Businesses have less than a year to prepare for the General Data Protection Regulation (GDPR) – the EU legislation that will be implemented in the UK, despite Brexit, to initiate what Information Commissioner, Elizabeth Denham, describes as ‘the biggest change to data protection law for a generation’.

Designed to give consumers greater control over the ways in which their personal data are gathered, stored and used, GDPR introduces massive fines based on global turnover for companies that breach requirements to comply with 8 principles set out in the Data Protection Act 1998, which it replaces.

At the same time, it offers businesses a unique opportunity to reap the rewards of engaging with their customers in the ways those customers prefer.

In addition to applying to businesses in post-Brexit Britain and across the EU, GDPR will also catch the American technology giants that remorselessly rake in personal data.

By the time GDPR comes into force on 25 May, 2018, any organisation processing personal information must – in accordance with the Data Protection Act principles – be able to demonstrate to consumers that it is:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up-to-date
  • kept for no longer than necessary
  • processed in line with their rights
  • secure
  • not transferred to other countries without adequate protection

‘Data protection self assessment toolkit’ is an interactive resource developed by the Information Commissioner’s Office to help businesses ‘get their house in order’ ready for GDPR.

‘Preparing for the General Data Protection Regulation (GDPR) : 12 steps to take now’ provides a useful checklist.


Please see our previous post