The General Data Protection Regulation (GDPR), widely regarded as the biggest shake up of data protection law in 20 years, comes into force on 25 May 2018 and regardless of size, will affect every business located in the EU or trading with EU businesses which collects, stores or uses personal information. There are therefore very few (if any) businesses in the UK for whom the GDPR will have no effect.

The new Regulation enhances individuals' data protection rights and introduces a greater obligation for businesses to be transparent in how they use personal data. All affected businesses are required to have appropriate policies and procedures in place to ensure that personal data is collected and processed lawfully. They will also need procedures to deal with Data Subject Access Requests (requests from individuals to provide details of all data held about them) and data breaches. Under the new Regulation, individuals will have the right to ask data controllers to erase all data held on them and to obtain a copy of their own personal data in a structured and machine-readable format. Organisations will also be required to notify the Information Commissioner's Office (ICO), the GDPR supervisory authority, and the related individuals within 72 hours of a harmful data breach. Greater data protection rights for individuals will inevitably increase the regulatory burden for organisations. However, it is also an excellent opportunity for organisations to be proactive and get the personal information they hold in order. A compliance programme can also be used as a positive differentiator in dealings with customers and suppliers, since the non-compliance of competitors will quickly become apparent and a compliant organisation is self-evidently a better organisation to deal with.

Organisations must not ignore the GDPR. Action needs to be taken now to minimise the risk of breaches, which can result in fines being imposed by the ICO. These fines will vary depending on the seriousness of the breach but the maximum fine is the higher of €20 million or 4% of worldwide turnover of the business. Alongside the financial impact of such a fine, a business will also face

serious damage to its reputation. Our Collyer Bristow survey* shows that 55% of UK small businesses** are still not familiar with the GDPR despite its introduction being now less than a year away. The survey further reveals that the knowledge of GDPR is higher in larger businesses. However, 30% of executives at companies with over 1,000 employees, say they are still not familiar with the GDPR. Our research also found that 18% of businesses said they would be at risk of becoming insolvent if they were forced to pay the new, higher maximum fines allowable. Previously, fines were set at a maximum of £500,000. Lack of knowledge of the GDPR across all businesses is still high, with over a quarter (27%) of senior decision makers at all UK businesses not familiar with the upcoming changes.

The worst performing sectors -  include real estate and construction, where 35% of senior decision-makers across all real estate businesses admit they are not familiar with the GDPR.Further findings from the research reveal:

  • 57% of businesses' senior management have little or no direct involvement with data protection
  • 34% of businesses have no plans to perform a data risk assessment in 2017
  • 23% of business have no data breach contingency plan in place
  • 20% of businesses have still taken not steps to prepare for the GDPR

Patrick Wheeler, Partner and Head of Intellectual Propertyand Data Protection at Collyer Bristow, comments: "Our Survey shows that a lot of UK businesses - particularly SMEs -still have a long way to go to be GDPR-compliant by May, and the clock is ticking. This is despite all the recent publicity."

"It cannot be overstated just how far-reaching a change the GDPR will be to the data protection landscape in the UK. It impacts any business that deals with personal data anywhere in the EU - no matter how small." "The financial penalties and reputational risks of noncompliance mean that no business can afford to treat its data protection policies and procedures as a low priority."

"With nearly one in five businesses saying they would be at risk of going insolvent if they had to pay the maximum penalty, data regulation compliance should be a Board-level priority."

"The new regime comes at a time when data is becoming increasingly important to businesses. Owning and exploiting customer data legally is now a key part of a business' competitive strength - meaning the GDPR really has raised the stakes." "The good news is that businesses still have time to gettheir data protection in order, so long as they act quickly. A business can quickly identify its most urgent data privacy risks and priorities and begin to address them. We are currently helping a number of businesses to grasp the nettle. Every business that starts working on this today can make very significant progress in becoming a fully compliant business by day one of the GDPR."

Collyer Bristow provides a range of compliance audit, legal advice, policy drafting and training services for businesses to help them in their programme to achieve GDPR compliance. We also work with cyber security and data management organisations which can provide the

necessary technical tools for such a programme. If you would like to discuss your own requirements, please email us at

Or visit us at

*Survey of 460 senior decision makers at British businesses

**Companies with fewer than 250 employees