What does this mean for your business?

Data Protection reform package approved

What does this mean for your business?

What does this mean for your business?


The General Data Protection Regulation (GDPR) deals with rights, obligations and potential penalties in relation to data protection. The aim is to gain a common set of data protection rules across the EU but member states will still be able to legislate directly in some areas, one being in relation to employment.

Whilst the Regulations have been approved by the European Union we must now await publication and there will now be a period before it becomes binding but it is expected that the Regulations will need to be implemented by all businesses by the summer of 2018. The European Commission believes it will save business EUR2.3 billion a year but some commentators have challenged this figure suggesting that compliance will increase burden on businesses rather than save them money.


There will be a tougher penalty regime with the maximum penalty for non-compliance EUR20 Million or, if it would be higher, 4% of an undertaking’s worldwide turnover. The current maximum penalty in the UK is £500,000. This change is likely to mean that businesses will need to place more focus on compliance.

Employment data

The general approach will be similar to that currently required under the Data Protection Act 1998 but there will be greater focus on data protection and compliance with requirement for more granularity, legal processing and extended rights for data subjects. Which in turn is likely to require more extensive information being provided by businesses to employees and the need for clear policies and procedures. It appears unlikely that it will be acceptable for consent to processing to be given in an employment contract, a stance that many employers currently adopt.

The Regulations set out stricter and more detailed conditions for use of consent which must be freely given, specific, informed and unambiguous, shown by either a statement or a clear affirmative action which signifies agreement to processing. Consent must also be ‘explicit’ for sensitive date. As the data controller you will need to be able to demonstrate that consent was given.

Next steps

Whilst 2018 may seem a long way off, it would be advisable to start reviewing your processes and procedures now as many of the obligations are likely to take time to integrate into your current practices and procedures.

Things you could be doing to prepare are:

  1. Put in places clear policies and procedures;
  2. Establish a framework for accountability;
  3. Embrace privacy by design;
  4. Analyse the legal basis on which you use personal data;
  5. Check your privacy notice and policies;
  6. Be prepared to deal with data subject requests;
  7. If you are a supplier consider whether you have any new obligations as a processor;
  8. For cross-border transfers ensure you have a legitimate basis for transferring

There could of course be one further issue – the UK could leave the European Union after the referendum, this then raises the question of how UK businesses will be affected by these changes, if at all!

  • Author
  • Knowledge
  • News & Events
Louise Brenlund profile
Louise Brenlund Associate

T: 01622 776405

Email Louise Brenlund