The new and much more stringent Data Protection regulations which came into force in 2018/19 changed the way companies gather and keep data, going far beyond the scope of the current Data Protection Act.

The EU’s new General Data Protection Regulations (GDPR) came into force on 25 May 2018. The new Regulations will levy greater fines than ever before, with a game-changing maximum of €20 million or 4% of the company’s global turnover.


Other changes in your processes that GDPR will require you to make:

  • The right to be forgotten will have greater prominence.
  • The definition of identifiable personal information will be broadened.
  • Individuals will have to give their explicit consent for companies to keep their data, meaning that data retention could become a major headache.
  • Businesses will be required to report data breaches within 72 hours. You will, therefore, have to ensure your company has a positive reporting culture in order to remain compliant.
  • Companies over a certain size will have to appoint a data controller. Data controllers and regulators will have legal obligations under the Regulations and could be held personally liable. 

Data Protection Bill

Whatever happens with Brexit, all UK companies will have to comply with the GDPR laws as they will come into force before the UK is predicted to leave the EU. The UK will subsequently bring in the new Data Protection Bill (DPB), which will replace the current Data Protection Act.

There will be few differences between the new DPB and GDPR, although the Bill will go further on the issue of the right to be forgotten on social media posts posted before someone turned 18. It will also be a criminal offence to alter records following a Subject Access Request.