skip to navigationskip to main content

May deadline for new data protection rules

9 February 2018

Major changes in rules governing how businesses manage personal data take effect this May. It is essential you are familiar with the new requirements.

 The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will replace existing data protection rules. Although this is EU law, the government has said it will remain in force after Brexit.

The GDPR gives individuals – including customers and employees – greater control of their personal data held by businesses and other organisations. They will be able to choose whether and how businesses use that data, and they will also have the right to have their data deleted. Businesses will need explicit consent to hold a person’s data in electronic format and to share it with other organisations. The definition of data has widened to include IP addresses, internet cookies and even DNA.


A new right to data portability will allow individuals to move, copy or transfer personal data

easily from one IT environment to another. For example, they could upload their data to a price comparison website to find a better deal based on their personal circumstances. Your business must therefore be able to identify all of an individual’s data, and make it available in a structured, commonly used and machine-readable form, for example CSV files. This will generally have to be done free of charge and within one month of a request.

Subject to various conditions, individuals will also have the right to: be informed how their data will be used; have their data corrected or deleted; restrict or object to processing of their data; and object to automated decision-making.

By 25 May you need to know precisely what data you are holding and for what purposes. In

particular organisations must:

  • Ensure that employees are fully informed about the uses being made of their persona data and that HR staff have training in the new rules.
  • Delete all information about employees and customers that they no longer need.
  • Only collect and process personal data that they legitimately need for identified purposes.
  • Update their procedures for managing access requests by data subjects.

Don’t delay: the penalty for getting it wrong after 25 May will be up to 20 million euros or 4% of worldwide turnover – whichever is the higher -depending on the damage done.

If you need more information on GDPR and the steps you need to take to be compliant, we are teaming up with Barclays to hosting a free GDPR Seminar on Thursday 8th March 8am – 10am. Visit our Events page to book your free place.

View other blog posts