On 25 May 2018, new rules governing the way in which organisations collect, use and process personal data will be introduced under the EU General Data Protection Regulation (GDPR).

This new legislation will have direct effect on all member states of the EU which include, for the time being, the UK. However, it is important to note that the GDPR will affect countries outside the EU as well as member states – it will apply to all organisations in the EU which control or process personal data and to all organisations outside the EU which control or process personal data of EU Citizens. Brexit will in most cases not affect the way in which the GDPR will apply to UK businesses.

While some aspects of the current data protection legislation will remain largely unchanged, there are some important new concepts and certain tasks from an operational and administrative perspective that are going to need to be handled differently or perhaps for some businesses, in a completely new way.

Broadly speaking if your business is subject to the Data Protection Act now, the GDPR is likely to impose increased liabilities and new, more onerous obligations from May 2018.

The new rules mean that organisations should be acting now to prepare for these new rules – there are significant steps that need to be taken to ensure organisations will be compliant by May 2018 – the Information Commissioner has already indicated that there will be no grace period for compliance after the GDPR comes into force.