The EU General Data Protection Regulation (GDPR) was the biggest ever shake up to data protection laws, and its sound core principles still apply under UK Law after our withdrawal from the EU.

Any company, big or small, will have to comply with the regulations regarding the secure collection, storage and usage of personal information. Failure to do may be met with heavier fines or other regulatory censure.  What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, like distress.


The core objectives of the GDPR is to give individuals more transparency and control of their personal data and to unify the regulation within the EU.  It is making companies across the EU think seriously about data protection.

Key stipulations

  • Firms processing significant amounts of personal data, processing sensitive data, or undertaking large-scale monitoring must employ a Data Protection Officer (DPO).
  • The requirement to appoint a DPO will apply to small businesses  if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
  • Breaches in data security must be reported within 72 hours to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. .
  • Individuals have more rights and control as to how businesses use their personal data. In particular, they have the ‘right to be forgotten’, enhanced rights of data access and rights to data portability.
  • Failure to comply with the GDPR will lead to heavier punishments than ever before: up to €20 million or 4 per cent of annual turnover (whichever is higher).

Does it apply to you?

If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data. That includes present and past employees and suppliers, not just client data.

If it’s a routine occurrence, then you should abide by the GDPR.  In a nutshell, any businesses affected by the Data Protection Act (DPA) will also fall under the GDPR.   The key difference between the DPA and the GPDR is that the latter will be much stricter in what is defined as personal data, the scope and the requirements.

Understanding the type of data that will be affected under the GPDR is one thing, but having to find out where that data is held may not be as easy.  For example, think of personal emails sent and received by your staff that may have been lurking on your server for years. Every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.

It’s a complex task, and data discovery technology can help. Many IT consultants are offering GDPR toolkits and the Information Commissioner’s Office offers some helpful guidance.

A big plus to all of this is that you will probably emerge with more structured data and be able to monitor and manage it easily in future. You’ll also be in pole position to respond to  Subject Access Requests (SARs) – when individuals ask to see a copy of the information an organisation holds about them – and the ’right to be forgotten’, which may require you to identify and erase all of an individual’s data.

Does GDPR apply in the UK after Brexit?

The Data Protection Act 2018 enshrines GDPR’s requirements in law and, post-Brexit,  the UK government issued a statutory instrument ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’ which is now in force.

This amended the original law and created a new data protection framework known as the ‘UK GDPR’. The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR.

Of course, while the EU GDPR does not apply directly in the UK since the end of the Brexit transition period on 31 December 2020, any UK organisation that offers goods or services to, or monitors the behaviour of, EU residents will also have to comply with the EU GDPR, and should reflect this in its process documentation.


First published 2017

Updated 19 October 2021. 

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited trading as Deacon accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.