The GDPR is fully enforceable throughout every member state within the European Union. This means all small and medium sized enterprises (SMEs) worldwide need to ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.


From the 25 May 2018, the GDPR became fully enforceable throughout every member state within the European Union. But the GDPR also has an international dimension and it is therefore of the utmost importance that all small and medium sized enterprises (SMEs) worldwide ensure that their data processing activities comply with the obligations of the new data protection regime ahead of this deadline.

How can we help you?

Our team provide assistance on all aspects of achieving and maintaining compliance with the GDPR. This includes:


Carrying out a data audit or reviewing an existing or partial data audit which identifies:

  • precisely what personal data assets you hold
  • where the data has come from
  • who controls the data
  • why you have that data
  • the lawful basis on which you process the data
  •  how the data is stored and destroyed

These initial audits form the basis of the report.  This is a risk-based review of the results of the audit  setting out the GDPR compliance issues that have been discovered, the risks associated and recommendations on resolving the issues and moving towards compliance.


Putting in place the various solutions, strategies, policies and plans (including updating or producing data protection policies, updating data sharing and processing contracts, potentially appointing a Data Protection Office and carrying out any internal training that may be necessary), as identified by the report.

Support and Engagement

Ongoing support and engagement maintaining  GDPR compliance and depending on need, can consist of:

  • ad-hoc advisory services; and/or
  • appointment of Mewburn Ellis as your statutory or informal Data Protection Officer (if required under the GDPR.)

Please feel free to contact us to learn more about how we can help with any of the above.  Alternatively we are happy to offer tailored assistance based on your organisation’s needs.

Want to find out more about GDPR?

We will be running a webinar that aims to recap on our GDPR guides, discuss key challenges of implementing the regulation and answer any questions that you may have. Sign up for our GDPR webinar here.

What are the key changes under the GDPR?

Below we briefly set out an introduction to some of the key differences between the old and the new regimes that SMEs in particular will need to be aware of.

The fundamental principles of personal data protection and safeguarding the rights of data subjects remain, in essence, the same. However, the way the GDPR ensures the principles are realised has undergone substantial changes. A few of the key differences between the old and new data protection regimes are explained here.


The most material change introduced by the GDPR is the significant uplift in sanctions for breaching data protection requirements. A tiered approach will apply, such that the level of fine will depend on the category of obligation breached. But non-compliant companies could receive fines of up to the higher of 4% of their annual worldwide turnover or €20 million.

Territorial Boundaries

The GDPR applies to data processing activities regardless of territorial boundaries. Companies and their activities no longer have to be based or established in the EU to be subject to the European data protection rules. Instead the obligations under the GDPR connect with the EU resident data subjects themselves. The result of this change means that a company whose activities relate to either: (i) the offering of goods and services to EU citizens (whether these are offered for free or not); or (ii) the monitoring of behaviour that takes place within the EU, will be subject to the GDPR.


The rules around data subject consent have also undergone substantial changes and have been dramatically strengthened to ensure that all requests for consent are made clearly and in intelligible and easily accessible forms. For example, pre-ticked boxes to indicate consent boxes will no longer be acceptable.


Data subject rights have also been revamped, with brand new rights being introduced and the enhancement of existing rights, including the following:

  • The right to erasure/right to be forgotten. An entirely new right which allows data subjects to require data controllers to: (i) erase their personal data; (ii) stop any further use or sharing of their data; and (iii) stop third parties from processing their data. There are a number of conditions that the data subject will need to establish in order to exercise this right. For example that the data is no longer relevant for the original processing purpose. But it nevertheless means that data subjects will have substantially more power in relation to controlling the use of their personal data.
  • Notification of a breach. If there is a data breach, this enhanced obligation requires that the company must notify the relevant Information Commissioner Office within 72 hours of first becoming aware of the breach. If the breach leads to the loss of highly sensitive data which poses a high risk to data subjects, the company must also notify the individual data subjects impacted.

Read our GDPR blog series

Our blog series looks at four key steps you can take to achieve compliance:

Step 1 – Carrying out your first data audit

Step 2 – Updating and drafting new GDPR-compliant data protection policies

Step 3 – Getting staff up to speed with your new GDPR policies

Step 4 – Communicating your updated or new policies to your data subjects

Useful sources of information

More information is available on the Information Commissioner’s Office webpages: