14 September 2017

The GDPR: New Rules for Data Protection

Q. What is the GDPR?

The EU General Data Protection Regulation (EU) 2016/679 (or GDPR):

  • Comes into force on 25 May 2018
  • Repeals and replaces the current Data Protection Directive
  • Brings significant changes to EU data protection
  • Affects EU businesses and non–EU businesses if they target or monitor EU residents
  • Increases penalties for infringement to 4% of annual revenue or 20 million euros

Q. What sort of changes does it make?

Personal data

  • Now extends to online identifiers e.g. IP addresses and cookies
  • Sensitive personal data now includes genetic and biometric data


  • Must be freely given, specific, informed and with a clear indication of wishes
  • Affirmative action is required for valid consent, and data controller must prove it
  • Consent may not be rolled in with other contractual terms
  • Right to withdraw consent at any time

New rights for data subjects

  • Rights of rectification and erasure are strengthened
  • New right to restriction of processing
  • Data portability - right to receive data and to transmit to another controller
  • Controllers must tell third party recipients of information of requests for rectification, restriction or erasure.

Privacy by Design and Privacy by Default:

  • Privacy by Design: privacy measures during product design processes
  • Privacy by Default: ensure by default that only necessary data is processed

Q. What do I need to do?

Prepare by reviewing/updating:

  • Your products and services, privacy notices and policies (including regarding consent)
  • T&Cs for privacy consents
  • Public and employee privacy notices and policies
  • Third party contracts related to personal data
  • Data breach register, data governance records and privacy impact assessments
  • Selection and appointment of a Data Protection Officer
  • Subject access request handling policy
  • Personnel training on data protection security protocols, encryption and pseudonyms, notification obligations for breaches, security breach notifications and security breach response plan
  • Privacy impact assessment and privacy by design implementation and review

If you have any questions or would like us to conduct a review of your policies and procedures, please contact Brian Levine on 01935 846258 or