General Data Protection Regulation (GDPR) - what you need to know

10 Jul 2018

GDPR is one acronym it’s been impossible to ignore in recent months.  The implementation date may have passed, but GDPR represents a regime that is here for good, and for good reason; it’s something we must all embrace.

High profile data breaches and cyber attacks certainly hit the headlines, from the Yahoo! breach in 2014 that affected over 500 million user accounts, to the more recent revelation that Dixons Carphone suffered a huge data breach in July 2017 involving over 5.9 million payment cards and 1.2 million personal data records sourced from UK High Street staples such as Curry’s, PC World and Carphone Warehouse.

Naturally, businesses are concerned about becoming the next victim of a cyber attack and suffering huge costs to fix the problem while risking a loss of reputation as a consequence. How such data breaches can best be prevented is a hot topic, and questions are being asked about whether the new standards for processing data in the EU under the General Data Protection Regulation (GDPR) are of help. Thanks to extensive media coverage, most businesses were well aware of the implementation of GDPR on 25 May and made preparations to comply with it. However, there still seems to be some confusion as to what the new standards and requirements under GDPR are in practice, and what the consequences of non-compliance are.

One of the changes under the new legislation requires that businesses know what data they have in their possession. This includes knowing what type of data it is, where it comes from and what its purpose is. Businesses should make a thorough assessment of their records and remove any data where the purpose for which it was collected has been fulfilled or the data is no longer required. If businesses are relying on consent from parties to process the data, then they must be able to demonstrate that they have obtained a clear and unequivocal response that is specific to the use of the data.

Under GDPR, there has been an expansion as to what the law considers personal data, and stricter requirements apply to sensitive data. Personal data includes any piece of information that can be used to identify a person, and sensitive data covers information such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (used for identification purposes), health data and data relating to sexual orientation. In order for a company to collect personal data, including customers’ IP addresses or users’ social media posts, it must explicitly ask customers for permission. Additionally, businesses must provide access to a customer’s data on their request.

Handling of personal data comes with responsibility, and there are inevitably expenses associated with implementing data protection policies, risk assessments and wider policy changes. The investment of funds and resources to implement appropriate policies and to appoint a data protection officer, however, is worth it because businesses can face hefty fines for non-compliance. The Information Commissioner’s Office (ICO) has two tiers of administrative fines, depending on the provision breached. The first tier carries a fine of up to €10 million (£8.7 million) or 2% of annual global turnover, whichever is higher; the second carries a fine of up to €20 million (£17.5 million) or 4% of annual global turnover, whichever is higher.

If you are at all concerned about whether or not your business is GDPR compliant or if you would like more information on how you can protect your business or your data, please contact Robert Ganpatsingh.

Written by Julie Marie Stacey, edited by Beatrice Bass
