7th May 2018 - 12:58
Leanne Pogson
Leap HR Ltd


There are lots of stories about the new data protection legislation at the moment; a lot are simply scaremongering, and a lot are about making you part with your hard-earned cash and getting nothing much out of it. I wrote this blog a few weeks ago, and I believe it still applies now. Put yourself in the shoes of the individual: your data is personal information, so how would you feel? Keep it simples!

New Data Protection Regulations (GDPR) – a practical overview  
I see and hear comments daily from businesses large and small of genuine surprise that there are fairly significant changes coming into force that will impact them.  

In reality this key piece of EU law was passed back in 2016, and businesses have been allowed until 25 May 2018 to get ready. That said, the Information Commissioner's Office (ICO) has only published an overview. The finer detail is still being worked on. But irrespective of the lack of detail, common sense can be applied to start getting your house in order.

Who does it affect?

That’s the reality.

There is not one business that doesn’t hold some form of information about others. Whether it’s a customer, a supplier or an employee, you will have some sort of data. The obvious things are email details, addresses and phone numbers, but it will also include IP addresses, employee numbers… basically anything that can be used to identify an individual. Every business will be different, so every business will need to review what they have.

Data Protection (DP) isn’t new. As business owners and managers, you should already be aware of DP, and you should already have processes in place to protect people.  

But the reality is that many businesses don’t. And that is why this key change is having such an impact now. There is great rushing around to see what is needed, and some are raking it in on the cash cow that invariably comes with something new that everyone is responsible for. 

Don’t forget you are also a person – so before arguing that the law is ridiculous, stop and think how you would feel if your personal information was shared. How do you feel when you get numerous calls offering to sort out your PPI? Most hate it. So why, as a business owner, would you let it go on in your own Company?

What will happen if I don’t do anything?
Potentially there are fines, and they are not small: up to 4% of your global turnover or £20 million, whichever is the higher. Most of us don’t have that sort of turnover, but suffice it to say there is an impact.

The ICO don’t particularly want to fine people, that solves nothing. What they want to ensure is that personal information is secure, and not shared willy-nilly around. They want to stop some of the harrowing tales of constant harassing calls asking for money, people being on lists for goods that they don’t want or need, to stop people’s data being published “out there” when it is personal and not needed. The legislation is there to protect all. 

Convinced yet? 
In 2015, Olive Cooke, a poppy seller aged 92, received hundreds of letters asking for donations. She parted with a lot of money and in the end committed suicide.

Many of us have common sense, but some do not and those prey on the vulnerable in such a way that is quite frankly wrong.  

What do I need to do? 

There are 12 steps you need to take. These are all listed on the ICO website in a document “Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now.” 

Essentially you should do an audit. Review and challenge the information that you hold. Why do you have it? How long do you hold it for? Is it necessary? Some things have to be retained for statutory purposes; that’s ok, just ensure you are consistent.

Make sure that everyone knows your Policy, and that anyone who works for you is trained on the legislation and how to respond to questions. So, create a Policy, which will need to be published on a website and available to anyone who asks.

Make sure you understand individuals’ rights – there are 8 to consider.
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. The right not to be subject to automated decision making, including profiling.


If you hold lists, such as customer information, and you cannot verify when you obtained their data and consent, then you MUST contact them all and ask them for their express consent. If you don’t hear back, then you MUST delete their information. This is big for those of you that rely on lists, and I am aware of people with tens of thousands of names. Yes, you may have to contact them all. Some will view that you have a list for a legitimate purpose, and that could be true. No one case is the same, so check and don’t do the same as the person in the same job; it might not be right.

Gone is the ability to pre-populate a tick box. People must fully understand what their information is being held for. Employers need to make sure that employees are aware of data held. Look, they can’t ask you to delete everything; some things have to be held for legal purposes. Just make sure that you do genuinely need what you have. “Just because” is not an acceptable reason.
Make sure that your systems are all checked and secure, and that passwords are set and reset on a regular basis, individually. Cyber security and awareness of the possibility of hacking is critical these days.
As the business owner, this is YOUR personal responsibility.

Will it cost you anything? Time to do some housekeeping, and to review the impacts for your business. The bigger or more complex your business, the more likely it is that you will need to get some expertise in to ensure that you comply. There is a lot of scaremongering out there… but it could cost you a lot if you don’t act now.

I don’t pretend to know all the answers; I don’t think anyone does. The ICO are there to support any questions, and I have heard some random ones in the past few weeks.

Ultimately this is about becoming a transparent business, acting with integrity and respect, a business people want to deal with. 

Ultimately it’s COMMON SENSE.

8th May 2018 - 05:48
Ian Grey
WADIFF Consulting

Many of the questions I answer on GDPR are actually to do with email marketing, which is covered by the PECR (Privacy and Electronic Communication Regulations) and is not changing for now. The ICO has a guide to the PECR.

If you want a checklist of the documents you *should* have, go to

8th May 2018 - 06:17
Leanne Pogson
Leap HR Ltd

PECR is becoming ePrivacy Reform next year. However, PECR had to comply with the changing data protection regulations, so it will still have to comply with GDPR. I agree this has added to the confusion out there. The ICO do have a guide, but they have also published the draft ePrivacy Reform guide. Going through change is tough, and perhaps bringing everything up to date at the same time will help you be ahead of the game next year. #forwardthinkingbusiness

8th May 2018 - 06:48
Ian Grey
WADIFF Consulting

Yes - definitely think ahead.

The ePrivacy Regulation was due to be in place by 25 May 2018, but they are still discussing what it should cover. The most recent amendments were issued on 4 May 2018; the ICO pages are not updated in line with the amendments. There is still a lot to debate on this, and there is a lot of lobbying going on by business bodies across the EU. If they go ahead with only allowing Consent to do B2B electronic marketing (unless you have an existing business relationship – and that is unlikely to include talking to someone at a networking meeting), we could be in for major changes.

8th May 2018 - 14:33
Leanne Pogson
Leap HR Ltd

Hi Ian, I know you know this, but for anyone reading this, the ICO specifically says:

How does this (PECR) fit with the Data Protection Act?

The Data Protection Act still applies if you are processing personal data. PECR just sets out some extra rules for electronic communications. You must still comply with the Data Protection Act (being replaced by GDPR) as well. In fact, regulation 4 explicitly says:

“Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act in relation to the processing of personal data.”

Naturally, there is some overlap, given that both aim to protect people’s privacy. Complying with PECR will help you comply with the Data Protection Act, and vice versa – but there are some differences and you must make sure you comply with both.

In particular, it’s important to realise that PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

For more information on your other obligations under the Data Protection Act, see our separate Guide to data protection.