The Information Commissioner’s office have now confirmed that the UK will have to enact the General Data Protection Regulation (GDPR) by May 2018 given this implementation date will occur before the expiry of the two-year period from the giving of the UK’s Article 50 notice to leave the EU.

The introduction of the GDPR is the biggest overhaul of data protection legislation in 18 years; 18 years which have seen a major boom in data and advancements in technology which the previous legislation has failed to keep pace with. Furthermore, the introduction of the GDPR will impact, to some degree, every single business and organisation in the UK.

Under the current legislation only public bodies, via a voluntary arrangement, have a positive obligation to report data breaches to the Information Commissioner. As such when a data breach occurs many private sector organisations simply batten down the hatches and hope no-one traces a data breach back to them, and in most cases they will get away with this.

However, the GDPR introduces a new positive notification requirement where certain types of breaches (i.e. those likely to result in a risk to the rights and freedoms of individuals) have to be reported to the Information Commissioner within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals (e.g. the data lost could result in identity theft), then the individuals whose data has been breached, which could be customers or employees, must be informed without undue delay.

The thought of having to write, on a firm’s headed paper, to individuals telling them your firm has lost their data constitutes a significant reputational risk, especially in today’s era of social media where that letter could be photographed, published online and shared thousands of times. This, combined with the threat of fines for not reporting breaches of up to €10m or 2% of global turnover, should firmly put data protection compliance and the introduction of the GDPR on the boardroom agenda of every organisation in the UK.

Rather than waiting until May 2018 and then trying to get everyone in an organisation up-to-speed on the new legislation, every business should be taking steps now so that when May 2018 arrives they are already up-to-speed with the new legislation. This will significantly reduce the risk of having to report data breaches to the Information Commissioner and possibly customers, employees and other third parties, from May 2018 onwards.

Whilst a lot of the press attention has been on high profile data breaches caused by hackers and cyber-attacks, the one area that often gets overlooked, and is traditionally the weakest link in any data protection system, is the human element.

The vast majority of data breaches occur due to human error. This is someone such as an employee or sub-contractor doing something they shouldn’t be doing, or simply making a mistake; perhaps sending a fax or e-mail to the wrong recipient, losing a memory stick or failing to encrypt data or destroy data properly.

Any business can have a superb written data protection policy, however that policy is not worth the paper it is written on unless employees are trained so they understand: the reason there is a policy in the first place; the personal consequences on them from an employment/disciplinary perspective in not complying with that policy; the wider financial and reputational damage consequences to the organisation itself, and how practically that policy impacts on them as they go about their day-to-day tasks.

Without the benefit of rolling out a comprehensive system of staff training (both initially and on an on-going basis) businesses will continue to put themselves at risk, both from a financial and reputational point of view, as employees go about their daily task oblivious to how their actions can have serious consequences down the line.

Christian Mancier, partner and data protection officer, Gorvins Solicitors

Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

In addition to marketing teams, this conference will ensure representatives from across the public and private sector including: C Suite (CEO, CIO, CTO, CMO), Heads of Legal, HR & Finance Teams:

  • Understand the implications of the General Data Protection Regulation
  • Get to grips with new obligations and ensure their organization is compliant
  • Start preparing for and Implementing the General Data Protection Regulation
  • Gain invaluable instruction and insight on the General Data Protection Regulation
  • Learn how to avoid heavy fines and loss of reputation
  • Discover if they need to appoint a Data Protection Officer
Further information and conference details are available at