GDPR update

12 Mar 2018

Written by Alice Smithson

With the new GDPR regulations set to go live in the EU on May 25, UK Businesses are being warned to ensure they have policies and systems in place to make sure they comply with the extensive law that is coming into play.

The General Data Protection Regulation(GDPR) of the EU is a new regulation designed to enhance data protection for all EU citizens by helping regulate data protection measures within the EU as well as data accessed by EU Citizens within non-EU organisations. Here we look Part 1 of  the key changes to the data protection regulation and what you need to know.

Increased Territorial Scope

This applies to all companies who process personal data of individuals who reside in the EU, regardless of the companies location.  Previously, territorial applicability was ambiguous and referred to data process in ‘context of an establishment.’ This topic had come to light in many high profile court cases hence the change. It also applies to the processing of personal data irrespective of whether payment is required.


The conditions of consent have been strengthend, and companies will no longer be able to use illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data procession attached to that consent. This must be clear and concise.

Breach Notification

Whenever there has been a data breach, the ICO must be notified and action/investigation taken forward within 72hours of the breach happening and submitting to the ruling authority.


In breach of GDPR, a company can be fined up to 4% of annual global turnover or €20million – whatever is greater. Please note this is the maximum fine that can be imposed for the most serious infringement. There is a tiered approach to the fines, with many companies receiving several warnings before being officially fined.