From the 25 May 2018, the GDPR will be fully enforceable throughout every member state within the European Union. This means all small and medium sized enterprises (SMEs) worldwide need to ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.


The data protection landscape has changed enormously since the Data Protection Act 1998 (DPA) and the European Data Protection Directive 95/46/EC (DPD) it implemented were introduced. These changes mean that the DPA / DPD regime are no longer fit for purpose. The new General Data Protection Regulation 2016/679 (GDPR) will replace the DPA / DPD regime with a new and up to date set of data protection regulations.

The GDPR was adopted by the European Commission and brought into force in May 2016 with a post-adoption grace period of 2 years. From the 25 May 2018, the GDPR became fully enforceable throughout every member state within the European Union. But the GDPR also has an international dimension and it is therefore of the utmost importance that all small and medium sized enterprises (SMEs) worldwide ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.

Mewburn Ellis will be issuing a series of practical recommendations and advisory notes each month (January to May) to guide you in your efforts to review and revise your current data protection practices in order to ensure their compliance with the GDPR ahead of 25 May 2018.

  • January – Performing a data and information audit of your company to identify precisely what personal data you currently process. This will be an ongoing obligation under the GDPR. But the first audit will need to be exhaustive. It will also need to establish these review procedures for the future.
  • February – Based on the results of the data audit: updating or drafting new GDPR-compliant data protection policies and internal practice policies and procedures for your company.
  • March – Carrying out internal staff training in respect of your new GDPR-compliant policies and procedures. This will ensure that relevant members of staff have the necessary knowledge of the company’s data protection obligations under the GDPR. It will also raise the general education level on data protection across all employees.
  • April – Communicating the relevant updated or new policies to your data subjects, including your customers, clients and subscribers.
  • Post GDPR – We will be running a webinar that aims to recap on our GDPR guides, discuss key challenges of implementing the regulation and answer any questions that you may have. Sign up for our GDPR webinar here.

Here we briefly set out an introduction to some of the key differences between the old and the new regimes that SMEs in particular will need to be aware of.

Key changes under the GDPR

The fundamental principles of personal data protection and safeguarding the rights of data subjects remain, in essence, the same. However, the way the GDPR ensures the principles are realised has undergone substantial changes. A few of the key differences between the old and new data protection regimes are set out below.


The most material change introduced by the GDPR is the significant uplift in sanctions for breaching data protection requirements. A tiered approach will apply, such that the level of fine will depend on the category of obligation breached. But non-compliant companies could receive fines of up to the higher of 4% of their annual worldwide turnover or €20 million.

Extra-territorial application

The GDPR applies to data processing activities regardless of territorial boundaries. Companies and their activities no longer have to be based or established in the EU to be subject to the European data protection rules. Instead the obligations under the GDPR connect with the EU resident data subjects themselves. The result of this change means that a company whose activities relate to either: (i) the offering of goods and services to EU citizens (whether these are offered for free or not); or (ii) the monitoring of behaviour that takes place within the EU, will be subject to the GDPR.


The rules around data subject consent have also undergone substantial changes and have been dramatically strengthened to ensure that all requests for consent are made clearly and in intelligible and easily accessible forms. For example, pre-ticked boxes to indicate consent boxes will no longer be acceptable.

Data Subject rights

Data subject rights have also been revamped, with brand new rights being introduced and the enhancement of existing rights, including the following:

  • The right to erasure/right to be forgotten. An entirely new right which allows data subjects to require data controllers to: (i) erase their personal data; (ii) stop any further use or sharing of their data; and (iii) stop third parties from processing their data. There are a number of conditions that the data subject will need to establish in order to exercise this right. For example that the data is no longer relevant for the original processing purpose. But it nevertheless means that data subjects will have substantially more power in relation to controlling the use of their personal data.
  • Notification of a breach. If there is a data breach, this enhanced obligation requires that the company must notify the relevant Information Commissioner Office within 72 hours of first becoming aware of the breach. If the breach leads to the loss of highly sensitive data which poses a high risk to data subjects, the company must also notify the individual data subjects impacted.

How can we help you?

The Mewburn Ellis legal department offers a comprehensive suite of advisory services in relation to data protection and GDPR compliance. Contact Emma Gallacher or Sean Jauss to discuss what your business needs to do to become GDPR compliant.

Useful sources of information

More information is available on the Information Commissioner’s Office webpages: