General Data Protection Regulation is coming

Monday 17 July 2017

As of May 2018, General Data Protection Regulation (GDPR) will apply to all UK businesses.

After four years of preparation and debate, the EU General Data Protection Regulation was finally approved by the EU Parliament on 14 April 2016. Replacing the 1998 Data Protection Act, GDPR will come into force on 25 May 2018 and will directly apply to all European Union member states.

The GDPR has been designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

With new elements to contend with, it could take months for UK businesses to get ready. That is why it is important to start putting measures into place now, to ensure that you and your business are prepared. Those who are non-compliant by the implementation date could face heavy fines.

What you need to know

This is the biggest shake-up to Data Protection since the introduction of the Data Protection Act in 1998, and whilst May 2018 may seem a long way off, it will be here before you know it. The key articles of the GDPR to be aware of are:

  • GDPR will apply to all UK businesses despite Brexit.
  • You must have a valid lawful basis in order to process personal data.
  • Companies will no longer be able to use long illegible terms and conditions full of jargon.
  • Customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose. When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
  • Customers have the right to request their data be removed and further distribution ceased in specific circumstances (e.g. where the individual withdraws consent).
  • The collection of online identifiers such as IP addresses, cookies and tags also falls under the remit of 'personal data'.
  • The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.
  • Notifiable data breaches need to be reported to a data protection authority and the people affected within 72 hours, where feasible.

Companies that are not GDPR-ready by May can face fines of up to four per cent of their global annual turnover, and if a notifiable breach takes place and your agency does not inform the supervisory authority within 72 hours, you could be fined up to two per cent of your global annual turnover.

What you need to do

Map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process. Here are 11 steps to take now:

  • Inform the decision makers and key people in your organisation that the law is changing.
  • Document what personal data you hold, where it came from and who you share it with.
  • Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
  • Update your procedures and plan how you will handle access requests and provide any additional information within the new timescales.
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  • Review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents now if they don’t meet the new GDPR standard.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  • Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  • Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  • If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Whatever stage of implementation you are at, the ICO has created a self-assessment toolkit to help you evaluate your level of compliance with the new data protection regulations, and find out which areas within your business you need to develop to get ready for GDPR.