
General Data Protection Regulation (GDPR)

Data protection will change substantially on 25 May 2018. The changes will result in a huge increase in regulatory risk, which in turn can result in a severe penalty. The GDPR will apply to all UK businesses irrespective of Brexit. This briefing sets out what’s new, what you should be doing, and how we can help.


  • The changes contain many additional and more onerous obligations, including detailed record keeping and documentation requirements, and some significant new data protection concepts. In addition, the penalties for getting it wrong are much more severe.
  • The concepts are similar to the current data protection laws, but with added detail and accountability.

What’s new?

  • Significantly larger fines if you get things wrong – up to 4% of annual worldwide turnover or 20 million euros (whichever is greater)
  • Requirement to carry out a data protection impact assessment
  • Requirement to appoint a data protection officer
  • Direct obligations and liability on data processors
  • Accountability requirement, increased record keeping obligations
  • Mandatory data breach reporting
  • Higher standard for consent
  • Increased requirements for privacy notices
  • Principle of data protection “by design” and “by default”
  • Right of consumers to “be forgotten” and to data portability
  • Concept of pseudonymous data
  • One stop shop for multinationals, with a lead supervisory authority
  • Extended territorial scope – non-EU businesses directly subject to the GDPR.

What should you be doing?

Start now

With the potential for high fines, as well as the fact that good data protection practice helps build trust and can act as a competitive differentiator, businesses need to start work now on becoming compliant with the GDPR.

How can we help?

We provide clear, commercially pragmatic advice on data protection compliance and preparation for the GDPR. We will carry out a comprehensive GDPR readiness assessment, with gap analysis and recommendations to help determine which business processes you will need to review and implement in preparation for the GDPR.

In particular we provide strategic advice on:

  • Drafting privacy policies, data retention policies, and incident response plans
  • Data processing arrangements, including due diligence on vendors, and drafting data processing agreements
  • Data protection and HR, including drafting staff data protection policies, communications monitoring, recruitment and selection
  • International data transfers, including implementation of Model Clauses, Privacy Shield and Binding Corporate Rules
  • Advising on personal rights, including the right to be forgotten, data portability, subject access requests
  • Compliance with e-marketing and cookie regulations
  • Carrying out a data protection impact assessment or compliance audit
  • Provision of data protection training to staff
  • Dealings with the ICO and other regulatory authorities, investigations and proceedings.
  • Checking post-implementation changes.

In the event of a data security breach incident we provide rapid legal support to mitigate legal risk including compliance with reporting requirements, communications to data subjects, service providers and other stakeholders, and handling legal claims.

Follow Fox Williams’ UK and EU Data Protection and Privacy law blog at www.idatalaw.com.

If you would like more detailed GDPR guidance do please contact us.

Recent news, articles and deals:

  • Six data protection steps for returning to the workplace
  • Returning to the office: what part will testing for Covid-19 and contact tracing play?
  • Supreme Court absolves Morrisons of liability for rogue employee data breach
  • Data Protection and Covid-19 – ICO Guidance
  • Happy Data Privacy Day! And what's coming up in 2020?
  • An update on the implications of a no deal Brexit on data protection
  • 10 top tips for DSARs: What do employers need to know when responding to Data Subject Access Requests?
  • No-deal Brexit - the effect on data flows
  • GDPR’s territorial reach: How far does it go?
  • €50m fine for Google: Transparency and valid consent both lacking
  • GDPR six months in - the story so far
  • Brexit and your business contracts: maintaining data flows between the UK and the EU
  • The use of location data by mobile apps post-GDPR
  • The consent trap - one month after the GDPR took effect
  • Helen Farr quoted in City AM - Have companies underestimated the impact of GDPR?
  • Eight weeks to go until the GDPR comes into force - are you ready? And if not what should you be doing?
  • The General Data Protection Regulation (GDPR) is changing Data Protection in the UK and EU
  • Are you up to speed with the GDPR?
  • Jonathan Segal writes for Peer2Peer Finance News: Personal data: Handle with care
  • GDPR for HR departments: questions and answers by Reward Strategy and Helen Farr
  • Nigel Miller quoted in Drapers on the challenges fashion retailers face to protect customer data

Who should I contact?


Nigel Miller
Direct dial: +44 (0)7973 641 158


Laura Monro
Senior Associate
Direct dial: +44 (0)7734 857 695


  • Top Ranked Chambers UK 2014 - Leading Firm
  • Ranked in Chambers Europe 2013 - Leading Individual
  • Ranked in Chambers Global 2014 - Leading Firm
  • Legal 500 - Leading Firm
  • The Lawyer UK 200 - Listed Firm
  • The Law Society Excellence Awards 2012 - Shortlisted
  • Investors in People - Bronze