General Data Protection Regulation – the new regulation from Europe to replace the data protection directive

This blog post was also featured as a column in the June 2016 issue of Legal Practice Management magazine. To read the issue in full, download LPM magazine.


On 17 May I had the honour of taking part in an expert panel in this year’s LPM conference. The conference was a huge success, full of great information, and our panel was there to emphasise the importance of “accepting that change is on the horizon.”

When questioned by the LPM team where we felt the most change for our clients (you) was in the second half of 2016, I had no hesitation in screaming “GDPR!”

“What on earth is GDPR?” I hear you holler back. Well, it’s the General Data Protection Regulation. This is the new regulation from Europe to replace the data protection directive. It has taken four years to be approved, with thousands of changes requested from all member states. It is thought that the GDPR provides a harmonisation of data protection regulations throughout the EU.

This regulation enforces the control of personal data for both clients and employees alike and carries penalties of up to 4% of company-wide annual turnover, rather than the pre-existing £500,000 cap, for non-compliance.

From the launch this spring we have a twoyear transition period to conform and practice the GDPR – which will be in force from 25 May 2018. This may sound like a long tim awaye, but the changes we need to have in place will take most organisations and practices at least two years to implement. Every company must now be responsible and accountable if it’s processing/ storing personal information of any EU citizen. Personal information includes: addresses, NI numbers, copies of passports and any other information relating to the individual.

At this stage some readers may hold up the Brexit shield in hope that if we leave the EU this will not apply to us. My prediction is that if we do leave the EU we will still need a best practice for dealing with personal data and the GDPR. Many firms deal with the data of European citizens, so the GDPR applies, whether we’re in or out.

Moving on to the most important question, how do we prepare? Well, I have read the GDPR and it’s a cumbersome document. Obviously it goes without saying that this is a massive change for all of us and I would advise you to take the time to read the whole document – but in the meantime the Information Commissioner’s Office has formulated a wonderful document called the ‘12 steps to take now’.

We have placed a link to it on our website for all our clients and LPM readers:

It’s a lot to take in, I know. But never fear – over the next two months we’ll be taking a selection of these steps and helping you place them in an actionable form for your firm. Hold on tight LPM readers – it’s going to be hard work but we will get there! 

Post a Comment

Add your comment