GDPR | Nelsons

The European Union’s General Data Protection Regulation (GDPR) came into force on 25th May 2018, replacing the Data Protection Act 1998. All businesses in the United Kingdom, who handle personal data, have to comply with the legal framework.

Key points to consider

Valid consent to using personal data
The requirements for consent were tightened with the introduction of the GDPR. Clear positive consent is now required. Silence or pre-ticked boxes on your website no longer constitute valid consent from a customer.

You also have to give the customer the right to withdraw their consent at any time. This means that you should allow your customer the right to withdraw consent using the same method that was used to obtain it in the first instance.

Special categories of personal data
Most businesses are already familiar with the concept of ‘sensitive data’ from the previous data protection legislation. ‘Sensitive data’ includes information concerning racial or ethnic origin and health generally. There are other categories of information too, including genetic and biometric data.

Obligations are now imposed on you to show that you have considered and integrated compliance measures into your day to day practices. This may mean adopting appropriate data protection policies, staff training and appointing a data protection officer. Importantly, you now have to prove you comply with your obligations under the GDPR by keeping appropriate records.

In a significant departure from previous legislation, the GDPR requires you to have formal contracts with any service providers who process personal data on your behalf – and ensure they comply with their obligations under the GDPR. Equally, if you are processing data on behalf of a third party, the GDPR places specific legal obligations on you and make you liable for breaches that you are responsible for.

Right to erasure
More commonly known as the ‘right to be forgotten’, allows data subjects the right to have their personal data erased in specific circumstances – such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed.

Data breach notification
If you accidentally or unlawfully destroy, lose, alter, disclose, or give access to, personal data a requirement to notify the Information Commissioner’s Office will be triggered depending on the nature of the breach. You may be tempted not to notify to avoid any bad publicity, however, failure to notify risks an administration fine of up to €10,000,000 or two per cent of the total worldwide annual turnover in the preceding year – whichever is higher.

For the most serious breaches the penalty is doubled to €20,000,000 or four per cent of total worldwide revenues.

About our GDPR solicitors
Our expert lawyers work with businesses to put the best data protection systems in place to comply with the GDPR. Our team drafts detailed compliance policies setting out a business’ attitude to the GDPR and the steps that need to be taken to properly collect, store and safeguard relevant data.

For more information visit


Read More