General Data Protection Regulation Briefing Note

The EU General Data Protection Regulations (GDPR) will come into effect on 25 May 2018 and will place greater obligations on how organisations handle personal data.

The Information Commissioner recently stated that the GDPR is not intended to be another box-ticking exercise but as ‘an opportunity [for organisations] to commit to data protection and embed it in their policies, processes and people[1].

It is important to understand the impact of the GDPR and determine a clear approach to compliance. The GDPR takes a risk-based approach to data protection which means that practices will have to interpret many of the measures internally and apply them according to their particular circumstances.

Practices that already comply with the Data Protection Act 1998 (DPA 1998) and that have effective data governance in place have a good starting point when preparing for the GDPR. However, new elements have been introduced by the GDPR and there are some significant developments that practices should be aware of.

The Information Commissioner’s Office (ICO) has produced a Guide to the GDPR which will be regularly updated along with a package of tools to help organisations prepare for the GDPR:

We will be issuing a practice note shortly.



Does my practice need to appoint a data protection officer (DPO)?

The GDPR sets out criteria for when a DPO must be compulsorily appointed. It is unlikely that the majority of CLC regulated practices will fall under these criteria however practices may still wish to appoint a DPO.

The ICO has produced guidance on DPOs and when they need to be appointed.


How does the GDPR impact file storage?

We are seeking clarification from the ICO regarding how the GDPR may impact file storage.

In the meantime, practices should continue to store files as stated in the CLC Transaction Files Code as well as reviewing their file retention policies.


What should I do if I discover a personal data breach?

In the event of a personal data breach which could impact the individual or cause harm, the breach must be reported to the ICO without undue delay and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting the individual, practices must also inform the individual without undue delay.

The ICO has produced guidance on personal data breaches.


Do I need to pay a fee?

The Government has announced a new charging structure for data controllers. It is yet to be approved by Parliament but the ICO has produced a Guide to the Data Protection Fee to help explain why there’s a new funding model and what payments will be required from 25 May 2018.


Will Brexit impact on the GDPR?

No. The GDPR comes into effect before the UK leaves the EU and the UK government has committed to fully implement the GDPR.


What is the Data Protection Bill and how does it relate to the GDPR?

The Data Protection Bill (Bill) will replace the DPA 1998 and is currently going through Parliament. The Bill will update data protection laws in the UK, supplementing the GDPR, implementing the EU Law Enforcement Directive, and extending data protection laws to areas not covered by the GDPR

More information can be found on the ICO website: Data Protection Bill.


March 2018