The new GDPR regulations explained…


Currently, in the UK, businesses operate under the Data Protection Act 1998 (which implemented the EU Data Protection Directive 95/46/EC), a framework that was established at a time when people had less of an online presence, before the loyalty card was prevalent in the retail industry and when people were often still managing their data in a very manual way. As we turned digital, there was a radical shift in the volume, variety and speed at which data was being produced. Discussions have been ongoing in the EU for many years about the implementation of a new data protection regime to address these changes.

Towards the end of 2015 the European Parliament and the Council gave informal political approval of the General Data Protection Regulation (GDPR) and formally adopted it in April 2016. The GDPR was published in the Official Journal on the 4th May 2016, and it is due to enter into force on the 24th May 2016. Once law, there will be a 2 year implementation period before the GDPR comes into effect, and businesses will need to comply with its provisions from 25th May 2018.

The GDPR focuses heavily on protecting individuals and their data. It has also been intentionally agreed as a regulation, which means it will be a single piece of legislation directly applicable across all EU Member States. The GDPR includes a number of new and increased obligations businesses will need to adhere to, including the elements described below:

Key elements in the new EU General Data Protection Regulation

1. Rights of Individuals

There has been a desire to strengthen data subject rights within the GDPR. To this end, a number of new (e.g. the Right to be Forgotten) or enhanced (e.g. Right to Information) data subject rights will be included in the GDPR. The Right to be Forgotten and the information that should be provided when personal data is collected from the data subject are explained in a little more detail below.

  • Information to be provided on collection – businesses need to make sure individuals understand who the controller is that is collecting their personal data and the purposes for which they are processing it.  Organisations’ privacy policies will need to be updated in line with the requirements of the GDPR. The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR.
  • Right to Erasure (“Right to be Forgotten”) – Since the decision of the European Court of Justice in Google Spain [1] it has been accepted that individuals have a right to request that Internet search engines remove, from the list of results displayed following a search made on the basis of a person’s name, links to web pages that are published by third parties and contain information relating to that person, where such processing of personal data is incompatible with Directive 95/46/EC. A Right to Erasure (“right to be forgotten”) has now been set out clearly in the GDPR, which will allow individuals a qualified right to request that their data be erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected). Where relevant, businesses will have an obligation to erase the relevant personal data they hold concerning that individual without undue delay.


2. Data Protection Officer (DPO) 

In certain circumstances, businesses are required to appoint a DPO to enable them to comply with their accountability obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance with the GDPR.


3. Obligations on data processors

Under the Data Protection Act 1998 the statutory obligations fall on data controllers only. Under the GDPR, however, data processors will also have obligations; for example, the processor will have a responsibility for implementing appropriate technical and organisational measures for the security of personal data during its processing activities.

4. Data Protection Impact Assessment

Businesses will need to carry out a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.

5. Data breach notification

The current Data Protection Act contains no obligation to notify the ICO or the individuals concerned in the event of a personal data breach, although the ICO's guidance sets out where it would be good practice to do so. The GDPR includes a requirement for controllers to report a personal data breach to their data protection supervisory authority (the ICO in the UK) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller will also need to communicate the breach to the individual without undue delay.

What is the impact of the new EU GDPR if businesses get it wrong?

Under the Data Protection Act 1998, the power of the UK Information Commissioner to impose a monetary penalty is capped at a maximum of £500K. Under the GDPR, however, the administrative fine that a data protection supervisory authority may impose will be increased significantly, in a stepped fining regime, with a maximum fine of up to €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for specified infringements.

Individuals will also have the right under the GDPR to bring a claim for damage suffered as a result of an infringement of the GDPR.

The GDPR is due to enter into force on the 24th May 2016. Businesses will then have two years to implement changes to ensure compliance; however, a forward-thinking business would start to think about implementation requirements now, so as not to risk falling behind. Click here for a checklist on ‘how to comply’.

Or for more information, download the GDPR report, in partnership with Data IQ, to identify its impact on marketers and consumers.

[1] Case C-131/12 Google Spain SL & Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014).

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.