On 25th May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 in the UK and it’s essential that you review your existing processes in order to comply.

The regulations apply to personal data (any data held on an individual), processed by businesses of any size, and there will be much tougher punishments for any breaches. 

Background as to why the laws are changing

In the 1990s it was only the big companies that stored large amounts of data, but now businesses of every size do. In 2016, businesses in the UK lost more than £1 billion to cybercrime, with SMEs being as much at risk, if not more so, than large companies. The GDPR is coming into place to bring the data laws up to date and to protect the individual, but it will also mean that your business builds customer trust and engagement by being more accountable and transparent about the ways that you collect and store data and why you are doing it.

What are the main things we should be aware of? 

The GDPR will require businesses to know exactly where all the personal data they hold is stored and why it is there, and to be able to quickly remove it or supply a copy of the information held if the individual requests it.

The new regulations are strict: it must be necessary for you to process and store an individual's data. There are six lawful bases under which you can process data. You now need to review the data that you process and decide on which lawful basis applies for each set. 

What are the six lawful bases? 

  1. Consent

  2. Contract

  3. Legal obligation

  4. Vital interests (protecting life)

  5. Public task (the task having a clear basis in law)

  6. Legitimate interests 

If your data comes from ‘consent’, here are the important things you need to know

Consent means that the individuals are given genuine choice and control. From now on you need to keep a thorough record of how and when an individual gives consent to store and use their personal data. There needs to be a clear audit trail with screen grabs or saved consent forms and consent can no longer be inferred by a pre-ticked box. 

You will need to make it very clear (in plain English) to the individual: 

  • your lawful basis for processing data 

  • why you want the data and what you’re going to do with it – different purposes will need different consents 

  • their right to have their data viewed or removed quickly at any time and how they can do this 

You will also need to regain consent if your lawful basis changes (say from consent to legitimate interests). Your consents will need refreshing now if they don’t meet GDPR standards. 


  • Review your existing processes and decide on a lawful basis for each set of data that you process 

  • Make sure all your consent-based data now requires a positive opt-in; don’t use pre-ticked boxes or any other method of default consent

  • Make sure you have separate consents for separate things 

  • Regain consent from people who weren’t given a positive opt-in or if your use of the data or legal basis changes 

  • Make sure there is a process in place so that people can easily request removal of their data, or a copy of what you hold, and that this can be done quickly – you also need to make it very clear to the individual how they can do this 

  • Keep a record of when and how you got consent from the individual and exactly what they were told at the time 

  • Create an easily understandable privacy policy which clearly states:
    – who you are
    – what data you’re collecting
    – why you want the data
    – what you’re going to do with it
    – name any third parties who will use the data
    – how the individual can see a copy of their data, edit it, or withdraw consent (unsubscribe)

  • Schedule it in to regularly review your processes in line with the laws and guidelines
