UK data protection law is changing

On 25 May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act, a new Data Protection Bill is currently going through Parliament, and there are plans to replace the UK Privacy and Electronic Communications Regulations (PECR) with a new e-privacy directive.

These changes will affect all organisations that collect or use individuals’ personal information (data controllers), from private sector companies to public authorities, from large charities to members’ clubs. Many will see the compliance burden increase significantly and some will need to appoint a Data Protection Officer.

There will also be new obligations on third-parties that process personal information on behalf of other organisations (data processors), such as outsourced IT providers and external marketing companies.

Ensure you are ready

It is important to use the next few months to get ready as there will be no transitional relief period once the new law comes into force in May next year. Getting it wrong could lead to fines of up to EUR 20 million or 4% of total worldwide annual turnover, not to mention serious reputational damage.

Our data protection lawyers are helping clients to get in shape for the GDPR by delivering practical training for senior managers and staff, reviewing data processes, updating policies and reviewing contracts.

Topics like fundraising and consent have been dominating GDPR-related headlines. Carla Whalen highlights the importance of seeing your GDPR compliance as an on-going process

Privacy notices are a core part of GDPR compliance. It's the document that explains what you're going to do with people’s personal data. Victoria Ehmann explains why it's key you get it right

Get in touch if you would like help with:

  • data protection training for staff, board members and trustees including obligations on data controllers and data processors under the GDPR
  • preparation for data protection reform including data mapping and data audits
  • the role of the Data Protection Officer, documentation and record-keeping requirements under the GDPR
  • data minimisation, storage limitation, anonymisation and pseudomysation
  • data processing justifications, legitimate interests and consent
  • data protection impact assessments (DPIAs)
  • information sharing agreements and data processing contracts with third-parties
  • cross-border data transfers outside the EU including standard contractual clauses and binding corporate rules
  • individual rights under the GDPR including the right to data portability and the right to erasure (the ‘right to be forgotten’)
  • advice and support in relation to data subject access requests
  • e-privacy, direct marketing and website cookies
  • data protection breaches, correspondence with the ICO, notification obligations, fines and sanctions

Contact one of our specialists to ensure you are ready.