It’s a brave new world of clouds, artificial intelligence and virtual reality but it’s not science fiction.

It’s as real as the trees and grass, and with this newfangled digital age comes an increased threat to our online security. So it’s little wonder that the data protection laws have come to need a re-jig.

The new law takes effect as of 25th May 2018, comprising the General Data Protection Regulation (GDPR) – which governs the use of data – and the Data Protection Directive – which is the law enforcement element of the new ball game.

Though these new laws are being implemented under the umbrella of the EU, you’d be wrong in thinking that they won’t apply to us for much longer. The new legislation applies to any business which holds the data of any EU citizen, and the full weight of the new laws apply to us until Brexit is well and truly complete.

With just over a year to get our ducks in a row, here are some of the key changes worth taking note of.

You say data, I say data

First off, what exactly is “data”, and who’s responsible for it? Well, to use official language; it is any information by which “a person can be identified”.

This is pretty broad, but under the new laws anyone who has access to information fitting this definition becomes responsible for it, should there be a breach. This means that any third party partners are as liable under law as the company employing their services. So, as in all aspects of life, you’ll want to choose your partners wisely!

Costly mistakes

The most potentially painful of the changes about to come into play are the huge fines which can be levied, by regulators, against businesses who fail to comply with the new rules. We’re talking eye-watering sums of up to up to €100 million, or 4% of a business’s annual turnover – whichever is biggest – which could cripple, if not fatally wound a company.

If that weren’t enough, the compensatory claims process is being simplified for consumers which means that, on top of these fines, businesses could also find themselves at the short end of a sharp financial stick, wielded by an unhappy customer.

Whilst this might sound a little unfair, it’s a measure of protection which aims to make us all feel safe in the knowledge that businesses are taking care of our data.

A regulation, not a directive

Whilst these words are often used interchangeably, they’re not the same thing. The new law is a regulation – which means it automatically becomes law for all EU member states.

The situation we currently have is a directive, which gives each member country the freedom to invoke their own laws around data protection. Both sound relatively frightening but the new unified approach provides some one-rule-for-all clarity at least.


The way in which companies collect data is changing. Where there used to be fairly relaxed regulations around data capture in comparison, there must now be explicit and proven consent from the consumer for you to hold their personal information.

The customer must also be able to just as easily withdraw their consent for you to keep their details, under what’s being called “the right to be forgotten”.

So what counts as consent in this New World? Well, it means asking permission for all the things you currently take for granted. This might include;

  • Subscription to mailing lists and any other marketing communications
  • Using behavioural data gathered through analysing your customers shopping or browsing habits, to inform changes to your site or for targeted marketing

It’s important to note that consent isn’t only needed for new customers but existing ones too, and you need to be able to prove that they’ve given it.

OK, so there are two elements at play here; firstly, you must make it explicitly clear to new customers what you are acquiring their details for. And you can’t get away with hiding your agenda in a wordy and confusing set of Ts & Cs. For example, if you wish to track your customers online habits, to inform updates and improvements to your site; “We want to make sure that our website is always working as best it can for our customers, so we will use your information and preferences to make changes from time to time”.

In the case of existing customers, consent needs to be recent too. You might want to consider sending those customers a nice (but concise!) refresher email, letting them know that changes to the law have been made and that you’d like to make sure they are still happy for you to hold their details. Again, it’s important that you spell out the ways in which you might use them.

Third party vendors, and those who employ their services, might have a tough time proving consent, so any startup or SME sourcing data from these should ask to see proof that explicit and informed consent has been given by the customer.

In the case of cloud service providers, it might be worth sticking a clause in their contract which permits you to inspect their procedures, and even facilities, so that you can feel confident that their protection policy and measures are up to scratch.

Being the “little fish” isn’t so bad

As we move toward an increasingly digital existence – for better or for worse – the new legislation is heralded as being one of the key enablers of a Single Digital Market. And let’s face it, online has become a scarier place since the laws were last changed back in 1995, so a change isn’t a bad thing.

Daunting as all this might sound, new businesses and SMEs might have an easier time of it than existing or large companies, because these new practices can be put in place from the very beginning. At the very least, there shouldn’t be an insurmountable legacy of data to sort through. Lucky!