New data protection rules: Is your business ready?

The General Data Protection Regulation (GDPR) is coming into force across the European Union on 25 May 2018, and companies are urged to act now to ensure that they are ready to meet the new regulations.

The new rules come as part of a modernisation since the digital boom, with the rights of citizens at the heart of the reform. The right to erasure, rather than the well-known right to be forgotten, as well as the right to data portability, are among the largest elements of the changes that businesses should prepare for.

We’ve summarised the main 10 points from the new rules that you need to consider to ensure that your business is up to speed with the new rules.

  1. The GPDR will apply to British businesses as it is written (along with the other 27 countries), and is likely to remain after Brexit exactly as its written thanks to the Great Repeal Act. It also affects any company that holds data about EU citizens, so British business is likely to continue to comply with this as is written.
  2. Data “by which an individual can be identified” will not only be the responsibility of the data controller (the person who owns the data), but of any company or individual who processes the data. Meaning that cloud providers are also responsible.
  3. Users will be able to make compensation claims against data losses as a result of unlawful processing. This will have severe financial penalties with fines as high as €20m or 4% of global revenue. The current maximum fine in the UK is £500,000.
  4. Users can demand that their data be erased. Businesses will need to understand how to do this so that it is completely erased from their databases and systems before the rules come into place.
  5. Data controllers have one month to respond to access requests under the GDPR and requests cannot be chargeable. These changes are significant from rules in the UK where businesses had 40 days to respond and could charge a £10 subject access fee.
  6. Data controllers must inform and remind users of their rights, and document the fact that they have reminded them.
  7. Users should not have to opt-out of their data being used, rather opt-in to your systems. These cases will be sanctioned harsher than under the current directive.
  8. Users also have the right to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller, under the right to data portability. Data must also be given in an open source format.
  9. Data controllers must meet “reasonable expectations” of citizens in regards to data privacy. Tokenisation, encryption, and pseudo-anonymised data meets this definition according to the GPDR.
  10. Regulators must be informed of data losses within 72 hours of when they occur, unless data was encrypted or tokenised. There is, however, no timeframe in place for informing users.

In a dispute? To find out more about our commercial litigation services, call Louise Johal on 0115 988 6709, or email We also offer a range of digital marketing services, to explore how they can benefit you call Josh Henwood on 0121 374 2318 or email

Free family law consultation