
Data Protection Changes: What Businesses Need to Consider


This article has been submitted by Greenaway Scott

On 4 May 2016 the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. All EU organisations have to comply with its provisions by 25 May 2018, meaning that UK data protection law will be changing. The government has confirmed that the UK will still adopt the GDPR following the vote to leave the EU, as many businesses will still be sharing data with EU member states and it is important that the UK is assessed as providing an adequate level of data protection.

The GDPR has been introduced because of significant advances in information technology and in the ways in which data is shared, and also to provide greater harmonisation of data protection law across all EU member states. The Data Protection Directive that was introduced in 1995 has been implemented in different ways across the EU member states, and this creates compliance difficulties for businesses. The GDPR will therefore create a single legal framework across all EU member states.

An important consideration for businesses is that the GDPR introduces increased enforcement powers, and the maximum fines that can be imposed for breach of data protection laws will be increased significantly. Certain businesses and public authorities must also now designate a data protection officer to take responsibility for data protection compliance.

There are also provisions in the GDPR that will establish a mandatory system in relation to breaches of data security. Businesses should ensure they are putting the right procedures in place now to be able to detect, report and investigate breaches of personal data. The GDPR will introduce an obligation on all organisations to report a breach of certain types of data to the Information Commissioner’s Office (ICO) and, in certain cases, to the individuals themselves.

The ICO has published an updated data protection self-assessment toolkit for SMEs which will help you assess your progress in preparing for the GDPR. The ICO has also updated its “12 steps to take now” guidance which will help you start to put the processes in place now to comply with the provisions of the GDPR when they come into force next year.

If you would like advice on data protection and the impact the GDPR may have on your commercial contracts please contact the Commercial team by emailing [email protected] or visit our website at