GDPR (the General Data Protection Regulation) comes into effect in the UK on 25th May 2018.
GDPR replaces the existing data protection regime (in the UK, the Data Protection Act 1998) and, as an EU Regulation, applies directly in all 28 EU member states. Even though the UK is going through Brexit, it will still be a member state on 25th May 2018, so UK businesses still need to comply with the new legislation.
Why is GDPR being implemented?
It is being implemented to improve transparency and the effectiveness of data protection: how businesses obtain consent from new and existing prospects and customers, how people subscribe to mailings, and how their details are stored. Customers need to know exactly how their personal data is being used and for what purpose.
Security of data is a central part of this. The legislation also makes businesses explicitly responsible for keeping personal information safe and for implementing the security measures needed to do so.
How does it affect UK businesses?
1. UK Businesses need to give clarity over personal data
Customers will need to know who has their data and why. Under GDPR, businesses will be required to be clearer at the point they collect customer data and to explain what it will be used for.
For example, a customer can no longer be automatically opted in to marketing such as email newsletters. Consent must be a clear, affirmative action by the customer, so an opt-in box must not be pre-ticked.
2. They will need to give control back to customers
As well as making consumers aware of why a business holds their data, businesses need to give them control over it, for example the ability to have it corrected or deleted on request.
This right to be forgotten (the right to erasure) lets individuals ask for the personal data a business has collected about them to be deleted. It is not absolute: it applies only in specified circumstances, such as where the data is no longer needed for the purpose it was collected for or where consent is withdrawn. It is also worth noting that the definition of personal data is wider than before and expressly includes online identifiers such as IP addresses and cookie identifiers, as well as genetic data such as DNA.
3. Improved security measures will need to be in place
Security breaches at major organisations are not unheard of, and under GDPR it is the business's responsibility to implement appropriate technical and organisational measures so that personal data is kept safe and protected.
If a breach does occur, businesses, large or small, have just 72 hours from becoming aware of it to notify the ICO (unless the breach is unlikely to result in a risk to individuals), and if the breach is likely to result in a high risk to individuals, those individuals must be told as well, without undue delay.
4. They will be subject to stricter ruling
The ICO's powers are being extended to help protect UK consumers from having their data misused or stolen. The number of punishable offences is increasing, and so is the limit on the fines the ICO can impose. From 25th May 2018, the maximum fine will be €20 million (around £17 million) or 4% of global annual turnover, whichever is higher, which is drastically more than the current limit of £500,000.
GDPR - what do businesses need to do?
UK businesses need to make themselves aware of the new GDPR legislation, in particular how their own business manages, protects and administers customers' data, and what they need to do to comply.
We also strongly recommend reading the explanation of the GDPR on the Information Commissioner's website at