20 million Euros or four percent of a firm’s global turnover whichever is the greater. These sums are larger than the £500,000 penalty currently levied by the ICO. The ICO have said that their primary intention is to work with businesses and other organisations to ensure compliance and that fines will not be imposed heavy-handedly.

Who will enforce it in the UK?

The Information Commissioner’s Office.

What about Brexit?

The GDPR takes effect on 25 May 2018 and Brexit is due to happen in the Spring of 2019. The GDPR will be law before the UK leaves the EU. After Brexit the GDPR provisions will be retained in UK law.

How can I prepare my business for the GDPR?

To help businesses prepare for the GDPR, the ICO has created a 12-step guide available here:

This guide covers steps that a business should take such as ensuring that decision makers and key people in the organisation are aware of the changes, the carrying out of information audits, reviewing current privacy notices, consent documentation etc, the checking and updating of current procedures and the designation of a DPO as appropriate.

And remember, if you need advice on the GDPR or any business matter that is bothering you, call us on telephone nos 01234 834620/01234 83462 or contact Eve Jarrett at

1 view0 comments

Recent Posts

See All



01234 938089/938090 (Bedford Office)

    0207 846 0123 (London Office)


Mobile: 07745996907



Appointments are available in the office, by telephone or video conference with Skype.





London Office:

3rd Floor

86-90 Paul Street

London EC2A 4NE   

Bedford Office:

Excel House

3 Duke Street 

Bedford MK40 3HR   


  • Black Facebook Icon
  • Black LinkedIn Icon
  • Black Twitter Icon

Pure Business Law is the trading name for Pure Business Law Ltd-a private limited company registered in England & Wales with company registration number 10405413. Registered office and Principal place of business : Excel House, 3 Duke Street, Bedford. MK40 3HR. VAT number 265 5386 75.



Pure Business Law is authorised and regulated by the Solicitors Regulation Authority (SRA number 635679)- we are governed by the SRA's  professional rules which may be found at A list of our directors is available on request.  The term "director" denotes a shareholder or director of the company or an employee or consultant who is a lawyer with equivalent standing and qualifications. Calls may be recorded for security and training purposes.


Terms and Conditions   |   Privacy Notice , Disclaimer  & Cookie policy