GDPR: How to save €20 million

The countdown for the United Kingdom’s implementation of the General Data Protection Regulation (GDPR) is fast approaching, with almost 12 months to go until 25 May 2018, the date by which affected companies are required to ensure compliance, or face penalties.

The GDPR is the widest-ranging amendment to data protection law in the UK in 20 years, but if your company doesn’t process any data which can identify a living person, or is prepared to face fines of up to €20 million (or, if greater, 4% of the previous year’s global turnover), you may be more relaxed about taking steps to prepare for the GDPR now.

In light of the UK’s impending Brexit, it is worth noting that this is likely to be one area of law which will remain unaffected by the UK’s departure, as any entity which trades in the European Union will be required to comply with GDPR. Thinking back to the referendum some 11 months ago, the May 2018 deadline won’t take long to arrive, so the time to start preparing is now, or very soon.

Those companies confident of their compliance with the requirements of the Data Protection Act 1998 are in a good position, but are not free from having to take further action. The main changes introduced by the GDPR include:

  • Maximum Fines are being increased so that, depending on the nature of the breach, companies could be fined up to €20 million (or, if greater, 4% of the previous year’s global turnover) or up to €10 million (or, if greater, 2% of the previous year’s global turnover). This is increasing from the current fine cap of £0.5 million;


  • Consent to processing must now be given explicitly and affirmatively. This will likely remove the ability to rely on silence or inactivity (such as failing to tick a box) to prove consent to the processing of data. Consent may also be withdrawn at any time, and must not be used as a pre-condition for a contract for which data processing isn’t necessary;


  • Data Processors (being those who are processing data on behalf of another entity) will now be subject to compliance requirements too; and


  • Subject Access Requests must be complied within 1 month, instead of within 40 days.


This change of law is likely to affect the overwhelming majority of companies in the UK and entails far more changes than are set out here. However, when it is implemented, its boundaries will no doubt be tested before the courts.

If the prospect of being a test case (with €20 million riding on it) doesn’t sound attractive, there is still sufficient time to start asking: what data you hold; why you have it; what budget needs to be allocated to implement all the changes required; and what do the data protection (and liability cap) clauses in your current contracts say?

May 2018 may seem far off, but there is no time like the present.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.