Data Protection and Privacy

You will know that if you handle personal information about individuals, for example information on your employees, customer or supplier lists, or perhaps information on potential target clients, you have obligations to protect that information under the Data Protection Act (DPA).

You will also know that if you send electronic marketing messages (by phone, fax, email or text), use cookies, or provide internet or telecoms services to the public you must comply with the Privacy and Electronic Communications Regulations (PECR).

However, the law relating to data protection and privacy is being overhauled to keep pace with evolving technology. New laws will be introduced in May 2018.

The ICO is advising organisations not to leave compliance until the last minute.

1. Timing

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, and the government has confirmed that the UK’s decision to leave the EU will not affect its commencement.

There will be questions about how the GDPR will apply in the UK on leaving the EU, but the message from government is that the UK will retain GDPR standards.

Implementing the GDPR is likely to have significant organisational implications, and the 25 May 2018 deadline is fast approaching. Procedural and system changes are likely to be needed for many organisations, and compliance will be difficult or impossible if preparations are left until the last minute.

When questioned about grace periods after May 2018, the ICO’s Interim Deputy Commissioner Steve Wood said:

“Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”

“If we come knocking on the door, if we investigate or conduct an audit in an organisation, the best way you can demonstrate to us that we won’t need to delve deeper and you’ve got covered all the compliance issues is to have a comprehensive accountability program.”

2. Does it matter?

The GDPR introduces new, stringent enforcement provisions with fines of up to €20 million or 4% of total worldwide annual group turnover for the preceding financial year, whichever is higher (currently the maximum fine in the UK is £500,000). There are also wider investigative powers, including a power to carry out audits, and judicial remedies, including compensation from data controllers and processors.

Non-compliance with data protection law will not be regarded as a low-risk issue.

3. We can help with:

Information audits

Review of controller and processor agreements

Data Protection Policy

Privacy notices

Audit trail

Legal basis for processing

Consent mechanisms

Data Protection Impact Assessments

Profiling

Breach notification and templates