General Data Protection Regulation

New EU data protection laws applied from 25 May 2018, impacting businesses and changing how they hold customer information. The General Data Protection Regulations (GDPR) applies to all UK businesses despite Brexit Building on current and UK Data Protection legislation GDPR is designed to strengthen data protection for individuals within the European Union by handing the power back to the user and providing a ‘right to be forgotten’.


In order to comply with General Data Protection Regulations (GDPR) you need to know what data you collect from people, you need to make sure you can justify exactly why you collect it and you need to be able to evidence that you have obtained consent to collect, manage and store the data.

According to article 5 of the GDPR the data protection principles are that data should be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”


In order to start working towards compliance you need to be aware of certain key, practical points:

  • Existing and prospective customers will have to provide consent in order for you to legally manage and process data for specific purposes.

  • Existing or prospective customers will have to give consent for the information to be held and used.

  • Companies will no longer be able to use lengthy. illegible terms and conditions full of legalese. Privacy notices must be presented in plain English and be easily accessible.

  • Personal data can be any information which allows an individual to be identified including name, address or any unique identifier used by an organisation.

  • Online identifiers such as IP address, cookies and tags also fall under the remit of personal data.

  • In certain circumstances individuals will have the right to request their data be removed (the right to erasure) for reasons including withdrawing consent. However there are a number of exclusions to this, for example the defence of legal claims.

  • It is essential that you have written contracts with any third party companies (including referencing agencies and external marketing agencies) who handle data on your behalf. These contracts need to outline the processes that are followed in handling data.

  • Certain types of data breach need to be reported to the relevant data protection authority within 72 hours.

Companies that do not take action to adhere to GDPR risk a fine of up to four per cent of global annual turnover or 20m euros. Furthermore if a data breach takes place and your agency does not inform the relevant authority within 72 hours, it faces a fine of two per cent of global annual turnover or 10m euros.

How Are We Helping You to Comply?

It may take some businesses months to get ready for it for GDPR. There may be business bosses in the UK are still unaware of this new regulation, don’t understand it, or are unaware of the consequences of non-compliance. But that will be no excuse if you suffer a loss of data. So what resources are we putting together to help you get your house in order?

Training Course

Protecting Data (Online Course)

This eLearning course focuses on educating employees about the new GDPR legislation. Book now.

Fact Sheet

GDPR Resources

We have put together practical resources to help you implement a GDPR plan. Download your copy.


Legal Helplines

If you're after some GDPR advice try our free member legal helpline. You can find the phone number by logging into the members' area.



We will be keeping members updated on GDPR and other key topics affecting the industry through our newsletters.