Latest News

The GDPR countdown has begun

12 February 2018

General Data Protection Regulation coming into force in May will mean fundamental changes in how businesses handle personal data - so if you don't already have a plan in place, now is the time to be thinking about one. Read More...

Scottish Government to consult on LBTT relief for first time buyers

12 February 2018

The Scottish Government have announced that they are to consult on Land and Buildings Transaction Tax (LBTT) exemption for first time buyers on properties under £175,000. Read More...

OnTheMarket goes live on London stock exchange

09 February 2018

All eyes have been on OnTheMarket plc today as it finally launched on the London Stock Exchange. Read More...

First time buyers queue for houses

08 February 2018

Camping chairs and blankets in hand, eager first time buyers queued through the night to snap up their future homes. Read More...



General Data Protection Regulation is coming

Monday 17 July 2017

As of May 2018, General Data Protection Regulation (GDPR) will apply to all UK businesses.

After four years of preparation and debate, the EU General Data Protection Regulation was finally approved by the EU Parliament on 14 April 2016. Replacing the 1998 Data Protection Act, GDPR will come into force on 25 May 2018 and will directly apply to all European Union members states. 

The GDPR has been designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

With new elements to contend with, it could take months for UK businesses to get ready. That is why it is important to start putting measures into place now, to ensure that you and your business are prepared. Those who are non-compliant by the implementation date will face heavy fines.

What you need to know

This is the biggest shake up to Data Protection since the introduction of the Data Protection Act in 1998, and whilst May 2018 may seem a long way off, it will be here before you know it. The key articles of the GDPR to be aware of are:

  • GDPR will apply to all UK businesses despite Brexit.
  • All companies are required to appoint a Data Protection Officer who is responsible for internal record keeping.
  • Existing or prospective customers will have to give consent for the information to be held and used.
  • Companies will no longer be able to use long illegible terms and conditions full of legalese. T&C's must be in an intelligible and easily accessible form.
  • Customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose. When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
  • Customers have the right to request their data be removed and further distribution ceased.
  • The collection of online identifiers such as IP address, cookies and tags also fall under the remit of 'personal data'.
  • The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.
  • Loss of data needs to be reported to a data protection authority and the people affected within 72 hours.

Companies that are not GDPR-ready by May will face a fine of up to four per cent of their global annual turnover; if a breach takes place and your agency does not inform the supervisor authority within 72 hours, it faces a two per cent of global annual turnover fine.

What you need to do

Map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process. Here’s 11 steps to take now -

  • Inform the decision makers and key people in your organisation that the law is changing.
  • Document what personal data you hold, where it came from and who you share it with.
  • Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
  • Update your procedures and plan how you will handle access requests and provide any additional information within the new timescales.
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  • Review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents now if they don’t meet the new GDPR standard.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  • Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  • Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  • If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Whatever stage of implementation you are at, the ICO has created a self-assessment toolkit to help you evaluate your level of compliance with the new data protection regulations, and find out which areas within your business you need to develop to get ready for GDPR.