In May 2018 the Data Protection Act in the UK will be changing to the EU’s General Data Protection Regulation (GDPR). The changes pose much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data. Although the UK is leaving the EU, the Great Repeal Act means that this will likely be converted to British Law.



The Data Protection Act was passed by Parliament in 1998 and was established to control the way information is handled and to give legal rights to people who have information stored about them.  This specifically applies to larger companies that handle a lot of data and the need to treat this confidentially. Over the recent years, the upgrades in technology and online have made it easy for SMEs and anyone who owns a website to accumulate large databases and secure handling of personal data along with records of consent are essential for general sales and marketing.

Following the recent increase in cybercrime and misuse of data, the role of data protection has become increasingly important, with UK companies losing over £1 billion in the last year due to cyber breaches. Specifically, cyber criminals have been able to access data such as:

  • names
  • email addresses
  • passwords
  • bank details
  • pension information

Key changes in the new data protection laws 

Active agreements: A pre-ticked box online for short term lenders and all ecommerce companies will no longer be enough to demonstrate customer consent. If they plan to send additional marketing information, companies that have control of data will need to demonstrate a clear audit trail of consent including what the customer consented to which could include screen grabs or saved content forms.

Right to be forgotten: Those users that want their information removed from a mailing list or website now have the right to be completely forgotten. The individual’s details must be fully erased and not just deleted from a mailing list including any DNA, IP addresses and cookies too – leaving no trace whatsoever.

Data Portability: Individuals will have the right to obtain data held about them in a commonly used, machine-readable format.

Reporting: In the event of a data breach, the new GDPR forces companies and webmasters to inform relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.

How do I get a copy of my personal data? 

In order to obtain a copy of your data, currently you need to write to the government or organisation in question requesting to see the information held about you, known as a ‘subject access request.’ The organisation or data controller may ask you to pay a small fee to receive this data or proof of identity to retrieve the data. In the UK, the fee that may be charged means £10 and the organisation has 40 calendar days to provide the information from receipt of the request and the fee. Under GDPR, the charging of the fee is prohibited and the information should be provided within one month.


The challenges facing the new bill 

One of the main challenges of the new act is that it may cause some major internal changes for SMEs and organisations. Handling data and complying with GDPR now has to become the centre of company culture and companies all over the country will need to redo their internal processes, marketing and legal documents, which comes at a cost.

In fact, for certain companies, having previous data records of customers who consented to receiving marketing via a pre-filled tick box will not be sufficient to demonstrate consent under GDPR. Several companies may therefore have the chore of asking millions of users to update their marketing preferences again and/or opt in again and, if they do not respond, the organisation may have to remove their details from their marketing system.

The potential fines for getting the new data protection changes wrong is significant – whereby previous fines were capped at £500,000, two tier regulatory fines will now be introduced.  These include up to 4% of worldwide annual revenue or EUR 20 million (whichever is the higher) where data subject rights are infringed or up to 2% of worldwide annual revenue or EUR 10 million (whichever is the higher) where data security breaches occur. Those exempt include companies who have kept data on suspicion of those doing money laundering, terrorism or anti-doping. Also, journalists who aim to express wrongdoing or opinion may be exempt.