Showcasing the Best of Welsh Business

Why Welsh SMEs Must Act Now to Get Ready for New Data Protection Law


David Teague from the Information Commissioner’s Office (ICO) in Cardiff highlights the importance of preparing for GDPR.

There’s less than a year to go until a big change in data protection law which means if you’re responsible for people’s personal information, you need to be preparing for that change now.

New legislation called the General Data Protection Regulation (GDPR) will come into effect in May 2018 in the UK via the Government’s Data Protection Bill, and will bring a more 21st century approach to the processing of personal data.

The new reforms place more obligations on all businesses, including those in Wales, to be accountable for their use of personal data. You’ll need to think carefully about the way you deal with customers’ and staff records, and if you’re working alongside Welsh public authorities, you may need to demonstrate your compliance with the new law as part of your working agreement.

Consumers will have more rights under the GDPR such as being better informed about what businesses are doing with their data and having greater access and control over their data. We’ve highlighted a few points as a starting point for Welsh businesses below but our guide – 12 steps to take now is really the best place to start:

Maintaining records and training

No matter what size your business is, you will need to have clear data protection policies and procedures in place, reviewed to take into account the GDPR. All staff will need to be trained on these procedures. The GDPR also requires businesses to maintain records of data processing activities which can differ depending on the size of the business.

Data security breaches

It will be mandatory to report certain data security breaches to the ICO within 72 hours of becoming aware of it and in some cases, where the breach is considered high risk, to the individuals affected.

Individuals’ rights

One of the main changes will be dealing with subject access requests (SARs). This is a person’s right to access information held about them. The GDPR gives less time to respond to these requests, information must be provided without delay and at the latest within one month. In most cases, businesses won’t be able to charge a fee.

The new law strengthens the controls around consent. It will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent.

If you’re complying with the current data protection law, you’ll be well on the way to complying with the GDPR, but now is the time for all businesses to be making changes.

There’s a wealth of material on the ICO’s website dedicated to helping businesses, including an overview of the new legislation and an updated data protection toolkit for SMEs giving you the ability to compare what you are currently doing around data protection and what you should be doing under the new regulation. As well as the guidance on our website, businesses can also call the ICO Wales office on 029 2067 8400.