
GDPR – The new data privacy law: What you need to know and how we can help

David Farquharson

Several of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation, which comes into force on 25th May 2018. The answer is a resounding yes! We’ve already helped numerous clients with this over the last few months and have developed a simple step-by-step approach.

Here’s a whistle-stop tour of GDPR and what you need to know:

What is GDPR?

GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces tougher fines for non-compliance and gives people more say on what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

But what about Brexit?

GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.

What are the main things that are going to change?

Your organisation will likely need to change how it collects, manages and administers data. Moving forward:

  • You need to give a clear reason for collecting data.
  • You must have positive consent from an individual that shows they are happy to receive future communications.
  • GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care.
  • People have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”.

What is the penalty if we fail to comply?

Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).

What recommended actions should we take?

  • Even though it’s not a legal requirement, it would be a good idea to appoint an expert or a dedicated Data Protection Officer. They can work with departments within the organisation and advise on all matters relating to Data Protection law.
  • Set up clear data use and data breach policies, such as “Find out what information we hold on you” and “Remove all information about me” sections in your privacy policy to give people clear information.
  • Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts.

What can I do now to prepare for GDPR?

  • The first thing is not to panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process, but through good planning, structure and teamwork, you’ll be fine.

    What can Ignition Law do to help?

    We’ve developed a simple 3 step approach which covers everything you need to know to ensure you comply with the new legislation. This covers:

    1. Educating you and your colleagues - coming in to your offices to provide you with a short, informed talk on GDPR and how it will apply to you and your business. A whole organisation approach is helpful (where all employees know the basics) and this talk will help to do that.
    2. Auditing your data – either by providing you with a questionnaire to complete or coming in and holding interviews to determine exactly how you use data as a business.
    3. On the basis of the above, putting together data use and data breach policies for the whole organisation (including how to respond to any Subject Access Requests and any new requests to delete data held under the new GDPR ‘right to be forgotten’).

    We hope this article has helped you understand the basics of GDPR and the changes that are afoot. If you’d like to talk to us about how you can be fully prepared for GDPR then do get in touch with or
