GDPR – What’s it all about?

You’ve probably heard the acronym “GDPR” floating around a lot recently. The rules surrounding data protection are set to change significantly when the GDPR (the General Data Protection Regulation) comes into force in May 2018. So what’s it all about, and what can you do to make sure you’re prepared?

Firstly, here’s some context.

The amount of data collected and used by businesses, particularly customer data, has increased exponentially year on year. Data protection legislation, however, hasn’t been able to keep up with it: most data protection laws haven’t been updated since the turn of the century (when the Spice Girls were at the height of their popularity). As a result, the European Parliament, Council and Commission came together to strengthen data protection for all individuals in the EU, giving them more control over how their data is used, as well as “the right to be forgotten” – the right to withdraw consent to businesses storing their data. From May 2018, all EU companies will need to have a strong data protection policy that protects personal data. If they fail to meet this standard, they could face fines of up to 4% of their turnover.

I know what you’re thinking. “This is a minefield” or “I don’t know where to begin.” But don’t fret! Here at Rocket Lawyer, we consider ourselves navigators of the legal landscape. Our aim? Guiding you through the maze that is data protection compliance.

Getting to know you

The main purpose of the GDPR is to allow people to regain control of their personal data.

Personal data is any information relating to an identified or identifiable natural person. An “identifiable person” is one who can be identified directly or indirectly, in particular by reference to an identifier, such as a person’s name.

Being able to take control of your personal data is incredibly important, especially in this day and age when everything can be done online. Over the past week, I’ve:

  • done my grocery shopping via an online shopping website;
  • ordered take-away and had it delivered to the office;
  • managed my finances online; and
  • booked a train ticket via an app.

Just think of all of the personal data currently swimming around in cyberspace. It’s a lot, isn’t it? The fact is that every time somebody goes online, they share information about themselves. And the more they go online, the more important it is that their personal data is protected. The changes being implemented by the EU seek to strengthen protection online, putting individuals back in control of their own information. This, the EU hopes, will lead to greater trust and confidence when people share their data.

Getting to know all about you

Also at the crux of the GDPR is transparency.

Consent to process data will only be obtainable through clear and accurate explanations of precisely what is being collected, why, where it will be used, shared or stored, and for how long. Importantly, individuals must be given the right to withdraw consent easily should they change their minds.

The GDPR is set to be the definitive authority on data protection in the EU, meaning it’ll give the same protection to personal data everywhere in the EU. Data will also be protected outside of the EU, so there will be a high level of protection, regardless of where that data is stored or handled. This is good news for individuals, for businesses and for the economy.

The GDPR’s territorial scope covers organisations outside the EU offering goods or services to EU residents. This means that companies are directly responsible for data protection compliance wherever they are based, as long as they are processing EU citizens’ personal data.

For all the Mario Costeja Gonzálezes out there, there is also good news. With the new rules, it’ll be much easier for individuals to take back their data under the right to be forgotten (now called the right to “erasure”).

Individuals are entitled to require a company to delete their personal data if the continued processing of those data is not justified.

Ready your battle plan

So as a business, how can you prepare for the onslaught of change being brought about by the GDPR? Here are a few suggestions:

  • Ensure that all personal data is stored responsibly and securely. This means distinguishing between ordinary business data and its personal equivalent.
  • Consider using a central vault for personal data with effective security protocols. If you own a mobile application, your developers should encrypt and secure any data that moves between your app and the server, in addition to adequately hashing user passwords.
  • Prepare a security framework and an emergency preparedness plan outlining how personal data is to be handled and secured (plus what employees should do in the event of a breach).
  • Develop and articulate a clear privacy policy. Under the GDPR, companies must give their customers notice of the purpose for which their data is being collected. In that policy, you’ll need to indicate what personal information is being requested or collected. Individuals have to be given a choice of whether or not to provide personal data, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected. In addition, any data collected for a stated purpose can only be used for that purpose, the one for which consent was obtained.
  • Prepare for the new data breach reporting requirements. The GDPR requires companies to inform individuals about data breaches impacting their personal information within 72 hours. The key to preparedness here is a good understanding of the threats against your organisation, as well as the ability to describe how well you are able to defend against those threats.
  • Implement controls for tracking and managing data. The GDPR gives individuals the right to ask companies holding data about them to erase that data upon request. As a result, organisations should be asking themselves whether they’re able to erase data if someone requests it, or better yet, whether they can provide tools for people to do this on their own.

I get it … but what about Brexit?

“We won’t be part of the EU, so surely the GDPR won’t apply to us?” Wrong. Britain’s decision to leave the EU is not a get-out clause for the GDPR. Come May 2018, the UK will still be a part of the EU. Plus, Britain must comply with the GDPR when operating within the EU. These factors, plus the significant role Britain played in creating the legislation, make the choice to comply with the GDPR a no-brainer.

The GDPR is set to impact a huge number of organisations within the EU, so it is vital to be prepared sooner rather than later. Businesses will need to take responsibility for the way they collect and process personal data, and will have to take immediate action to align their business systems with the requirements of the GDPR. For further information on the GDPR, you are always welcome to speak to one of our On Call lawyers.

Lauren Delin

Solicitor at Rocket Lawyer
Lauren is a solicitor at Rocket Lawyer UK. She is a passionate law enthusiast and particularly interested in intellectual property and commercial law. She is committed to producing useful legal templates and making legal services accessible to everyone.