Guest blog: Martin Norfolk

The General Data Protection Regulation (GDPR) passes into UK law on 25th May 2018. It is a considerable advancement on the Data Protection Act (1998) and it affords significant new rights to individuals and places significant obligations on those holding personal data.


New concept of personal data ownership

The central theme of this regulation is that EU citizens shall own data about themselves. It gives the EU citizen rights over their personal data, even if the organisation that holds that data is based outside of the EU.

Any organisation (commercial or charitable) holding personal data shall be obliged to respond to requests from individuals wishing to inspect their data. The individual (described as a ‘data subject’) will have the right to inspect, correct, transfer or delete all data about themselves, held by the organisation (termed ‘data controller’).

Organisations will be responsible for the security of all personal data they hold, even when that personal data is held or processed on their behalf by a third party (a ‘data processor’). The data must be protected on systems which are ‘secure by design’ and there may be significant fines in the event of a data breach.


Reasons to hold personal data

An organisation must have a good reason for holding personal data; that reason must be in line with the purpose of the organisation, and the data may only be kept for a reasonable period. Importantly, the organisation may only hold personal data for one of the following reasons.

  1. CONSENT – The data subject should have given consent for their data to be held, for example on a marketing database; or
  2. CONTRACTUAL REQUIREMENT – The organisation may hold personal data if it is a necessary part of a service provided to the data subject; or
  3. LEGITIMATE INTEREST – The organisation may assert that it has a legitimate interest in the personal data it holds. This purpose is likely to be subject to legal challenges because of its potential for ‘flexible definition’.

There are exceptions to these requirements for certain government, security and archival purposes.


The full text of Regulation 2016/679

The full 88-page GDPR text is published by the EU, in each official European language, following this link.

This ‘60 second summary’ – too long to be read realistically in 60 seconds – is only intended as a crude executive summary for anyone who has deliberately avoided the whole subject over the past few years. Many, many articles have been written offering guidance on the subject and ultimately the best advice must be to read the original text.


Outside of GDPR

A company providing business-to-business (B2B) services may decide it has very little exposure to GDPR, because it holds no personal data other than that of its staff and perhaps stakeholders. It may yet be a risky strategy to ignore it completely, particularly if the corporate cybersecurity profile is weak and previously unidentified data is leaked.

The leadership team of all organisations holding any personal data should undertake a serious review of their IT landscape and all data silos, before deciding to ignore GDPR. Even then, such an organisation will need to be able to respond promptly to data requests made under the auspices of GDPR.


The UK regulator

Credit: Tim Clements & IAPP

Each EU country shall have its own data protection regulator to enforce GDPR in that jurisdiction. In the UK, the Information Commissioner's Office (ICO) will have the power to inspect and fine organisations in the event of a data breach. Prior to the deadline, the ICO has taken a supportive approach, publishing materials including a useful guide to GDPR for small businesses, although significant data breaches after the deadline are likely to be pursued earnestly. As another resource, the IAPP has released a useful infographic summary of GDPR and it is available here.



Opinion from commentators and observers seems to be that the ICO will not take punitive action in the prosecution of offending ‘data controllers’ or ‘data processors’ on day one. Realistically, it is unlikely that every affected organisation will have the best possible data protection measures in place on 25th May.

However, it would be unwise not to show executive commitment to the development and deployment of a comprehensive information security program, and to consider all the obligations and requirements imposed upon organisations under this new law.

This regulation is a milestone in the development of the rights of the individual and the protection of their data.