GDPR: 12 key changes

Chris Cook explains the 12 key changes to data protection law you need to know.

The General Data Protection Regulation is new legislation governing the way organisations collect, process and protect the personal information of individuals. Here are the key changes that will apply from 25 May 2018 onwards. If you haven’t already done so, you may also benefit from reading our article on how to prepare for GDPR.

  1. Jurisdiction
    The Regulation will now apply to every organisation or individual who processes the data of EU citizens, whether they are ‘data controllers’ that decide how personal data is processed in order to deliver goods and services, or third-party ‘data processors’ that process it on behalf of a data controller. This covers all organisations within the EU, and those outside it that offer goods or services within the EU.

  2. Penalties
    The fine for breaching GDPR is significantly harsher. In the UK, it rises from a maximum of £500,000 per breach to a maximum of €20 million or 4% of annual worldwide turnover.

  3. Data breaches
    Any theft, loss or misuse of personal information where it is likely to result in a risk to the rights and freedoms of individuals must be reported to the relevant Supervisory Authority within 72 hours.

  4. Consent
    Personal information can only be used if consent has been freely and unambiguously given by the individual. ‘Generic’ consent, or acquiescence (reluctant acceptance without protest) will no longer be acceptable. Parental consent is required for children below the age of 13.

  5. Right to be forgotten
    Individuals have the right to ask an organisation to erase any data they hold about them. That organisation has the responsibility to inform any data processors they use.

  6. Subject access requests
    Individuals also have the right to ask for details about any information that is held about them, and how it is processed. This request must now be fulfilled within one month instead of 40 days, and this service cannot be charged for.

  7. Data protection policy
    Organisations with over 250 employees must now provide an easily understandable data protection policy that is accessible to customers and practical for employees to follow. The policy should include information such as the details of the appointed data protection officer, the legal basis for processing, retention periods, the right to complain, whether the provision of data is obligatory or voluntary, and the consequences of not providing data.

  8. Data processor documentation
    Data processors now have to maintain full documentation of all processing they undertake for data controllers, and must also nominate a data protection officer.

  9. Genetic data
    Genetic data has been added as a type of sensitive personal data, and health data now includes anything related to the provision of health services, such as prescriptions and hospital appointment letters.

  10. Privacy impact assessments
    A privacy impact assessment must now be carried out for all high-risk data processing, such as sensitive personal data, public CCTV, and data relating to children, who are defined as anyone under the age of 18.

  11. Regulator
    There will now be one EU data regulator, which prevents the need to deal with separate regulators in each member state.

  12. Consistency
    A special organisation is to be set up by the European Commission to ensure consistency in the application of GDPR. 

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.