New data protection regulation: in with GDPR, out with the Data Protection Act
GDPR changes the way companies must gather, handle and store personal data.

From 25 May 2018, the General Data Protection Regulation (GDPR) replaces current EU legislation covering the protection of personal data. In the UK it also replaces the Data Protection Act 1998.

That sounds a long way off but, if your business handles data, you need to get up to speed sooner rather than later. There are fairly hefty financial penalties for organisations that don’t comply.

And small businesses shouldn’t look away just yet. GDPR isn’t just for the Facebooks or Googles of this world – it impacts any business that handles or stores data. Recruitment agencies, photographers, accountants, IT firms and marketing companies will be affected. In fact, it’s hard to think of an industry that won’t need to sit up and take note.

What’s GDPR all about?

The general principle is to level the data protection playing field across Europe. All businesses and organisations handling EU citizens’ personal data will work to the same set of rules, eliminating the current patchwork of pan-European regulations. The regulations will still apply in the UK, regardless of whether we hard Brexit, soft Brexit or end up with something in the middle.

Importantly, accountability lies directly with businesses. You’ll need to show you have suitable policies, assessments and staff training in place.

Businesses not actively complying with the regulations, or who suffer a data breach, will be penalised.

Penalties for a data protection breach, or for a failure to notify the Information Commissioner’s Office (ICO) of a breach, mean a fine of whichever is the greater of these two:

  • Up to 4% of annual revenue
  • Up to €20m

It’s fair to say most businesses, large or small, would find paying out these sorts of sums of money painful.

Protecting personal data

The types of personal data we’re talking about relate to anything that could be used to identify an individual, such as name, address, marital status, job title etc. Under the new regulations the type of data that needs to be protected now also includes genetic, cultural, economic and social identifiers – IP addresses, mental health information, religious or political beliefs, for example.

Individuals must actively give consent for their data to be collected, and must understand exactly what information is being collected and specifically what it’s being used for.

This needs to be explained by businesses in clear and concise language. Also, businesses can’t now collect more data than is needed for a specific purpose. So no more huge forms with excessive data-capture fields and the dubious practice of pre-ticked consent boxes.

A new part of GDPR gives individuals the right to know what data is held about them by different organisations. That means an individual’s data must be stored in such a way that it can be identified quickly and easily. And if the individual wants their data transferred to a different organisation, removed from a database (including copies) or for collection of their data to be halted, they now have a right to ask for that.

These rules are called the ‘right to data portability’ and the ‘right to be forgotten’.

GDPR & data breaches

If a business suffers a data breach, it has 72 hours to notify the ICO. It’s not expected to have fixed the situation in that time but it does need to have taken steps – such as alerting individuals whose data’s been lost, altered, accessed or disclosed without authorisation.

The exact financial penalty applied depends on what steps the organisation has taken to protect the data and how severe the data breach is.

Consumer awareness

While businesses are getting their heads around the new legislation, you can be sure that consumers will also be getting to grips with their new rights. We wouldn’t be surprised if this leads to more people taking businesses to court for incorrectly requesting or handling their data. What’s certain is consumers are going to be much more savvy about their data protection rights than they have been in the past.

Sorry if all this sounds a bit heavy. But that’s because it is. With vast fines and your reputation at stake, it’s simply not worth getting this wrong.

For more information on the details of the new GDPR visit the ICO and read more about how GDPR impacts you.
