Data Protection Reform and GDPR

In May 2016, the long-discussed General Data Protection Regulation (GDPR – Regulation (EU) 2016/679, to give it its official name) entered into force. Don’t panic though: it won’t apply until 25 May 2018, although that is soon enough given what it requires.

As a European regulation, it is directly applicable in every member state of the European Union without the need for national implementing legislation. And for the time being at least, that includes the UK.

Here FOIMan brings you free resources, links and suggestions as to how to prepare for GDPR. There’s more to come, so make sure you bookmark this page. Most importantly, there’s no time to wait – begin your preparations now.

GDPR is coming, BREXIT or not

Time to Prepare

Transparency, Conditions & Consent

Planning & Change

How FOIMan can help

GDPR Resources


GDPR is coming, BREXIT or not

[Graphic: GDPR and BREXIT timeline]

There are 4 key reasons why you need to prepare for GDPR whatever happens in the UK:

  1. if you do business in Europe, or handle information about people who live in the EU, you will have to comply with GDPR, because it applies to organisations outside the EU that offer goods or services to, or monitor, individuals in the EU.
  2. if the UK joins the European Economic Area (EEA) – the “Norway option” – it will remain subject to GDPR when it leaves the EU.
  3. if the UK adopts another flavour of BREXIT, businesses and others will face extra hurdles every time they want to exchange personal data with organisations in the EU unless the European Commission judges the UK’s data protection regime to be “adequate” (i.e. offering protection essentially equivalent to the GDPR).
  4. the timing of BREXIT means that GDPR will apply in the UK at least until the UK leaves the EU – and probably beyond. The graphic above illustrates why. The latest indications from government (see answer to Q.72) confirm that GDPR will apply up to and beyond the UK’s departure.

Time to Prepare

Whilst the underlying principles of the Data Protection Act will remain (if worded differently), GDPR brings significant changes to the way that you are expected to apply them. Amongst the big changes on the way are:

  • enhanced data subject rights, including a shorter deadline for answering subject access requests (one month rather than 40 days) and new rights such as data portability and erasure
  • more emphasis on being able to demonstrate your compliance (“accountability”) through documented processes, records of processing and the techniques you use to manage personal data
  • mandatory data protection officers for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data; mandatory data protection (privacy) impact assessments for high-risk processing; and mandatory reporting of personal data breaches to the supervisory authority within 72 hours of becoming aware of them
  • more powers for the Information Commissioner, including the ability to impose bigger fines of up to €20m or 4% of global annual turnover, whichever is higher.

If you are going to be ready for the new rules, you need to start preparing now (or yesterday if possible). Here are some hints and tips on where and how to start.

Transparency, Conditions & Consent

what to tell people about your use of their data

The conditions in schedules 2 and 3 of the Data Protection Act 1998 are used to justify organisations’ use of personal data. Before you collect or use data for the first time, you need to identify a condition in schedule 2. If the data falls under the “sensitive personal data” category, a further condition from schedule 3 is required.

[Graphic: consent under GDPR]

There are similar conditions in the GDPR (“lawful bases” in Article 6, with extra conditions in Article 9 for “special categories” of data), though there are some changes. Public sector bodies will be particularly affected by the way that the “legitimate interests” condition works under the regulation: public authorities will not be able to rely on it for processing carried out in the performance of their tasks. The most significant development though relates to the use of consent to justify use of data, which will affect most organisations. If you rely on this to support your use of people’s data – perhaps for marketing or other purposes – there will be stricter rules in future: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (so no pre-ticked boxes), and you must be able to demonstrate that it was given. The graphic above summarises the new rules on consent. A key point to remember is that individuals can withdraw consent at any time, that you must tell them this before they consent, and that withdrawing consent must be as easy as giving it. It’s all about giving them control over the data that you hold about them.

If all of this seems daunting, the Information Commissioner’s Office has published new guidance on privacy notices, transparency and control which provides recommendations of best practice for meeting these requirements in a range of circumstances – online, over the phone, and even where data is collected by objects in the home in this era of the “internet of things”.

Planning and Change

There are many other things that you need to be working on. If you haven’t already, you should consider setting up a programme board to oversee a change management programme. The Information Commissioner’s Office (ICO) has identified 12 steps that will help you to prepare your initial programme plan. A few things that you should prioritise are listed below. I’ll be providing more information on these in due course, but in the meantime, where possible, I’ve indicated where else you can look for guidance.

You might not get all of this done by May 2018, but you should get as much done as possible. Improving and demonstrating how you handle personal data will be a continually evolving process that won’t stop on 25 May 2018.

How FOIMan can help

FOIMan can provide the following to help you to prepare for GDPR:

  • free resources, such as the graphics above, to help you understand GDPR and explain it to your colleagues – these are published on this page, so bookmark it
  • in-house training courses and workshops tailored to your organisation
  • surveys to identify what information you hold
  • audits of your data protection compliance
  • drafting of policies and procedures
  • and more…

GDPR Resources

The following are resources available from other organisations that may help you to understand what GDPR means for you.

General Data Protection Regulation – the text of the regulation as published by the European Union

The European Data Protection Supervisor (EDPS) has produced an app, available for download from the app stores, that allows you to read the GDPR (and the separate data protection directive for police and criminal justice) and compare its various drafts.

Information Commissioner’s Overview of GDPR

This page will be expanded and resources added over time, so please keep visiting for further information about the GDPR and data protection reform.