New data protection regulation: in with GDPR, out with the Data Protection Act


GDPR changes the way companies must gather, handle and store personal data.

From 25 May 2018, the General Data Protection Regulation (GDPR) replaces current EU legislation covering the protection of personal data. In the UK it also replaces the Data Protection Act 1998.

That sounds a long way off but, if your business handles data, you need to get up to speed sooner rather than later. There are fairly hefty financial penalties for organisations that don’t comply.

And small businesses shouldn’t look away just yet. GDPR isn’t just for the Facebooks or Googles of this world – it impacts any business that handles or stores data. Recruitment agencies, photographers, accountants, IT firms and marketing companies will be affected. In fact, it’s hard to think of an industry that won’t need to sit up and take note.

What’s GDPR all about?

The general principle is to level the data protection playing field across Europe. All businesses and organisations handling EU citizens’ personal data will work to the same set of rules, eliminating the current patchwork of pan-European regulations. The regulations will still apply in the UK, regardless of whether we hard Brexit, soft Brexit or end up with something in the middle.

Importantly, accountability lies directly with businesses. You’ll need to show you have suitable policies, assessments and staff training in place.

Businesses that do not actively comply with the regulations, or that suffer a data breach, will be penalised.

Penalties for a data protection breach, or for a failure to notify the Information Commissioner’s Office (ICO) of a breach, mean a fine of whichever is the greater of these two:

  • Up to 4% of annual revenue
  • Up to €20m

It’s fair to say most businesses, large or small, would find paying out these sorts of sums painful.

Protecting personal data

The types of personal data we’re talking about relate to anything that could be used to identify an individual, such as name, address, marital status, job title etc. Under the new regulations the type of data that needs to be protected now also includes genetic, cultural, economic and social identifiers – IP addresses, mental health information, religious or political beliefs, for example.

Individuals must actively give consent for their data to be collected, and must understand exactly what information is being collected and specifically what it’s being used for.

This needs to be explained by businesses in clear and concise language. Also, businesses can’t now collect more data than is needed for a specific purpose. So no more huge forms with excessive data-capture fields and the dubious practice of pre-ticked consent boxes.

A new part of GDPR gives individuals the right to know what data is held about them by different organisations. That means an individual’s data must be stored in such a way that it can be identified quickly and easily. And if the individual wants their data transferred to a different organisation, removed from a database (including copies) or for collection of their data to be halted, they now have a right to ask for that.

These rules are called the ‘right to data portability’ and the ‘right to be forgotten’.

GDPR & data breaches

If a business suffers a data breach, it has 72 hours to notify the ICO. It’s not expected to have fixed the situation in that time but it does need to have taken steps – such as alerting individuals whose data’s been lost, altered, accessed or disclosed without authorisation.

The exact financial penalty applied depends on what steps the organisation has taken to protect the data and how severe the data breach is.

Consumer awareness

While businesses are getting their heads around the new legislation, you can be sure that consumers will also be getting to grips with their new rights. We wouldn’t be surprised if this leads to more people taking businesses to court for incorrectly requesting or handling their data. What’s certain is consumers are going to be much more savvy about their data protection rights than they have been in the past.

Sorry if all this sounds a bit heavy. But that’s because it is. With vast fines and your reputation at stake, it’s simply not worth getting this wrong.

For more information on the details of the new GDPR visit the ICO and read more about how GDPR impacts you.
