GDPR – the main changes

You may have heard about GDPR, the new EU privacy regime.  You may also have heard that it won’t apply until sometime next year.   And even when it does, the UK is about to leave the EU so probably nothing to get too worried about…


Here are the facts:

  • The General Data Protection Regulation (GDPR) is an EU Regulation (rather than an EU Directive). As such it will automatically apply to the UK with effect from 25th May 2018 when the UK will still be part of the EU.
  • Even post-Brexit, it is almost inconceivable that the GDPR will not be retained, assuming that the UK proposes to continue trading with the EU that is.
  • The GDPR contains some onerous obligations which will have a significant impact on some, and affect virtually all, businesses. Given the changes that may need to be made to systems and processes the next 12 months are likely to pass by very quickly.


This note deals with the main changes introduced by the GDPR, those that are likely to apply to most businesses which supply goods or services in the EU.  It does not deal with the additional obligations which apply to public authorities, or to entities whose core activities involve regular and systematic monitoring of data subjects, to large-scale processing of special categories of data, or to businesses located outside the EU.


Data processors: Unlike the current data protection regime which allocates virtually all responsibility on data controllers, the GDPR imposes direct obligations on data processors, including:

  • If the organisation has 250 or more employees, maintaining a written record of processing activities carried out on behalf of each data controller.
  • Implementing technical and organisational measures, as well as appropriate security measures.
  • Notifying the data controller of personal data breaches without undue delay.
  • Obtaining the consent of the data controller for the sub-contracting of any data processing (sub-processing).
  • Complying with obligations on cross border transfers, including binding corporate rules (BCRs).


Data subject consent: The GDPR confirms that in order to be valid a data subject’s consent must be a “freely given, specific, informed and unambiguous”.  It follows that consent is not freely given if the data subject has no genuine and free choice, and the data subject must be able to withdraw that consent at any time.  Relying on pre-ticked boxes or the data subject’s inactivity to obtain consent are not effective options.


Data subject rights: The GDPR significantly bolsters the rights of individual data subjects, which now include:

  • The right to require information about data being processed about themselves.
  • Access to the data in certain circumstances.
  • The right to require incorrect data to be corrected.
  • The right to restrict certain processing.
  • The right to object to their personal data being processed for direct marketing purposes.
  • The right to receive back their personal data in a structured, commonly used and machine-readable format which allows the data to be transferred to another organisation “without hindrance” (“data portability”).
  • The right to require the data controller to erase their personal data without undue delay in certain situations (the “right to be forgotten” or “right of erasure”), such as where they withdraw consent and there are no legitimate grounds for retaining the data.

Data controllers must respond to requests for information within a month (unless particularly complex), and the information must be provided free of charge unless the request is “manifestly unfounded or excessive”.


Privacy notices: As is already the case, data controllers must provide transparent information to data subjects at the time that the personal data is obtained.  But existing privacy policies and privacy notices should be reviewed and updated to comply with the more detailed requirements in the GDPR, including:

  • The effectiveness of the data subject’s consent (see point 2).
  • The rights of data subjects (see point 3).
  • The period for which the data will be stored.

Privacy policies need to be “written in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.


Privacy by design: GDPR requires businesses to take privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained.


Data breach notifications: Data controllers must notify data breaches to their Data Protection Authority (DPA), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.  This must be done without undue delay and, where feasible, within 72 hours of the data controller becoming aware.  The data controller must also notify the affected data subjects without undue delay, unless the breach is unlikely to result in a “high risk” to their rights and freedoms.


Fines:  The relevant DPA will be able to impose fines, in the case of serious breaches (eg requirements relating to international transfers or the basic principles for processing, such as conditions for consent) of up to the higher of 4% of annual worldwide turnover and EUR20 million.  For less serious breaches, fines can be imposed of up to the higher of 2% of annual worldwide turnover and EUR10 million