Data laws in the UK are changing. Get the GDPR lowdown below.


GDPR is an acronym for the General Data Protection Regulation, an EU regulation that will come into practice on May 25, 2018. The GDPR will replace the 1995 Data Protection Directive and build upon data protection laws. Essentially, the way that public and private entities handle customer information is changing. This means that all UK business, including recruitment, will be affected.


Will these laws affect my business?

Anyone who controls or processes information within EU member states will be affected by the GDPR. If the Data Protection Directive already affects you, then GDPR will affect your business too. As the Information Commissioner’s Office says, ‘if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR’


How will these laws affect my business?

The fundamental change is that companies storing and processing information will be more accountable. There are 3 main takeaways:

  1. New rights allowing people access to information stored on them
  2. New laws on business’ data management
  3. New powers to fine companies for their refusal to follow these new data regulations.

If someone asks for personal information held by your company about themselves, you must provide it within one month, free of charge. Individuals can even ask to have their data erased if their data’s storage is considered unnecessary, non-consensual, or unlawfully processed.


Most of the changes will affect larger companies. For instance, companies with more than 250 employees will need to document why they are storing information and how long they are securing it for.


More scrutiny of data collection from authorities aims to reduce the chance of wide-scale data breaches — of which we have been seeing often recently.

These new regulations — which the ICO CEO Elizabeth Denham describes as ‘evolution in data protection, not a revolution’ —are nothing to be afraid of. They aim to increase the level of trust between customers and businesses.


Will Brexit play a role?

As the GDPR is an EU regulation, it only applies to EU member states — so wouldn’t be enforced in a post-Brexit Britain. However, there is an alternative Data Protection Bill ready to be implemented by the UK government post-Brexit. This bill mimics the GDPR and would operate in largely the same way. This means there should be little change.


What kind of information is covered?

Personal and sensitive personal data both fall under the GDPR. 

  • Personal data is information that can identify a person — such as an IP address, real address, or name
  • Sensitive personal data covers religious, political, and sexual orientation alongside things like genetic information.


Who is implementing it?

The Information Commissioner’s Office (ICO) is charged with implementing the GDPR. The ICO has created a dedicated phone service to help small companies through the process of implementing the GDPR. They can be contacted through their existing public helpline on 0303 123 1113.


Have any other questions?

The Information Commissioner’s Office official 12-step guide to preparing for GDPR expands upon many points made in this article in more detail. Additionally, the ICO has prepared a checklist for companies preparing for the GDPR.


This article has explained what GDPR is, how it may affect you, and how you can go about putting the compliance in place if any actions are needed. Are you prepared for GDPR changes? Let us know any thoughts you have!


Follow Atkinson Moss for further articles on recruitment, topical information, news, and opinion pieces. Like us on Twitter or Facebook, and subscribe to our mailing list! Vacancies can be found here.