General Data Protection Regulation (GDPR)

What is GDPR?

The General Data Protection Regulation (GDPR) will replace the existing Data Protection Act in May 2018. It is the first major review of data protection for 20 years. GDPR extends the rights and freedoms of data subjects and places far more responsibility on organisations to process data fairly, accurately and securely.

Penalties for non-compliance have been increased from a maximum of £500,000 to a potential £20m.

How is it implemented?

Organisations can recruit a professional privacy expert, train an existing member of staff or use a compliance consultancy to implement the rules, procedures and guidelines of a privacy policy. Considerable savings can be achieved by using the consultancy option, along with continuous monitoring without the worry of holiday and sick cover. This is important because if there is a data breach it must be reported to the Information Commissioner’s Office (ICO) within 72 hours.

Training all staff in data protection awareness is part of compliance too. In addition to this an organisation will need to appoint a Data Controller, mainly in the form of a Data Protection Officer. GDPR recommends that organisations should adopt ‘Data Protection by Design’ and this means identifying other people to become Information Asset Owners (IAO) and a board member to become the Senior Information Rights Owner or SIRO. These are recommendations but adoption of such a structure plays an important part in demonstrating compliance.

Contact us
  • This field is for validation purposes and should be left unchanged.

Mark Burnett

Head of Privacy and Data Protection

+44 (0)208 088 4923


Email:
Mark Burnett

Neil Finlayson

Partner - Head of Not for Profit

+44 (0)20 7566 3761


Email:
Neil Finlayson

Nick Brooks

Partner

+44 (0)20 7566 4000


Email:
Nick Brooks

Jon Sutcliffe

Partner

+44 (0)20 7566 4000


Email:
Jon Sutcliffe