The 25th May 2018 has been and gone… we are still here… businesses haven’t fallen to the ground and the ICO hasn’t fined every organisation that was not compliant in time…

But the General Data Protection Regulation (“GDPR”) is not over, it is an ongoing process which businesses will need to ensure is incorporated into their ongoing practices.

The GDPR requires all those who take data for business reasons comply with the seven key principles:-

● Lawfulness fairness and transparency

● Purpose limitation

● Data minimisation

● Accuracy

● Storage limitation

● Security

● Accountability

Businesses should incorporate these principles into their practices and as a minimum:-

– Confirm a lawful basis for processing all data (i.e. Contractual, Consent, Legitimate Interests, Vital Interests, Public Interest or Legal Obligations)
– Prepare appropriate Privacy Notices, Data Protection Policies, Contracts and records to put into place and communicate to relevant persons
– Ensure security of data is proportionate to the data being held.

However, this is not the end of a business’s obligation when it comes to data protection. Businesses may also need to ensure compliance with the Privacy and Electronic Communications Regulations (“PECR”) which regulate matters such as the need for cookie notices and specifically how a business can market electronically.

There are strict consent requirements under the PECR with regards to e-marketing. It is, in fact, the consent requirements under the PECR that are often confused with the lawful basis of consent under the GDPR. This has in turn meant that many companies have sought consent from all of their database of contacts to ask to continue to contact them when they may well have been able to rely on other lawful reasons.

Companies should make sure they are aware as to their obligations under the PECR. The ICO is keen to try and stamp out abuse of data and is not afraid to fine companies significant amounts when it comes to issues such as unsolicited calls or texts, as can be seen by their published ‘Action We’ve Taken’ page.

And still to come; Companies and indeed individuals should keep an eye out for the new E-Privacy Directive which is on its way. The E-Privacy Directive is more concerned with the use of data to track a person’s ‘metadata’ (i.e. the information that is taken behind the scenes of a user for purposes such as tracking their likes, location etc). It is an extensive Directive that is likely to have a significant impact for large social media presences, but there may also be implications for smaller businesses when it comes to matters such as cookies, spam and e-marketing to name but a few.

Watch this space…

If you would like to discuss ensuring your company’s compliance with our commercial team please do get in touch on 01626 202404 or email,

*This information has been prepared based on general advice only and may vary depending on your own circumstances.  If you would like any specific advice please do not hesitate to contact us*