Machins Solicitors LLP
Leading Solicitors in Bedfordshire, Hertfordshire & Buckinghamshire
  • Luton: 01582 514000
  • Berkhamsted: 01442 872311

The General Data Protection Regulation: What do you need to do to prepare?

Posted: 22nd November 2017   In: Corporate Commercial

The EU General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. The GDPR adopts a wider definition of personal data than the Data Protection Act. It covers organisations in the public, private and non-profit sectors throughout the EU, and also reaches organisations established outside the EU where they offer goods or services to individuals in the EU or monitor their behaviour, so a business does not escape it simply by not being based in the EU.

Does the GDPR apply to my business?

If your business processes personal data (i.e. any data relating to a living individual, the data subject, from which he or she can be identified, directly or indirectly) in connection with activities in the EU, it should take steps to comply with the GDPR. "Processing" is a broad term: it includes collecting personal data via an enquiry form on your website, using email marketing to target new customers or to communicate with existing clients, and outsourcing your payroll or pension provision to a third party. In practice, most businesses will, in some way or other, be processing personal data. Your business also needs to be able to demonstrate that it is complying with the GDPR (the regulation calls this accountability). That can only be done by having the necessary policies, procedures and training in place to show that you are taking steps to comply with the principles of the GDPR set out below.

Principles of the GDPR

Under the GDPR, personal data must be (the list below follows the familiar structure of the Data Protection Act's eight principles; the GDPR additionally makes the controller expressly responsible for demonstrating compliance with them):

  1. processed fairly, lawfully and in a transparent manner;
  2. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  4. accurate and, where necessary, kept up to date;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  6. processed in accordance with data subjects' rights;
  7. processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
  8. not transferred to a third country or to an international organisation unless the conditions the GDPR imposes on such transfers are met.

It is also worth noting some of the wider ranging changes compared to the current Data Protection Act:

What should businesses be doing now?

If you already comply with the Data Protection Act, you have a starting point for compliance with the GDPR and will be familiar with some of the language used. In terms of the practical steps you should be taking now, we suggest the following:

If you would like further advice about the issues raised in this article or any aspect of data protection law, please contact Sarah Liddiard on [email protected].

Posted by: Sarah Liddiard
Corporate Commercial
Luton Office