GDPR: Important changes

Listed below are TEN important changes that your organisation may face due to GDPR.

Speak to an expert now


The General Data Protection Regulation or GDPR is new data protection law that comes into force on 25th May 2018. It applies not only to the UK but also right across the European Union.


What are some of the important changes introduced by the GDPR?

Even if your organisation is already complying with existing data protection legislation, some changes that it will need to make include the following:

1. Demonstrating compliance with the GDPR (Accountability Principle)
Your organisation must be able to demonstrate that it complies with the GDPR. This will include implementing measures such as staff training and maintaining relevant documentation of your data processing activities. If your organisation has more than 250 employees or is involved in higher risk processing of personal data, it must maintain additional internal records about its processing.

2. Data Impact assessments
Where your organisation’s data processing is likely to lead to a high risk “to the rights and freedoms of individuals”, your organisation is required to carry out a data protection impact assessment. For more detail about data impact assessments, please see our blog.

3. Handling of personal data
Your organisation will need to put in place new procedures to ensure that personal data can be easily ported under the new data portability requirements or erased under the right to be forgotten.

4. Subject Access Requests
The time limits for complying with subject access requests have been reduced.

5. Data Protection Officers
Any organisation, no matter its size, which carries out certain types of data processing will need to appoint a data protection officer. For more information about when your organisation will need to appoint a data protection officer, please see our blog.

6. Consent for processing
There are new rules in relation to the form of and type of consents that organisations obtain from individuals which allow the organisation to process (use) the individuals’ personal data. Consent must be freely given, specific and informed and an unambiguous agreement to the processing in question. Many of the tick boxes or other methods organisation currently use to obtain consent will need to be reviewed.

7. Children’s personal data
There are new rules for processing the personal data of children and the consents that must be obtained which may have to come from parents.

8. Data processors
A data processor, that is to say an organisation who processes personal data on behalf of another (for example a payroll provider handling employee data for an employer), is caught directly by the GDPR. Previously only the data controller (in the example of payroll services, the employer) was caught by data protection legislation. The GDPR sets out various provisions that a contract between a data controller and a data processor must contain. It also places obligations on the data controller to ensure that the data processor that it uses provides sufficient guarantees of compliance with the GDPR.

9. Breach notification
An organisation must self-notify within 72 hours to the relevant regulatory authority, in the case of the UK the Information Commissioner’s Office (ICO), any breach of the GDPR unless it is minor. The organisation must also notify the individual too.

10. Expanded territorial scope
Non-EU organisations offering goods or services to individuals within the EU will be caught by the GDPR. Please see our blog for more details.

How we can help your organisation with their GDPR compliance?

How our GDPR audit can help your organisation?

Our thinking

Get fresh insight on the legal issues that matter on our blog, whitepapers and more.

Find out more


Are you GDPR compliant?

Find out more