30 June 2017 by

The General Data Protection Regulations (“GDPR”) – is your business prepared?

On 25th May 2018 the General Data Protection Regulations (“GDPR”) will become effective in the United Kingdom. Their purpose is to strengthen and unify data protection for all individuals within the European Union.

In this, the first article of several between now and next May, we set out some of the key points that you need to know and should start thinking about.

Individual’s rights

Individuals have a number of rights under the GDPR, some of which are similar to existing data protection rights.

An individual has the right to request the deletion or removal of personal data where there is no specific circumstance for the data to be retained. This right is known as the ‘right to erasure’. They also have the right to request that personal data is rectified if it is inaccurate or incomplete.

The company/organisation must respond to any such request by an individual within a month (two months if the rectification is complex).

Individuals can additionally ask for their personal data to be received in a structured and commonly used, machine readable format so that they can reuse it for their own purposes across different services.

In certain circumstances such as where the processing is unlawful or the individual contests the accuracy of the personal data, individuals also have the right to restrict the processing of personal data. Separately, individuals can object to personal data being processed for direct marketing purposes.

Data breach notices

It is the businesses and organisations themselves who will need to notify the relevant supervisory authority of most data breaches within 72 hours of becoming aware of them if the breach is likely to result in a risk to the rights and freedoms of individuals. The possibility of identity theft is an example of a breach that will need to be notified. If an organisation fails to notify a breach when required to do so this could result for large companies in a significant fine of either up to a maximum of 10 million Euros or 2% of the company’s annual global turnover.

Where a data breach is classed as high risk to the rights and freedoms of the individuals, the organisation must also notify the individuals concerned.

International transfers

The GDPR also restricts the transfer of personal data to outside the European Union, third countries or international organisations.

Personal data may be transferred internationally where the organisation receiving the data has provided adequate safeguards by making sure that individual’s rights are enforceable and effective legal remedies are available to individuals after the transfer.


Organisations will be required to comply with what is called “the accountability principle” by implementing appropriate technical and organisational measures, which could include staff training, internal audits of processing activities, and reviews of internal HR policies. It may also be sensible for organisations to assess whether they need to appoint a data protection officer.

There is a lot therefore that companies need to be aware of and they should start reviewing how the regulations will impact on them. The significant size of the fines that can be levied means this is a change in the law that cannot be ignored.

There will be much more to follow from us on these new Regulations but if you want to speak to us now please contact us on 0207 288 4700

23 June 2017 by

When winding-up proceedings – should not be used!

A recent High Court case provides a useful reminder of the circumstances when a party should not issue winding-up proceedings. […]

23 June 2017 by

Shareholders v Directors – who wins?

Generally it is the shareholders that hold the power in the company with the directors being responsible for its day […]

Signup To Our Weekly e-News

"*" indicates required fields

We’ll never share your details with any third party in line with our privacy policy.