From 25 May 2018, the General Data Protection Regulation (GDPR) will be introduced in Europe. Despite the UK leaving the EU, it still applies to the UK. GDPR is going to update the 1998 Data Protection Act, resulting in many changes within law firms and many other businesses and institutions. GDPR aims to regulate how data is used and handled within a business to ensure greater protection and rights for individuals.

There are 99 articles within the GDPR highlighting the rights of individuals, which include the right to request and access the data which a company may hold about them. Previously, a business was able to charge a fee for Subject Access Requests (SAR) but, under this new regulation, individuals are entitled to access their personal information for free and they must receive it within one month. Under the new regulations, individuals may also be able to request that a business erase the personal information it holds on them. This could be in circumstances where the data is no longer necessary or has been processed unlawfully.

If a company fails to have a transparent data protection policy, or fails to share data it holds about individuals when it is obliged to do so, then it can be heavily fined. The GDPR has introduced a new fine scheme where businesses (depending on their size) could face fines of up to 20 million pounds for failing to comply with the regulations.

In order to get your business ready for 25 May 2018, the Information Commissioner's Office (ICO) has published 12 steps which every business should take to prepare. The first is awareness: key people within an organisation should understand that the law is changing and be informed of how this will affect the business. Any personal data which is held by a business needs to be recorded, along with where it has come from and who it should be shared with. This record needs to be reviewed and regularly updated to make sure it is efficient for your business. When requesting consent from a client, it is important that this consent is documented in line with GDPR standards. A data protection officer should also be assigned, to ensure that all policies are regularly checked and maintained.