

Data Protection


The European Union enacted on 6 April 2016 a major reform of data protection legislation by adopting the General Data Protection Regulation (GDPR), which replaced the former Directive of 1995, Directive 95/46/EC. The GDPR will have direct effect from 25 May 2018 in all EU member states.

In the United Kingdom, the GDPR will therefore supersede the UK legislation, in particular the Data Protection Act 1998 (DPA). Although the terms of withdrawal of the UK from the EU are not finally settled as at the time of writing, it is likely that the provisions of the GDPR will continue to apply in the UK during the Brexit transition period and beyond.

According to the European Commission [Communication from the Commission to the European Parliament and the Council Stronger protection, Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018], the Regulation did not substantially change the core concepts and principles of the data protection legislation put in place back in 1995. This should mean that the vast majority of controllers and processors, provided that they are already in compliance with the existing EU data protection laws, will not need to make major changes to their data processing operations to comply with the Regulation.

The Regulation impacts most on operators whose core business is data processing and/or dealing with sensitive data. It also impacts on those that regularly and systematically monitor individuals on a large scale. These operators will most probably have to appoint a data protection officer, conduct a data protection impact assessment and notify data breaches if there is a risk to the rights and freedoms of individuals. Operators, in particular SMEs, which do not engage in high risk processing as their core activity will normally not be subject to these specific obligations of the Regulation.

What do businesses have to do to comply with the GDPR?

There are obligations on both 'Controllers' and 'Processors' of personal data. Businesses need to undertake thorough reviews of their use of personal data and to clearly identify which data they hold, for what purpose and on what legal basis. They should also assess the contracts in place, in particular those between controllers and processors, the avenues for international transfers and the overall governance (what IT and organisational measures to have in place), including the appointment of a Data Protection Officer.

The Information Commissioner's Office has General Data Protection Regulation (GDPR) FAQs for small organisations.

What are the main changes introduced by the GDPR compared with the Data Protection Act?

* One single set of rules

There is one single set of rules for citizens and businesses throughout the EU, ending the situation where EU Member States have implemented the 1995 Directive’s rules differently.

One level playing field will apply for all companies operating in the EU market, whereby businesses based outside the EU must apply the same rules as those based in the EU if they are offering goods and services related to the personal data or are monitoring the behaviour of individuals in the Union.

See: Article 2 GDPR

* Stronger individuals’ rights

Consent to processing: when data processing is based on consent, the data controller shall be able to demonstrate that the individual to whom the data relates (data subject) has consented to processing of his or her personal data. ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her [Article 4(11) GDPR].

Comment: reliance on ticking of an opt-out box or consent to terms and conditions covering matters in addition to data processing will not be sufficient.

Right to withdraw: the data subject has the right to withdraw consent at any time and withdrawal of consent must be as easy as giving it. The data subject must be informed of this right before giving consent.

See: Article 7 GDPR

Children under 16: in relation to the offer of information society services* directly to a child below the age of 16 years, consent to processing must be given by the holder of parental responsibility over the child.

* i.e., any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services [see: article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council]

See: Article 8 GDPR

Other specific rights of data subjects include:

* Right of access;

* Right to rectification;

* Right to erasure ('right to be forgotten');

* Right to restriction of processing;

* Right to portability of data;

* Right to object to certain types of processing and to automated decision-making

* Greater enforcement and fines

The Regulation gives all data protection authorities in the EU the power to impose fines on controllers and processors (currently not all of them have such powers). Administrative fines may be imposed up to EUR 20 million or, in the case of a business undertaking, 4% of the worldwide annual turnover.

Stronger protection against data breaches: in the event of a “personal data breach”, an organisation will be required to notify the supervisory authority at the latest within 72 hours when the data breach is likely to pose a risk to the individual’s rights and freedoms. In certain circumstances, the organisation is also obliged to inform the person whose data is affected by the breach.


[Page updated: 15/04/2018]

