GDPR: 12 key changes

Chris Cook explains the 12 key changes to data protection law you need to know.
Mon 2nd Oct 2017

The General Data Protection Regulation is new legislation governing the way organisations collect, process and protect the personal information of individuals. Here are the key changes that will apply from 25 May 2018 onwards. If you haven’t already done so, you may also benefit from reading our article on how to prepare for GDPR.

  1. Jurisdiction
    The Regulation will now apply to every organisation or individual who processes the data of EU citizens, whether they are ‘data controllers’ that decide how personal data is processed in order to deliver goods and services, or third party ‘data processors’ that process it on behalf of a data controller. This covers all organisations within the EU, and those outside it that offer goods or services within the EU.

  2. Penalties
    The fine for breaching GDPR is significantly harsher. In the UK, it rises from a maximum of £500,000 per breach to a maximum of €20 million or 4% of annual worldwide turnover.

  3. Data breaches
    Any theft, loss or misuse of personal information where it is likely to result in a risk to the rights and freedoms of individuals must be reported to the relevant Supervisory Authority within 72 hours.

  4. Consent
    Personal information can only be used if consent has been freely and unambiguously given by the individual. ‘Generic’ consent, or acquiescence (reluctant acceptance without protest) will no longer be acceptable. Parental consent is required for children below the age of 13.

  5. Right to be forgotten
    Individuals have the right to ask an organisation to erase any data they hold about them. That organisation has the responsibility to inform any data processors they use.

  6. Subject access requests
    Individuals also have the right to ask for details about any information that is held about them, and how it is processed. This request must now be fulfilled within one month instead of 40 days, and this service cannot be charged for.

  7. Data protection policy
    Organisations with over 250 employees must now provide an easily understandable data protection policy that is accessible to customers, and practical for employees to put into practice. The policy should include information such as the details of the appointed data protection officer, the legal basis for processing, retention periods, the right to complain, whether the provision of data is obligatory or voluntary, and the consequences of not providing data.

  8. Data processor documentation
    Data processors now have to maintain full documentation of all processing they undertake for data controllers, and must also nominate a data protection officer.

  9. Genetic data
    Genetic data has been added as a type of sensitive personal data, and health data now includes anything related to the provision of health services, such as prescriptions and hospital appointment letters.

  10. Privacy impact assessments
    A privacy impact assessment must now be carried out for all high-risk data processing, such as sensitive personal data, public CCTV, and data relating to children, who are defined as anyone under the age of 18.

  11. Regulator
    There will now be one EU data regulator, which prevents the need to deal with separate regulators in each member state.

  12. Consistency
    A special organisation is to be set up by the European Commission to ensure consistency in the application of GDPR. 

Visit our dedicated GDPR page to read the latest insight and commentary about the General Data Protection Regulation.


If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798098.

Read our latest views & insight about the GDPR

© SA LAW 2024

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.