The General Data Protection Regulation

News / / The General Data Protection Regulation

The General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018. The GDPR will update and harmonise data protection procedures, address new technological developments and bolster enforcement across the EU.

Following the UK’s decision to leave the EU, the current government has indicated that it will implement the GDPR to secure unimpeded data flows between the UK and the EU, particularly to underpin free trade, though it has not yet indicated whether the UK would seek an EU “adequacy” decision in Brexit negotiations or what alternative arrangements might arise.


Key Differences

There are several critical differences between the GDPR and the current data protection regime (the Data Protection Directive, introduced in 1995). The GDPR will enhance rights for individuals, including:

  >  providing them with easier access to their personal data

  >  providing better information about what happens to their personal data once it is shared

  >  a “right to be forgotten” where individuals can have their personal data deleted when the data controller has no legitimate grounds for retaining it

  >  a right of data portability whereby individuals can transfer their personal data to another service provider

  >  a right to object to profiling.

Data Subject Access Requests

Data subject access requests will continue to exist, but the employer will be required to provide additional information, namely the envisaged period of storage; details of “delete it, freeze it, correct it” rights; and the safeguards applied on a third country transfer of data. The employer will be obliged to comply within one month, with an extension of two additional months if necessary, taking into account the complexity of the request. The £10 fee will be abolished, though where a request is “manifestly unfounded or excessive” the employer may either charge a reasonable fee, taking into account administrative costs, or may refuse to act on the request altogether.

Data Breaches

Where a data security breach occurs, under the GDPR data controllers must notify the national data protection authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of the individuals concerned. The GDPR will also remove the requirement for companies to submit an annual registration with a national data protection authority, instead requiring them to maintain detailed documentation showing data processing compliance.



The GDPR will have a tougher penalty regime. The maximum penalty for non-compliance will be €20m or 4% of the undertaking’s worldwide turnover (compared with a current maximum penalty in the UK of £500,000).

Organisational Impact

The GDPR is likely to require organisation-wide changes for many businesses, to ensure that personal data is processed in compliance with the new requirements. Although data protection legislation applies to all areas in which a business processes personal data, including data relating to customers, suppliers and website users, the implications for data relating to employees are particularly significant, as businesses are likely to process significantly more personal data in relation to employees than in other contexts.

Changes for employers to consider include:

  >  ensuring that sufficient resources to prepare for the changes have been allocated

  >  identifying all existing data systems and personal data processed

  >  redesigning systems that process personal data

  >  updating data protection policies

  >  implementing a policy on retention and storage of data

  >  training staff on data protection responsibilities

  >  establishing processes for dealing with data breaches

  >  renegotiating contracts with third party data processors

  >  restructuring cross-border data transfer arrangements.

Related services:

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500