The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 both here in the UK and across the EU. The GDPR builds on the previous legislation: but provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data. And it puts an onus on businesses to change their entire ethos to data protection. The message about GDPR is continuity and change.

The GDPR will include new obligations for organisations. Businesses will have to report data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected. They’ll have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent. And finally the GDPR will increase regulatory powers.


But arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. 

Consumers feel a loss of control

People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped. That sense of loss of control impacts their trust in businesses. The last ICO survey found 75 per cent of adults in the UK don’t trust businesses with their personal data.

A pretty big stick 

For the most serious violations of the law, the ICO will have the power to impose fines of up to €20 million or 4% of  turnover. And the ICO’s enforcement powers aren’t just for ‘typical’ data breaches, like laptops left on trains or information left open to a cyber attack. The GDPR gives regulators the power to enforce in the context of accountability eg data protection by design, failure to conduct a data protection impact assessment and documentation. In other words, if a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.