
GDPR – The new data privacy law: What you need to know and how we can help

David Farquharson

Several of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation which comes into force on 25th May 2018. The answer is a resounding yes! We’ve already helped numerous clients with this over the last few months and have developed a simple step by step approach.

Here’s a whistle stop tour of GDPR and what you need to know:

What is GDPR?

GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces tougher fines for non-compliance and gives people more say on what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.

But what about Brexit?

GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.

What are the main things that are going to change?

Your organisation will likely need to change how it collects, manages and administers data. Moving forward:

  • You need to give a clear reason for collecting data.
  • You must have positive consent from an individual that shows they are happy to receive future communications.
  • GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care.
  • People have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”.

What is the penalty if we fail to comply?

Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).

What recommended actions should we take?

  • Even though it’s not a legal requirement, it would be a good idea to appoint an expert or a dedicated Data Protection Officer. They can work with departments within the organisation and advise on all matters relating to Data Protection law.
  • Set up clear data use and data breach policies, such as “Find out what information we hold on you” and “Remove all information about me” sections in your privacy policy to give people clear information.
  • Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts.

What can I do now to prepare for GDPR?

  • The first thing is not to panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process, but through good planning, structure and teamwork, you’ll be fine.

What can Ignition Law do to help?

We’ve developed a simple 3 step approach which covers everything you need to know to ensure you comply with the new legislation. This covers:

  1. Educating you and your colleagues - coming in to your offices to provide you with a short, informed talk on GDPR and how it will apply to you and your business. A whole organisation approach is helpful (where all employees know the basics) and this talk will help to do that.
  2. Auditing your data – either by providing you with a questionnaire to complete or coming in and holding interviews to determine exactly how you use data as a business.
  3. On the basis of the above, putting together data use and data breach policies for the whole organisation (including how to respond to any Subject Access Requests and any new requests to delete data held under the new GDPR ‘right to be forgotten’).

We hope this article has helped you understand the basics of GDPR and the changes that are afoot. If you’d like to talk to us about how you can be fully prepared for GDPR then do get in touch with or
