Lead Forensics
Prettys Solicitors Ipswich



Data Protection Changes – what should my business be doing now?

June 2017 - Issue 94

Background to the changes

The data protection regime in the UK is set to be overhauled from 25th May 2018. This may seem like a long way off, but the changes are wide-ranging and require logistical planning by businesses. Preparation is key and we urge business to begin preparing for these changes now.

The new regime

The new regime will be contained within EU Regulation 2016/679, otherwise known as the “General Data Protection Regulation”. This Regulation will apply directly to EU Member States. International businesses operating in within the EU should also be mindful that they will be caught by this Regulation if they process or store personal data of individuals based in in EU Member States.

You may be wondering whether this new regime will even be relevant in the aftermath of the UK’s decision to leave the European Union. It is currently unclear what reform of the UK’s data protection regime will look like following Brexit, although it is expected that it will broadly mirror that contained in the Regulation. This is due to a political drive for consistency across borders, on the assumption that this is conducive to trade and business across borders. In particular, the UK’s Data Protection Minister at the Department for Culture Media & Sport has stated that a harmonised approach even post-Brexit will be “crucial both to businesses and organisations and to consumers and citizens”.

The Regulation will apply to “Data Processors” and “Data Controllers”. “Data Processors” are any person that determines the purpose(s) for which, and the manner in which, any personal data is processed. “Data Controllers” are any person who processes personal data on behalf of the data processor (excluding employees). In broad terms ‘Personal Data’ will include any data that relates to a living individual (i.e. the “Data Subject”) who can be identified from that data, including opinions about that individual.

What are the key changes?

Lawful Processing

Article 6 of the Regulation sets out six grounds on which personal data may be processed, these include:

  1. consent;
  2. necessary for the performance of a contract with the data subject; and
  3. necessary for the purpose of a legitimate interest;

Whilst ‘consent’ is a current lawful ground for processing, businesses need to consider carefully the changes being made to what constitutes valid consent. Under the new regime, this is subject to a considerably higher threshold. Our view therefore, is that other grounds should be relied on before opting for consent. Under the new regime, consent needs to be obtained from a positive, affirmative action that is freely given and unambiguous. This test is therefore considerably more stringent than under the existing regime where consent can be impliedly given, such as an individual not ‘unticking’ a pre-ticked box on an electronic form about their agreement to the processing of their personal data. Consent will also be revocable at any time under the new regime, which could present logistical headaches for organisations.

We therefore suggest that organisations consider other potential grounds for processing before consent. In particular, consider whether there is a ‘legitimate interest’ for the processing. If your organisation is seeking to rely on this, be aware that this could vary according to the type of data processed. Your business needs to take care to ensure that the purported reason is actually relevant to the type of data being processed.

Steps to take now

Where consent is intended as a legitimate ground going forwards, make sure that your approach is consistent with the ICO’s draft guidance on consent (to be formalised in due course).

If your organisation is seeking to rely on a ‘legitimate interest’, consider from the outset whether there is a genuine need for the processing. Identify the ‘legitimate interest’ in respect of each category of data held and consider whether the processing is proportionate to achieving this interest (i.e. is a balance being struck between the organisation’s need to process the personal data against the individual’s right to privacy?)  Once you have identified this legitimate interest, it needs to be documented. It will also need to be clearly stated in the Information Notice/Privacy Notice (discussed below).

Privacy Notices

Under the current regime, privacy notices need to be given to set out why data is being processed. This will continue under the new regime but organisations need to be aware that more information needs to be included. The ICO has published a code of practice on privacy notices to this effect (this should be consulted to ensure compliance going forwards).

In particular, the privacy notice should be issued at the time that the data is obtained. Key information will also include the identity of the controller, the purpose of the processing, the legitimate basis for processing, details or categories of any recipients of the data, how the data will be stored and details of the data subject’s individual rights (including the right to withdraw consent at any time, where this is the selected ground).

Steps to take now

Your organisation should review its privacy notice(s) alongside the ICO’s code of practice, to identify any required changes. Redrafting or amending may be required. There should also be a system in place for identifying where the data came from (the individual or a third party?), as this will affect the content of the notice. Communicative style will also need to be clear and easy to understand. In particular, draft the privacy notice with your audience in mind. Systems should also be in place to ensure that privacy notices are reviewed periodically.

Individual rights

These are more extensive under the new regime and include the following rights to:

Significant changes are being made to SARs. As a general rule, the £10 fee will no longer be allowed. The deadline for a response is also being reduced from 40 days to 1 month. Where the request is received electronically, the response should also be electronic. Responses will also need to be more detailed than currently.

“Data portability” means that individuals can now obtain and reuse their personal data from data controllers for their own purposes and/or request transmission from one data controller to another where the data has been processed automatically, provided to the controller by the individual and where consent is the legal basis for the processing.

Notable changes are also being made to the “right to be forgotten”. To date, this has been limited to processing that causes unwarranted and substantial damage or distress. However, under the new regime, a wider range of circumstances are available in which individuals will be able to request that their data is erased. For example, a request for erasure can be made where consent has been withdrawn (if applicable).

Increasingly, data is being automatically processed, particularly online, in order to obtain personal data which is often then used, for example, to obtain information for marketing purposes. In response to this, the Regulation introduces a new right of objection against this type of processing. It is currently unclear as to whether this right will apply from the outset. It is clear however, that this right will not apply where personal data has been automatically processed following receipt of valid consent, necessary in order to enter into a contract or to carry out contractual obligations with the individual or if authorised by law.

Steps to take now

For SARs, organisations need to appreciate the additional information that needs to be given. Audits should be carried out to see whether the current procedure will meet the new requirements. In particular, systems need to be in place to ensure that these requests can be dealt with efficiently, such as via an online portal enabling easy retrieval of stored information. Policies may also need to be amended and training provided to the relevant staff.

For data portability, we encourage employers to review the draft Article 29 Data Protection Working Party’s Guidelines on data portability. An audit should be conducted to identify which individuals this right could apply to. Again, systems should be in place, such as an online portal, to ensure that data is in a an easily ‘moveable’ format- can it easily be exported to work on other systems?

Where the “right to be forgotten” is requested, employers need to ensure that appropriate staff are adequately trained to deal with requests and also need to consider whether current systems are equipped to deal with these.

An audit should also be conducted to assess the extent of automated processing. To what extent does your business profile data subjects? If this is inherent to the nature of the business or a common occurrence, make sure you have a solid basis for this type of processing. This type of processing should be reduced where possible.


This is an entirely new concept. This is all about implementing technical and organisational measures (such as those discussed above) to ensure that the “Principles of Data Processing” (Article 5) are upheld. In addition to the above measures and steps to take, businesses should adopt an approach that seeks to protect privacy of data subjects from the outset and which is maintained for as long as the data is held.

Getting it right

The implications of falling foul of the new regime are potentially very serious. Businesses will need to report any suspected breaches to the relevant supervisory authority (the ICO in the UK) within 72 hours, and possibly the individual, if their privacy is seriously threatened or harmed as a result. Effective communication will also be needed between processors and controllers when breaches arise. Make sure your business is equipped to deal with this breach notification requirement – efficiency is key!

Fines are significantly increasing. The costs of getting it wrong are up to 4% of annual turnover for the preceding financial year or 20 million euros (which ever is greater).

We cannot therefore stress how important it is to get this right. If you have any questions, or require guidance or training for your business and/or management teams, please do get in touch with our team who will be more than happy to help.

Legal 500LexcelConveyancingChambers UK