GDPR: are you ready for the change?

By now, you will almost certainly have heard about the General Data Protection Regulation (GDPR), but although many businesses are aware of its existence, confusion around the details of the GDPR remains widespread.

Our dedicated Food & Drink team here at Cripps law firm has seen a significant increase in enquiries as to what to do in preparation for this new piece of legislation. To help, we have set out some key questions and answers to consider prior to the GDPR coming into force on 25 May 2018.

Q: The business I operate is relatively small – do I need to care about the GDPR?

A: The GDPR will affect businesses of all sizes which process personal data – it is simply a question of degree. The impact is more obvious for businesses which deal directly with individual customers (and make use of their personal data in doing so), but every business processes some personal data, for instance about its own employees, its job applicants or the staff of its suppliers and customers.

Q: Will Brexit mean that I don’t need to consider the GDPR?

A: The GDPR is a European regulation. Although it may not apply directly to the UK following “Brexit-Day”, the government has published UK legislation which closely mirrors the obligations of the GDPR. In addition, the GDPR applies to businesses outside the EU which offer goods or services to individuals in the EU, or which monitor the behaviour of individuals in the EU, regardless of where the business itself is established. So in practice, Brexit will not affect the changes brought about by the GDPR.

Q: Can I only process personal data if I have consent?

A: No. Consent is just one of several lawful bases for processing personal data. Other lawful bases which are likely to be relevant to your business include processing which is necessary for the performance of a contract with the individual, and processing for your “legitimate interests”, provided those interests are not outweighed by the rights and interests of the individual. These lawful bases, like consent, are similar to those contained in current data protection law, but you must identify which one you are relying on for each processing activity and be able to explain that choice.

Q: I already have consent to process data, do I need to do anything under the GDPR?

A: The GDPR imposes a higher standard of consent: it must be freely given, specific, informed and “unambiguous”, and given by a clear affirmative action. Silence, pre-ticked boxes and inactivity will not count. Consent bundled into general terms and conditions, or made a condition of a service which does not need the data, is unlikely to be “freely given”. Individuals must also be able to withdraw consent as easily as they gave it. You will therefore need to review the consent you currently hold (and your process for obtaining and recording it, including evidence of when and how it was given), as well as your mechanisms for withdrawal of consent. Consent which does not meet the new standard will need to be refreshed, or another lawful basis identified.

Q: What will happen if my business fails to comply?

A: Current data protection law allows for fines of up to £500,000. Under the GDPR the maximum fine for the most serious breaches rises to €20m (around £17m), or 4 per cent of your business’s total worldwide annual turnover, whichever is higher.

As headline-grabbing as these figures may be, it is unlikely that fines at these levels will be imposed from day one. The increased fines are intended to act as a deterrent, however, and the average level of fines will probably increase. Enforcement is likely to focus on organisations which intentionally misuse data or negligently ignore their responsibilities. Fines are not the only consequence: the regulator can also order you to stop processing, and individuals can claim compensation for damage caused by a breach.

Q: What steps can I take towards compliance?

A: Your first step should be to identify and map the flow of personal data in, around and out of your business: what personal data you hold, where it came from, where it is stored, who has access to it and who you share it with. Then you can determine why you hold or use that data, which lawful basis applies, and what procedures, policies and contracts govern it, so you can establish whether your activities are compliant and what steps need to be taken to achieve compliance. This record of processing activities is itself something the GDPR may require you to keep.

You should put in place privacy notices which make clear how you use individuals’ data (and set out the other information required by the GDPR, such as the lawful basis for processing, how long the data is kept and the individual’s rights). As the GDPR applies to employee data as well, you may need separate internal (staff) and external (customer and supplier) privacy notices. You should also put in place an internal data protection policy setting out your data protection procedures, which acts as a roadmap to compliance and as evidence of it.

Any contracts under which you obtain or share personal data should be reviewed and may need amending. Any contract under which you appoint a “data processor” (essentially a service provider who processes data on your behalf and on your instructions, without deciding the purpose of the processing) must contain specific provisions required by the GDPR, including obligations on the processor to act only on your documented instructions, to keep the data secure, to assist you in meeting your own obligations and to delete or return the data at the end of the contract.

Q: What should I do if I need further information or advice?

A: We can help you to figure out what your business needs to do. We’ve recently launched a GDPR hub on our website which puts the new legislation into user-friendly language and helps you understand what GDPR means for you and your business. In particular, our five-step approach to compliance is designed to break down this potentially overwhelming requirement into achievable discrete tasks.

If you have any questions about the GDPR, please contact Elliot Fry or Victoria Symons at Cripps.

If you wish to keep up to date with issues affecting the food and drink sector, please sign up to our dedicated blog at or follow us on Twitter @CrippsFoodLaw.