General Data Protection Regulation Briefing Note

The EU General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will place greater obligations on organisations regarding how they handle personal data.

The Information Commissioner recently stated that GDPR is not intended to be another box-ticking exercise but rather ‘an opportunity [for organisations] to commit to data protection and embed it in their policies, processes and people’[1].

GDPR takes a risk-based approach to data protection which enables practices to decide what steps are appropriate and proportionate for them to comply with GDPR.

Practices that already comply with the Data Protection Act 1998 (DPA 1998) and that have effective data governance in place have a good starting point when preparing for GDPR. However, new elements have been introduced by GDPR and there are some significant changes that practices should be aware of.

The Information Commissioner’s Office (ICO) has produced a Guide to the GDPR, which will be regularly updated, along with a package of tools to help organisations prepare for GDPR.

We will be issuing a practice note shortly.



Does my practice need to appoint a data protection officer (DPO)?

GDPR sets out the criteria under which a DPO must be appointed. Most CLC-regulated practices are unlikely to fall within these criteria, although practices may still wish to appoint a DPO.

The ICO has produced guidance on DPOs and when they need to be appointed.


How does GDPR impact file storage?

We are seeking clarification from the ICO regarding how GDPR may impact file storage.

In the meantime, practices should continue to store files as set out in the CLC Transaction Files Code, and should also review their file retention policies.


What should I do if I discover a personal data breach?

Any personal data breach which could impact an individual or cause harm must be reported to the ICO without undue delay, and no later than 72 hours after detection. If the breach is likely to result in a high risk of adversely affecting individuals’ rights, practices must also inform those individuals without undue delay.

The ICO has produced guidance on personal data breaches.


Do I need to pay a fee?

The Government has announced a new charging structure for data controllers. It has yet to be approved by Parliament, but the ICO has produced a Guide to the Data Protection Fee to help explain why there is a new funding model and what payments will be required from 25 May 2018.


Will Brexit impact the implementation of GDPR?

No. GDPR comes into effect before the UK leaves the EU and the UK government has committed to fully implement it.


What is the Data Protection Bill and how does it relate to GDPR?

The Data Protection Bill (the Bill) will replace the DPA 1998 and is currently going through Parliament. The Bill will update data protection law in the UK by supplementing GDPR, implementing the EU Law Enforcement Directive and extending data protection law to areas not covered by GDPR.

More information can be found on the ICO website: Data Protection Bill.


March 2018