JPP Law Blog
General Data Protection Regulation: Guide for businesses (Part 1)
Part 2 can be found at: GDPR - A guide for Business (Part 2)
The General Data Protection Regulation (GDPR) applies in the UK from 25 May 2018 and will be unaffected by our decision to leave the EU. The regulation strengthens the rights of individuals to control the way in which their personal information is used and increases the obligations on businesses to ensure that any personal data they collect is handled fairly and transparently. If you have not already familiarised yourself with the provisions of the GDPR and audited your business to ensure compliance, you need to do this now, before the new requirements come into force.
In the first of a two-part series of articles looking at GDPR we provide an overview of the key requirements. In the second article we'll explain the steps you should take to prepare for them.
Key rights for individuals
Individuals will have the right to:
- be informed that their personal information is being used;
- be provided with access to that information, if they request it and usually without the payment of a fee;
- ask for inaccurate information to be rectified;
- ask for the erasure of information that is no longer needed or which they no longer consent to being used;
- ask for the use of their personal information to be restricted, if appropriate;
- obtain the information they have provided to a business in a commonly used, machine-readable format and reuse it for their own purposes, for example by moving it to another service provider (the right to data portability); and
- object to certain decisions about them being made by an automated process rather than human review.
Some of these rights are similar to those already enjoyed under the Data Protection Act, but some are very different, including the enhanced right to have information erased, known as the 'right to be forgotten':
'The right to be forgotten exists where there is no compelling reason for personal information about an individual continuing to be held and used, for example where it is no longer needed for the purpose for which it was collected or where use of the information was only permissible because of the individual's consent and this has since been withdrawn. However, it is not an absolute right which means that where, for instance, there is a legal obligation to continue to use the information or where the information is needed for the bringing or defending of a legal claim, a request for erasure can be refused.'
Where someone asks for erasure and you determine that the request should be respected, you will need to ensure that the erasure actually takes place. You will also have to notify any third party with whom you have shared the information so that they can take steps to erase it as well.
Key obligations for businesses
Businesses will have to:
- ensure that they have a lawful basis for collecting and using personal information, such as consent from the individual concerned or a contractual requirement;
- provide more information about the collection and processing of personal information upfront and in a more transparent and easily accessible way;
- maintain records of all the personal information they hold and how it is collected, stored and used (although this obligation does not apply to businesses employing fewer than 250 people unless they undertake what is classed as higher-risk processing, for example processing information about criminal convictions and offences, or processing which is likely to put the rights and freedoms of individuals at risk);
- appoint a Data Protection Officer in certain circumstances;
- respond to requests from individuals, such as requests for access or rectification, within one month, extendable by a further two months where a request is particularly complex or a number of requests are received;
- inform third parties who have received personal data where the data in question needs to be restricted or erased;
- immediately stop using personal information for direct marketing where a request for this is made;
- comply with stricter requirements where personal information is held about children; and
- notify the supervisory authority (in the UK, the Information Commissioner's Office) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; and, where the breach is likely to result in a high risk to the rights and freedoms of individuals - for example, by exposing them to the possibility of financial loss, loss of confidentiality, damage to their reputation or risk of discrimination or social disadvantage - you must also notify the affected individuals.
Again, some of these obligations already exist under the Data Protection Act, but the requirements have been widened and strengthened. For example, if you are relying on the consent of an individual for the collection and use of their personal data, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. You cannot rely on pre-ticked or opt-out boxes, or on silence or inactivity. You also need to ensure that, where consent is given, it is as easy to withdraw as it was to give.
The definition of personal data has been broadened to include online identifiers, such as an IP address, and pseudonymised data - that is, data that has been altered to make it less obvious who it relates to, but from which it is still possible to determine who the individual is, typically because the business (or someone it has shared data with) holds the additional information needed to make the link. For example, if you use a system which identifies individuals by a reference number made up of random letters and numbers rather than the individual's name, this will still be personal data if it is possible to link the reference number back to the particular individual concerned.
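To make the pseudonymisation point concrete, here is an added illustration in Python; it is not code from the original article or from JPP Law. The records, email addresses and key are constructed sample values, and the function names are chosen for the example. It shows that a random reference number is only a pseudonym for as long as the lookup table (or, in the keyed-hash variant, the secret key) exists somewhere, and that honouring an erasure request means destroying that link, not just the name field:

```python
import hmac
import hashlib
import secrets

# Constructed sample dataset (not real people): the clear records a business holds.
CUSTOMERS = [
    {"name": "A. Example", "email": "a.example@example.com", "orders": 3},
    {"name": "B. Sample", "email": "b.sample@example.com", "orders": 1},
]


def pseudonymise(records, table):
    """Replace direct identifiers with a random reference number.

    `table` is the separately held mapping reference -> identity. While it
    exists, the returned records remain personal data under the GDPR,
    because anyone holding the table can link a reference back to a person.
    """
    out = []
    for rec in records:
        ref = "REF-" + secrets.token_hex(4).upper()  # e.g. REF-3FA91C07
        table[ref] = {"name": rec["name"], "email": rec["email"]}
        out.append({"ref": ref, "orders": rec["orders"]})
    return out


def reidentify(pseudonymised_record, table):
    """Return the identity behind a reference, or None if no link remains."""
    return table.get(pseudonymised_record["ref"])


def is_personal_data(pseudonymised_record, table):
    """The record is still personal data if it can be linked to a person."""
    return reidentify(pseudonymised_record, table) is not None


def erase(email, table):
    """Honour an erasure request by removing every mapping for that person.

    Returns the references removed so the same erasure can be passed on to
    any third party that received the mapping.
    """
    removed = [ref for ref, who in table.items() if who["email"] == email]
    for ref in removed:
        del table[ref]
    return removed


def keyed_pseudonym(email, key):
    """Deterministic pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' here: no table is needed, but
    whoever holds the key can re-link the pseudonym as shown below.
    """
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def link_by_recomputation(pseudonym, candidate_emails, key):
    """Re-identify a keyed pseudonym by recomputing it for known candidates.

    This is why a 'hashed' identifier is pseudonymised, not anonymised: with
    the key and a list of plausible inputs the link is trivially restored.
    """
    for email in candidate_emails:
        if hmac.compare_digest(keyed_pseudonym(email, key), pseudonym):
            return email
    return None


if __name__ == "__main__":
    lookup = {}
    shared = pseudonymise(CUSTOMERS, lookup)
    print("linkable before erasure:", [is_personal_data(r, lookup) for r in shared])
    print("erased refs:", erase("a.example@example.com", lookup))
    print("linkable after erasure: ", [is_personal_data(r, lookup) for r in shared])

    key = secrets.token_bytes(32)  # constructed secret for the example
    p = keyed_pseudonym("b.sample@example.com", key)
    print("re-linked keyed pseudonym:", link_by_recomputation(p, ["a.example@example.com", "b.sample@example.com"], key))
```

Two practical points follow from this. First, deleting a mapping entry only severs the link if no other copy of the table or key exists, including copies held by third parties you have shared data with, which is why the notification obligation matters. Second, a record with the mapping removed may still be identifiable if the remaining fields (order history, location, dates) single the person out, so "no longer linkable" has to be judged on the whole record, not only on the reference number.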
Businesses will have to be able to demonstrate compliance with the GDPR requirements or face the possibility of a fine of up to 20 million euros or four per cent of annual worldwide turnover, whichever is higher.
For a confidential discussion about GDPR, or any other corporate or commercial needs, please contact Mark Glenister on (0)20 3468 3064 or by email to info@jpplaw.co.uk