The General Data Protection Regulation (‘GDPR’) replaces the existing Data Protection Act (‘DPA’) and came into effect on 25 May 2018.

How is GDPR different to DPA?

GDPR places greater emphasis on the way in which businesses process personal data, whether they are clients, prospects, employees, contractors or suppliers, including:

  • Increased requirements on businesses to keep records and implement policies.
  • Changes to the procedure and time frame for data retention, reporting data breaches and responding to subject access requests.
  • A requirement to be more transparent in relation to how personal data is used.
  • More rights for the individuals whose personal data is processed.
  • The requirement to appoint a data protection officer in certain circumstances.

How does GDPR affect businesses?

All businesses need to be compliant, as such you may need to implement, change or review:

  • The personal data you collect, store and how you use such data.
  • The legal basis for using the personal data and if consent is required.
  • How  long you retain personal data.
  • Your data protection policy, privacy policy and privacy notices.
  • Employment contracts.
  • Your procedure for the investigation, recording and reporting of data breaches.
  • GDPR compliant clauses within agreements with third parties who process personal data on your behalf.
  • Agreements for the sharing of data with third parties.
  • Safeguards for the transfer of data outside the European Economic Area.
  • A designated data protection officer.
  • Processes in place to, amend, delete and transfer personal data to third parties.
  • Privacy impact assessments for ‘high risk’ areas.
  • Organisational and technical measures (including appropriate I.T. systems) to ensure personal data is kept secure.
  • Staff awareness and understanding.

To discuss your GDPR requirements, then please contact us on 0113 227 0300 or email