What businesses need to know about the new GDPR

Aug 1, 2017
Author: Paul Wormald
Paul is a partner at our Doncaster office. Paul specialises in advising small businesses and businesses in the transport & logistics sector. Paul also specialises in providing cloud accounting services to our clients.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is set to come into force from May 2018.

It will replace the current Data Protection Act and is the biggest overhaul of data protection legislation for over 25 years. GDPR will change the way organisations process personal data and regardless of what happens during the Brexit negotiations, it has been made clear that businesses will have to comply with the new rules – this means it is likely we will adopt most if not all of GDPR as domestic legislation.

Businesses must ensure they are up to date with the new legislation to make sure they are fulfilling their legal responsibilities. In this article, we take a look at some of the things you can do to make sure you are prepared.

Personal Data

Technology has moved on since 1998, when the current Data Protection Act was enacted, and whilst the definition of Personal Data is generally the same as in that Act, there are changes to add matters such as online identities and location data. The general concept remains the same though: Personal Data is any information which identifies an individual.


Usually, under the soon-to-be old rules, simply saying “click here to read our privacy policy” would be perfectly acceptable. However, under GDPR this is no longer the case. GDPR states that you must clearly explain why you are collecting personal data and how exactly you intend to use it.

Furthermore, if you plan on selling any of the data on to third-party organisations, you must get explicit consent. In order for the consent to be valid, it will need to be freely given, informed, specific and an unambiguous indication through a statement or clear affirmative action, i.e. ticking a box.

Opt ins and opt outs

With GDPR, it is essential that a business complies with a set of lawful conditions to process data for direct marketing purposes.

It should be noted that organisations do not need consent for all forms of marketing. Businesses are allowed to make contact for direct marketing purposes by post, or via calls to numbers that are not registered with the Telephone Preference Service, as long as the organisation can satisfy the legitimate interest condition.

While giving people the opportunity to opt out is acceptable, it does not mean a business has consent; such processing will rely on legitimate interest only. Businesses must ensure that they get this right.

Managing data

People can request the removal of data under GDPR, dubbed the “right to be forgotten”. This could be for a number of reasons, such as the individual no longer wanting the business to hold the information, or the data no longer being needed for the purpose for which it was initially collected. Data must be kept up to date and accurate, so businesses should review how they store data to ensure it is not held for longer than is necessary.

User access

One of the key points of GDPR is giving people the opportunity to see what data a business holds about them. Individuals are able to make information requests to view the data and to learn what the business intends to do with it.

Data breaches

The fines for organisations that are subject to a data breach have been increased by the Information Commissioner's Office (ICO), and there is a new duty for organisations to report data breaches should they occur. Businesses must ensure they have the correct procedures in place to detect, report and investigate a data breach. When a breach does occur, it must be notified to the ICO within 72 hours of the organisation becoming aware of it. It is worth staying up to date with information from the ICO to keep on top of developments.

Actions required

  1. Review the requirements as they apply to your organisation. Carry out a gap analysis to identify where the business falls short of the requirements.
  2. Consider appointing a director or staff member to be responsible for compliance with the new regulations.
  3. Regulation and compliance will almost certainly involve additional costs. Budget appropriately for these.
  4. Develop policies and systems to collect, process and protect personal data and to identify and report potential breaches.
  5. Train staff to make sure that they are aware of the requirements of the regulations as they apply to their everyday tasks.
  6. Review arrangements with third party data processors (e.g. payroll providers and HR providers) to ensure that they remain compliant also.

If anything in this article is of interest to you, or concerns you in any way, please get in touch with our advisors here.

Paul Wormald is a partner at Hawsons, working in the Doncaster office. He worked previously with two national firms of Chartered Accountants prior to joining Hawsons in 2001. For more information or advice on anything covered in this article, please contact Paul on pw@hawsons.co.uk or 01302 367 262.