It goes without saying that data privacy is one of the most important issues facing businesses today.

As a business owner you are probably familiar with the Data Protection Act and the obligations that you have when handling someone’s personal data.

The rules on data protection are changing. The Data Protection Act will be replaced by the General Data Protection Regulation (GDPR) on 25 May 2018, meaning that businesses still have a few months to prepare and implement processes to comply with the Regulation.


GDPR places greater accountability on businesses that process personal data and it extends the rights of individuals over their personal data. Other changes include new rules for dealing with subject access requests and breach notifications as well as enhanced obligations for data processors. 

Businesses will need to be compliant with the new rules, as the penalties for breaching the Regulation will significantly increase. Certain breaches will now cost businesses up to €20 million or 4% of global annual turnover, whichever is higher. You can imagine that a fine even close to the maximum will undoubtedly have disastrous consequences for a small business. This is in stark contrast to the maximum penalty under the existing Data Protection Act, which is £500,000 for data protection breaches.

What should businesses do now?

Here are a few practical examples of steps that you need to take:

  • Train your staff on GDPR and the new policies that you create
  • Create policies and procedures for all data security, handling and processing arrangements
  • Create policies and processes for handling subject access requests and breach notifications 
  • Review and amend your privacy policies 
  • Evaluate and review your data consent processes in preparation for GDPR.

The Information Commissioner’s Office (ICO) will be implementing and enforcing the rules in the UK. Their website has up to date guidance and information on all elements of the GDPR. The ICO has also launched a GDPR helpline to assist small businesses with their preparations for May 2018.

If you fail to implement preventative measures for the introduction of GDPR, your business runs the risk of facing both reputational and financial damage in the long run. 

You're on our blog and updates site, which is hosted by Markel Law Hub, a digital hub powered by the award-winning lawyers at Markel Law, bringing you real law, made easy. 

Find out more about Law Hub here

This post on Markel UK offers more GDPR advice for small businesses and freelancers