
GDPR – The new data privacy law: What you need to know and how we can help

David Farquharson

Several of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation which comes into force on 25th May 2018. The answer is a resounding yes! We’ve already helped numerous clients with this over the last few months and have developed a simple step-by-step approach.

Here’s a whistle-stop tour of GDPR and what you need to know:

What is GDPR?

GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces tougher fines for non-compliance and gives people more say on what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

But what about Brexit?

GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.

What are the main things that are going to change?

Your organisation will likely need to change how it collects, manages and administers data. Moving forward:

  • You need to give a clear reason for collecting data.
  • You must have positive consent from an individual that shows they are happy to receive future communications.
  • GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care.
  • People have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”.

What is the penalty if we fail to comply?

Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).

What recommended actions should we take?

  • Even though it’s not a legal requirement, it would be a good idea to appoint an expert or a dedicated Data Protection Officer. They can work with departments within the organisation and advise on all matters relating to Data Protection law.
  • Set up clear data use and data breach policies, such as “Find out what information we hold on you” and “Remove all information about me” sections in your privacy policy to give people clear information.
  • Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts.

What can I do now to prepare for GDPR?

  • The first thing is not to panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process, but through good planning, structure and teamwork, you’ll be fine.

What can Ignition Law do to help?

We’ve developed a simple 3 step approach which covers everything you need to know to ensure you comply with the new legislation. This covers:

  1. Educating you and your colleagues - coming in to your offices to provide you with a short, informed talk on GDPR and how it will apply to you and your business. A whole organisation approach is helpful (where all employees know the basics) and this talk will help to do that.
  2. Auditing your data – either by providing you with a questionnaire to complete or coming in and holding interviews to determine exactly how you use data as a business.
  3. On the basis of the above, putting together data use and data breach policies for the whole organisation (including how to respond to any Subject Access Requests and any new requests to delete data held under the new GDPR ‘right to be forgotten’).

We hope this article has helped you understand the basics of GDPR and the changes that are afoot. If you’d like to talk to us about how you can be fully prepared for GDPR then do get in touch with or
