GDPR to be Enshrined in UK Law

The principles of the EU General Data Protection Regulations (GDPR) are to be enshrined in UK law under proposal released by the Department of Culture, Media and Sport (DCMS).  The Data Protection Bill follows a statement of intent from Matt Hancock in April and subsequent public consultation on GDPR, which has found that 80% of people do not feel they have complete control over their online data.

Matt Hancock, Minister of State for Digital, has said

“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.

The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

For Consumers, this means crucially that “the right to be forgotten” and the “portability of data” will be protected by statute.

For Government, it means the Information Commissioner’s Office (ICO) will have the ability to inflict punitive damages on defaulting firms, the larger of £17m or 4% of global turnover; a leap from the current £500k under the Data Protection Act 1998.

For Business, this means accepting what might be an uncomfortable reality for many, that the UK will not escape the scheduled implementation of GDPR on 25 May 2018.  Current estimates are that 2/3rds of employers are not ready for GDPR, with 57% of respondents indicating that they had not even agreed a budgetary or resource allocation to GDPR in a study by the Centre for Innovation Policy Leadership.

What can I do to prepare for GDPR?

Data Protection Officer.  An accountable DPO is a stipulation of GDPR and will need to be in place by May 2018; ensure you have one appointed.

Data Protection Plan.   Although many businesses will already have an existing plan, this will need to be reviewed in light of GDPR.

Data Breach Plans.   Breaches need to be reported within 72 hours under GDPR.  Robust and rehearsed plans will enable an effective response in the event of an incident and will directly affect the your risk of fines. Ensure you have tested your ability to report and respond within the time period.

Risk Assessment.   Understand the data you record on EU citizens and the associated risks.  Plan your mitigation and implement that mitigation early.

Compliance.   Assuring these plans remains critical and you will need to monitor and improve to ensure you remain in compliance.


Adam Gibson is a global leader in Workforce Planning, creator of the Agile Workforce Planning methodology and a popular keynote speaker.  He has successfully implemented and transformed workforce planning and people analytics in businesses across both the public and private sector. As a consultant, he advises company executives on how to create a sustainable workforce that increases productivity and reduces cost; he is also the head of CIPD’s workforce planning faculty.