What does GDPR mean for businesses?

New obligations for data processors

Under the GDPR, both data controllers and data processors are responsible for compliance with data protection legislation – meaning that not only the owners of personal data are responsible for meeting the requirements of GDPR, but those holding or using that data (such as external marketing or IT suppliers) also have responsibilities. 

Affirmative consent requirements for processing 

A key principle for processing data is that the procedure must be fair and lawful. The bases on which data is processed are a key area of reform. The previous rules were often interpreted too widely by data controllers.

One basis for fair and lawful processing is gaining the individual’s consent. Under previous legislation, practice arose in many industries whereby consent was implied by the actions or inactions of the data subject. Under GDPR, this practice is no longer acceptable. Consent must be freely given, specific, informed and unambiguous.

Privacy by design implications

Under GDPR, organisations are obliged to adopt an approach that promotes privacy and data protection compliance from the outset. All businesses in high-risk situations should consider carrying out Data Protection Privacy Impact Assessments.

Potential fines for security breaches

There is stronger enforcement action under GDPR where there is a breach of the data protection rules, including fines of up to 4% of an organisation’s turnover. Enforcement action is unified across the EU with each national supervisory authority authorised to take action.

Enhanced rights of data subjects

The rights of individuals in relation to their personal data have been enhanced under GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which Subject Access Requests (SARs) from individuals should be handled.



Appointment of Data Protection Officers

A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. Certain organisations, due to their size or business operations, are required to appoint a DPO to oversee compliance with data protection law.

In the UK, this is a new requirement for those dealing with personal data, however some EU member states already require some organisations to have a DPO in place.

International reach

The GDPR applies to the personal data of all individuals within the EU and to organisations processing their data, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.

  • "They are responsive and efficient, and there is a good depth of knowledge within the firm."


    Chambers UK Guide to the Legal Profession
  • MacRoberts LLP’s ‘excellent’ team is noted for its ‘quick turnaround time’ and ability to ‘deal with complex issues in an efficient manner’.

    Legal 500
  • "They are very good and very supportive - it feels like they are an extension of the business."

    Chambers UK Guide to the Legal Profession
  • "Let me thank you and your team for your time. Clearly, you present well, show mastery of your subject area and think on your feet."

    Major US Law Firm
  • "Their standards have been excellent - they are responsive and know the legal solutions but also the commercial considerations."

    Chambers UK Guide to the Legal Profession

GDPR & Cyber Security

Cyber security and key changes under the GDPR and UK Data Protection Act 2018 affect almost all businesses. Our online hub contains a wealth of information and insights on what your businesses should be doing to ensure full compliance with the law.

Latest updates from @MacRoberts