
GDPR – The new data privacy law: What you need to know and how we can help

David Farquharson

Several of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation which comes into force on 25th May 2018. The answer is a resounding yes! We’ve already helped numerous clients with this over the last few months and have developed a simple step-by-step approach.

Here’s a whistle-stop tour of GDPR and what you need to know:

What is GDPR?

GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces tougher fines for non-compliance and gives people more say on what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

But what about Brexit?

GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.

What are the main things that are going to change?

Your organisation will likely need to change how it collects, manages and administers data. Moving forward:

  • You need to give a clear reason for collecting data.
  • You must have positive consent from an individual that shows they are happy to receive future communications.
  • GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care.
  • People have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”.

What is the penalty if we fail to comply?

Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).

What recommended actions should we take?

  • Even though it’s not a legal requirement, it would be a good idea to appoint an expert or a dedicated Data Protection Officer. They can work with departments within the organisation and advise on all matters relating to Data Protection law.
  • Set up clear data use and data breach policies, such as “Find out what information we hold on you” and “Remove all information about me” sections in your privacy policy to give people clear information.
  • Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts.

What can I do now to prepare for GDPR?

  • The first thing is not to panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process, but through good planning, structure and teamwork, you’ll be fine.

What can Ignition Law do to help?

We’ve developed a simple 3-step approach which covers everything you need to know to ensure you comply with the new legislation. This covers:

  1. Educating you and your colleagues – coming in to your offices to provide you with a short, informed talk on GDPR and how it will apply to you and your business. A whole organisation approach is helpful (where all employees know the basics) and this talk will help to do that.
  2. Auditing your data – either by providing you with a questionnaire to complete or coming in and holding interviews to determine exactly how you use data as a business.
  3. On the basis of the above, putting together data use and data breach policies for the whole organisation (including how to respond to any Subject Access Requests and any new requests to delete data held under the new GDPR ‘right to be forgotten’).

We hope this article has helped you understand the basics of GDPR and the changes that are afoot. If you’d like to talk to us about how you can be fully prepared for GDPR then do get in touch with or
