GDPR: The devil’s not in the detail, it’s somewhere else!

Kate Saunders
Marketing Executive | Jordans
25th September 2017
Member role: Chamber member

The General Data Protection Regulation (GDPR) has, quite rightly, attracted a lot of press about how organisations need to comply with new data protection rules by 25 May 2018. However, GDPR compliance is only half the story for organisations operating in the UK.

Whilst the GDPR sets out the basic new data protection rules that will apply across the EU (Brexit will not have any effect on the applicability of GDPR to the UK), the GDPR allows EU member states discretion as to how they implement certain parts of the GDPR. Moreover, in many areas, GDPR requires supplemental laws and further clarification.

On 13 September 2017, the UK government published its Data Protection Bill, which will supplement the GDPR. Whereas the GDPR covers some 90-odd pages of law, the Data Protection Bill covers over 200! Therefore, it is clear that for UK organisations, high-level GDPR compliance will not be enough.

There is far more legal compliance required, which will be detailed in a new Data Protection Act once the bill becomes law. Indeed, it is fair to say that basic compliance with GDPR could put organisations in breach of the law set out in the bill. We will give a practical example based on a real-life matter we are currently advising on: ABC Limited seeks feedback about its employees’ performance from its customers.

That feedback is personal data about each employee. Under the GDPR, ABC Limited must inform the employee about the source of the feedback.

On the other hand, that feedback is the personal opinion of the source and therefore it is the personal data of the source. Under the Data Protection Bill, in most cases, it would be unlawful for ABC Limited to release the personal data of the source without the source’s consent. Hence, strict compliance with GDPR alone can, as this example demonstrates, put an organisation in breach of UK national data protection law.

Therefore, GDPR compliance is not enough. Over the coming weeks and months, we shall publish a series of articles about steps that organisations should be taking to comply with not only GDPR but all UK data protection legislation. We hope to share with you some of the practical issues we have encountered in helping our clients prepare for and comply with the new law.

Written by Simon Bates and Helen Wright, Jordans Corporate Law.
