Black Nova Designs (NEW 2024 Leaderboard Ad)

Let's Talk

Your Total Guide To Business

Bowman House (Business Sponsor)
Top Tips for Data Protection from Thrings

Top Tips for Data Protection from Thrings

Thrings has written a series of guides, top tips and Question and Answers to help steer you through some legal hot topics. To find out more and to view the rest of the Guides, follow the link at the bottom of this page.

The General Data Protection Regulation (GDPR) is the EU’s new data protection law. Replacing existing laws such as the Data Protection Act 1998 (DPA), it comes into force on 25 May 2018 and, barring any major policy changes in the next couple of years, will survive Brexit in 2019. UK businesses have 12 months to get up to speed and make necessary changes to ensure compliance. Here, we’ve put together tips to help you do this.


While the new GDPR brings about a number of important changes, the following headline issues require particular awareness:

“Privacy by design, privacy by default” – this maxim marks a fundamental change in attitude to personal data and means that businesses will have to hardwire both data protection and data minimisation into their operations.

Accountability – businesses will no longer need to “notify” (register) with their national data protection authority, but will now be required to document and demonstrate their compliance with the GDPR. Transparency and best practice are key and are as much about good customer care as technical compliance. Importantly, this applies directly to data processors as well as data controllers.

Increased fines – from comparatively low fines (e.g. the current UK maximum of £500,000), the GDPR will significantly increase penalties to €10m (2% of annual worldwide turnover) for minor or technical breaches, and €20m (or 4% of turnover) for more serious operational failures.

Tightening up of consent – businesses will no longer be able to rely on vague indications of consent such as pre-ticked consent boxes and confusing double negatives – and will instead need to ensure that consent is properly obtained and adhered to. Consent will have to be freely given, unambiguous, specific, informed and clear (and also explicit in the case of special categories of data, such as health and religion). Most businesses need not be overly concerned by these changes, however. The GDPR can be considered a reboot of the DPA so, in general, if you’re compliant with the current law, you’re unlikely to have much trouble meeting the new requirements. Over the next two pages we’ve compiled the crucial areas of change to note:


The GDPR effectively means that Data Protection is a key business function and must be overseen at board level. You should make sure that key people are aware of the changes in the law and appreciate how this will impact their role in the business. Data processors will find themselves more directly affected by the GDPR and less able to look to their data controllers for compliance.


You will need to be able to document and disclose what personal data you hold, together with the sources for that data, the purposes for which it is processed and the relevant consents for that processing.


You need to review your current Data Protection Policy (aka “Privacy Policy” or “Fair Processing Notice”) and prepare to make appropriate changes.


Individual data subjects will have increased rights of access to their data. They will also be entitled to call for their data to be corrected, deleted and transferred to other businesses. Your procedures and policies may need to be reviewed and updated so that your business can respond in a compliant manner.


For each individual whose data you hold, and for each type of data processed, you will need to document and abide by the relevant legal basis for that processing. This basis will commonly be “consent” but not always – you will need to review how you are seeking, obtaining, recording and updating the basis for your processing.


The GDPR requires parental consent for children under 16 but allows Member States to lower this age limit to 13. The UK has indicated it is intending to adopt this lower age limit (which is widely seen as the de facto global cut-off) so you may need to be able to demonstrate how you verify individuals’ ages and parental consent where necessary.


You need to have procedures and policies in place to detect, report, investigate and resolve any breaches of an individual’s rights regarding their data. There is a new 72-hour deadline for reporting breaches. It’s important to note this is a strict time limit and does not take account of weekends, bank holidays, etc.


As part of “privacy by design, privacy by default” you may need to adopt and implement Data Protection Impact Assessments.


While the GDPR doesn’t require every business to have a DPO, it is strongly recommended that all organisations appoint an appropriate individual tasked with oversight of data protection compliance. The DPO should be independent of day-to-day implementation and should have a direct line of communication to CEO/board level to report issues.


Businesses operating across borders may need to check which national data protection authority they are regulated by. Additionally, the GDPR applies to most businesses outside the EU dealing with data subjects in the EU.

At Thrings, we have extensive experience providing legal advice regarding data protection. To discuss how we can help you, or to learn more about the GDPR, please contact Graeme Fearon on 0117 930 9557 [email protected]


LINK: To download more Guides from Thrings, please click here.


Thrings Swindon


Thrings Solicitors in Swindon have been providing legal advice to businesses and individuals for almost 300 years.

6 Drakes Meadow, Swindon, SN3 3LL

Bowman House (NEW - Animated Ad)
Wrag Barn (Animated Ad)
Fiona Scott Media Consultancy
HT Wills (Animated Ad)
Lydiard Park Hotel & Conference Centre (Animated Ad)
Future Planning
Steilea (Animated Ad)

We recommend

Black Nova Designs (NEW Animated Ad for 2024)
Dayfold Print (Animated Ad)
Bowman House (NEW - Leaderboard Ad)

Weather in Swindon