
Government reforms (1): Data protection – changing times…

What do we already know?

Since 1998 when the Data Protection Act (DPA) was first introduced, organisations have been required to put systems in place to ensure the protection of personal data. The DPA was implemented as a consequence of EU law, namely the EU Data Protection Directive.

What’s new?

The European Parliament has this month voted in favour of a new General Data Protection Regulation (GDPR), which will replace the current EU Data Protection Directive and national data protection legislation. The new legislation will apply directly to organisations in the EU without the need for implementation via national laws.

This is an important change and the GDPR aims to form a new, more prescriptive, data protection landscape in Europe with a unified, consistent approach. There will be stricter requirements and higher fines, greater restrictions on staff data-processing overall and less flexibility for employers when it comes to compliance.

To help you understand and prepare for this important reform, we set out FAQs below:

Who will the GDPR apply to?

All organisations in the EU, both public and private, which collect and keep data about people i.e. ‘data controllers’.

In addition, it will apply to organisations based outside the EU where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of EU individuals’ behaviour.

This means that the GDPR will apply to virtually all businesses serving or targeting individuals in the EU market. This is wider in scope than current data protection laws.

What date do we need to comply by?

Organisations are likely to need to comply by Spring/Summer 2018.

The exact timing depends on when the GDPR is published in the Official Journal of the EU – expected in the next couple of weeks. There is then a two-year transition period from date of publication before the GDPR becomes effective.

What are the main changes?

The most important changes for UK employers, with a focus on those most likely to comprise HR responsibilities, include:

What should we do now?

The revised rules will not apply until the summer of 2018. Although a good way off yet, the new rules have wide-ranging implications and early forward planning and preparation is advised.

The Information Commissioner’s Office (ICO) has published a helpful and user-friendly 12-step checklist, available here, for organisations on preparing for the GDPR. We recommend watching the ICO website for any further guidance on how to prepare for the changes.

We also set out our own practical preparation steps below:

Please note that this is a brief summary of a complex piece of legislation. There are many further aspects which will apply in certain contexts. These include rules on transfers outside the EU and a duty to carry out data protection impact assessments.

Given the complexity and extent of these changes there will, no doubt, be further information and more detailed guidance to come. So watch this space….

In the meantime, please do not hesitate to contact Luke Menzies on 0117 325 0526 or any other member of the team for advice and practical guidance on how to prepare for these changes.
