General Data Protection Regulation

New EU data protection laws will apply from 25 May 2018 and will have a dramatic impact on your business and the way you hold sensitive customer information. The new General Data Protection Regulation (GDPR) will apply to all UK businesses despite Brexit. Building on current and UK Data Protection legislation, GDPR is designed to strengthen data protection for individuals within the European Union by handing the power back to the user and giving them the 'right to be forgotten'. If you haven't already started putting a plan into place, now is the time.

What You Need to Know

When it comes to data protection, there are three basic principles that you should ensure are embedded in your organisation: know what data you collect from people; make sure you can justify why you collect it; and certify you have obtained consent to collect it and store it.

In order to start working towards compliance you need to be aware of these key articles of the GDPR:

  • All companies are required to appoint a Data Protection Officer who is responsible for internal record keeping.

  • Existing or prospective customers will have to give consent for the information to be held and used.

  • Companies will no longer be able to use long illegible terms and conditions full of legalese. T&Cs must be in an intelligible and easily accessible form.

  • Customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose. When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.

  • Customers have the right to request their data be removed and further distribution ceased.

  • The collection of online identifiers such as IP address, cookies and tags also falls under the remit of 'personal data'.

  • The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.

  • Loss of data needs to be reported to a data protection authority and the people affected within 72 hours.

Companies that are not GDPR-ready by May will face a fine of up to four per cent of their global annual turnover; if a breach takes place and your agency does not inform the supervisory authority within 72 hours, it faces a fine of two per cent of global annual turnover.

How Are We Helping You to Comply?

It may take some businesses months to get ready for GDPR. There may be business bosses in the UK who are still unaware of this new regulation, don't understand it, or are unaware of the consequences of non-compliance. But that will be no excuse if you suffer a loss of data. So what resources are we putting together to help you get your house in order?

Training Course


Get practical advice on business processes and how to implement an effective GDPR compliant regime with this half-day course.

Business Skills

GDPR Get Ready Simply and Pragmatically (Course)

Advice to help cut through the confusion so you can plan your GDPR implementation. Book today.

Fact Sheet

GDPR Resources

We're putting together some practical resources to help you start implementing a GDPR plan. Download your resources.


Legal Helplines

If you're after some GDPR advice try our free member legal helpline. You can find the phone number by logging into the members' area.

Business Skills


We have GDPR sessions scheduled at all of our upcoming NAEA masterclasses which are free for members to attend. Find an event near you.



We will be keeping members updated on GDPR and other key topics affecting the industry through our newsletters.