Brexit and the new EU GDPR rules

Nov 2, 2016
Author: Hawsons
GDPR rules

The final text of the new EU General Data Protection Regulation (GDPR) was released in April 2016. Since this deals with the handling of personal data it is likely to apply to almost every law firm as you will hold personal information regarding your clients and staff as part of your everyday work. Whilst we are told  ‘Brexit means Brexit’, it is highly likely that the UK will still apply the GDPR rules.

The new EU GDPR rules & Brexit – a brief summary

The new EU GDPR rules have been put forward to make Europe fit for the digital age, and for the UK are an update to the Data Protection Act. The EU GDPR rules will apply to all entities, regardless of where in the world they are located, which hold or use the personal data of an EU citizen.

The new EU GDPR rules come into law on 25th May 2018 and whilst it might be tempting to say the UK will not have to apply them, the likelihood is that we will. Irrespective of the form of Brexit the UK takes, the UK is likely to adopt the EU rules as the other alternative is to adopt UNECE rules (covering Europe, North America and Asia) which are very similar.

Irrespective of EU GDPR, the Law Society and other regulators it is just good business sense to take steps to protect the data of your clients and staff, above all your firm’s reputation is at stake. Ideally, you should start to take action now to review current business procedures and implement appropriate measures ready for the new regime.

The rules bring radical changes to how organisations process personal data, giving greater protection to the public and greater powers to authorities to take action against companies that breach the rules. One of the most important changes EU GDPR stipulates is regarding the mandatory reporting of breaches.

Unlike the Data Protection Act, EU GDPR rules apply to a data processor in exactly the same way as a data owner and law firms cannot exclude themselves from responsibility or liability.

Data breaches will now be far more expensive than ever before, and where there is a breach and a failure to comply with the new regulations there will be fines of up to the greater of €20m and 4% of annual global revenue.

12 things you should be doing now to prepare for EU GDPR

The Information Commissioner’s Office (ICO) has released a 12 step plan to help companies prepare for EU GDPR.

It is important you begin to prepare for the new EU GDPR rules before the regulation comes into law on 25th May 2018.

You need to determine your risks and take the necessary measures before the new GDPR rules come into force. This is a process that could easily take two years.

Here are 12 things the ICO recommends you should be doing now:

  1. Appoint a data protection officer
  2. Raise staff awareness of the new EU GDPR rules
  3. Implement procedures to detect, report and investigate data breaches
  4. Audit the information you hold (including its source and use)
  5. Review privacy information and implement appropriate changes
  6. Consider individual’s rights (including the right to be forgotten)
  7. Update subject access request procedures
  8. Establish and document your legal basis for processing data
  9. Review consent mechanisms and implement appropriate changes
  10. Incorporate data protection by design and privacy impact assessments
  11. Update procedures for processing data about children
  12. Determine the data protection authority for international organisations

As you can see, for a number of organisations there will be a lot of work to do and less than two years to get everything in order. Failing to do so could result in considerable fines and loss of reputation.

How we can help you

Our data protection experts have a great deal of experience in this area, working closely with businesses to implement information security management systems. If you are looking for help in this area, please get in touch with Charles Kavazy, Director of IT Services at Hawsons, on 0114 266 7141.

About this Author

Simon Bladen, Partner

Simon Bladen is the partner responsible for looking after the firm’s legal clients and has worked at Hawsons throughout his career. For more information or advice on anything covered in this article, please contact Simon on or 0114 226 7141.[/author_info]

Charles Kavazy

Charles Kavazy

Charles Kavazy heads up the firm’s IT services providing independent IT advice helping businesses with data security. He also helps businesses purchase, implement and get the most out of their software and hardware. For more information or advice on anything covered in this article, please contact Charles on or 0114 266 7141.[/author_info]

Free initial meeting

Solicitor Newsletter Sign-Up