Keeping on the right side of new data protection laws

Big organisations already have a heads-up on the new General Data Protection Regulation (GDPR) but for SMEs the impact is unclear and often confusing.

Posted on: 29/03/2017
The application of computer technology and artificial intelligence to manage and control data in an office setting.

Never mind Brexit, UK business must comply

GDPR compliance represents the biggest shake-up in data protection legislation for decades, introducing new roles, responsibilities and, potentially, heavy fines. All businesses need to be aware of these and take action to minimise the risks involved.

The new legislation will replace the Data Protection Act and take full effect in May 2018. It will be automatically effective in all EU member states and, irrespective of Brexit, UK business must comply.

If you already comply with the Data Protection Act your approach to compliance will remain valid under the GDPR and will be a good place to start. Over the next few months the Information Commissioner’s Office (ICO) is planning new guidance and tools to assist. That said, start as early as you can by considering GDPR’s new transparency and individuals’ rights provision. Don’t worry, we’re covering this below.

The ICO has produced a helpful 12 step approach to preparing for GDPR. Here are some of the key points so that you have a better understanding of what is required:


Use GDPR’s two-year lead-in period to raise awareness and update your risk register accordingly.

Information held

Document what personal data you hold, where it came from and who you share it with. Post GDPR if you have inaccurate data and share this with another organisation you will have to tell the other organisation about the inaccuracy so it can correct its own records.

Communicating privacy information

Future privacy notices will now need to explain your legal basis for processing data, data retention period and right to complain.

Individual rights

On the whole, the rights that individuals will enjoy under GDPR are the same as those under the DPA, but with significant enhancements. The main rights for individuals under GDPR include:

  • the right to be informed

  • the right of access

  • the right to rectification

  • the right to erasure

  • the right to restrict processing

  • the right to data portability

  • the right to object.

Subject access requests

The timescales for responding to requests are reduced to a month and in most cases you will not be able to charge. If you refuse a request you will need to have the necessary policy and procedures in place.


It is advisable to review how you are seeking, obtaining and recording consent. Consent needs to be freely given, specific, informed and unambiguous. GDPR makes reference to ‘consent’ and ‘explicit consent’ and it is for you to provide evidence that consent was obtained.

Legal basis for processing personal data

You will need to review the type of data processing you carry out, define your legal basis for doing so and document it. People will now have a stronger right to have their data deleted, particularly where you use consent as your legal basis for processing.


In the UK that’s anyone below the age of 13, so you will need to verify individuals’ ages and obtain consent from parents or guardians to process their data. Special rules now apply to children’s data obtained from, say, social media.

Data breaches

Make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which would fall within the notification requirement, if there was a breach.

Data protection impact assessments

You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIA): the situations giving rise to a PIA and who will need to be involved.

Data protection officers

While some organisations will need to designate a data protection officer, the important thing is to make sure that someone in your organisation, or an external data protection adviser, takes responsibility for your data protection compliance.


If your organisation operates internationally you should determine which data protection supervisory authority you come under.


Awareness is crucial if you are to minimise the impact of GDPR. If you have not already done so, start talking with your professional advisers, suppliers and distributors to co-ordinate your efforts. Some companies will set up an internal project team while others will appoint external advisers to ensure compliance.

Whatever your business, it’s a good idea to get a plan in place – and sooner rather than later.


Connect with Innovate UK Business Connect

Join Innovate UK Business Connect's mailing list to receive updates on funding opportunities, events and to access Innovate UK Business Connect's deep expertise. Please check your email to confirm your subscription and select your area(s) of interest.