Corporate law

The General Data Protection Regulation (GDPR) – implications for businesses

A virtual lock to illustrate GDPR

The GDPR came into force in the EU in May 2018. It replaced the existing data protection regime in force under the Data Protection Act 1998. This note briefly explains some of the implications of the GDPR for UK businesses.

GDPR – key changes

The key concepts and definitions of the DPA will remain largely unaffected by the GDPR. The Information Commissioner’s Office summarises the changes that: ‘If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.’

Stricter and more prescriptive rules regarding processing and retention – the GDPR will leave less to the discretion of the data controller (e.g. more specific rules on record keeping to be provided to data subjects). Employers will need to be careful that they meet these requirements.
Increased enforcement powers - the current UK maximum fine is £500,000. Under the GDPR the maximum fine is the greater of 4% of annual worldwide turnover in the preceding financial year or €20 million.

A risk based approach - certain administrative and record-keeping requirements will not apply to SMEs (fewer than 250 employees) unless they are in a “high risk” area for data protection purposes.

A higher bar for ‘consent’ - under the DPA the data subject’s consent to processing is one of six general grounds that will render processing lawful. Under the UK regime, implied consent through behaviour may presently suffice.

  • The GDPR will require that consent is given by “unambiguous affirmative action”. Implied consent may not suffice.
  • The GDPR provides that consent must not be relied upon by a data controller where there is a clear imbalance of power between the parties – employers may not be able to rely on a clause of the employment contract for consent. 
  • The GDPR provides that data subjects must be able to withdraw their consent as easily as it is given.

Mandatory ‘privacy by design’ in data processing services - data processing services (e.g. HR IT databases) must be designed with ‘privacy by design’ principles in mind. Due diligence enquiries in corporate transactions may address the extent to which IT software complies with these principles.

Direct obligations on data processors - data processors will be subject to their own obligations (e.g. record keeping) and potential enforcement proceedings. Processors who act otherwise than on the specific instructions of the controller will become “joint controllers” of the data and subject to a controller’s obligations. It is likely to increase the costs of data processing contracts. Data processors will seek to strictly delineate responsibilities when negotiating contracts – likely to lead to more protracted negotiations.

Related categories

Tees coronavirus update

We’re open and here to help you. We’re running as normal with our employees all working from home.

Find out more Show less

You can call us as normal on 0800 013 1165 or email us:

You can also find contact details for all our advisers here. 

As a flexible and technologically-adept firm, we already had many home-working systems in place. We have now rolled this technology out to all our employees working for clients, so they can continue to work normally - and from home.

If you are a client, please be assured you can get in touch with Tees and we are still working on your case. To replace face-to-face meetings, we have the facilities to do video-conferencing, conference calls or just speak on the phone, as you need.

Due to the circumstances, please call us if you would have wanted a home visit, and we can organise the best and safest way of being in touch.

Designed and built by Onespacemedia