
The General Data Protection Regulation (GDPR) Is Coming – Are You Ready?

By David Norris


As reported earlier in the year, the GDPR will apply from 25 May 2018 and UK organisations must be compliant with the new regime by then. Comments from the Information Commissioner's Office (ICO) indicate that the regulation will remain in place after Brexit, so firms need to start getting ready for the new rules now.

The GDPR does not change the role of the ICO or the definitions of 'processor' and 'controller', but a number of detailed requirements do change:

> Data processors – now have direct obligations of their own: they must maintain records of their processing activities and can be held directly liable for a breach they are responsible for.

> Data controllers – new obligations include a duty to ensure that your contracts with processors contain the terms the GDPR requires.

> Accountability principle – you must be able to demonstrate how you comply, e.g. by documenting what you have done and why.

> Data protection impact assessments (the ICO's 'privacy impact assessments') – must be carried out where processing is likely to pose a high risk to individuals' rights, e.g. when using new technology.

> Higher standards for consent – it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action.

> Enhanced rights for individuals – the right to be informed, the right of access, the right to rectification, the right to erasure (the 'right to be forgotten'), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.

> Data protection officer – mandatory only for some organisations (public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but every organisation should make an appropriately senior individual responsible for GDPR compliance.

> Breach reporting – a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; failure to notify can itself attract a fine.

> Increase in maximum fines – up to €20 million or 4% of global annual turnover, whichever is higher.

So what do I do now?

This is a challenging question: there is much to do, but there is no sign yet of the final guidance from the ICO. A sensible first step is to make a habit of visiting the ICO website, where there is already some guidance that firms will find useful.

However, even without final guidance from the ICO, firms should start on the road to compliance. This means reviewing current practices and procedures to consider whether they meet GDPR standards. If you have no written policies and procedures, start by writing down what you currently do. From that, you can consider how to address any shortcomings and what support you might need to do so.

Take care to consider not just your internal procedures but also who you share data with: contact them to confirm how they deal with data protection and security, and document what you learn.

Where can I go for help?

As mentioned above, keep checking the ICO website and consider their documents in the “Preparing for data protection reform” section.

The ICAEW has information and guidance that is free to members, and it has indicated this will be updated as final guidance becomes available.

Mercia have a really useful document, "What does GDPR mean for businesses", which can be downloaded here and gives some background and links to further help.

SWAT have a webinar “Getting to grips with the GDPR” which can be booked here.

The Mercia equivalent is here.

For more detailed help, SWAT and Mercia can provide half-day in-house courses delivered by Andy Larkum, who also recorded the webinar above.

Larger firms, and particularly those with more complicated IT and marketing systems, will probably need on-site consultancy from an expert; we recommend a company called IT Governance. They can also provide a range of detailed online training and certification for those looking for a higher level of training.

SWAT and Mercia will, of course, also be updating their procedures manuals to include references to the new regulation.


October 2017 


This article is published with the understanding that SWAT UK Limited is not engaged in rendering legal or professional services. The material contained in this article neither purports, nor is intended to be, advice on any particular matter. This article is an aid and cannot be expected to replace professional judgment. SWAT UK accepts no responsibility or liability to any person in respect of anything done or omitted to be done by any such person in reliance, whether sole or partial, upon the whole or any part of the contents of this article.