25th of May 2018 it became law. Are you compliant?


This regulation replaces all data protection legislation in EU member states. Companies need to be complying with this now, and SMP Risk Managed can help you with Data Privacy Policies.

The GDPR, or General Data Protection Regulations, are new EU regulations which make the current Data Protection regulations much stronger.  The GDPR came into force in May 2018 and, if breached, could result in a fine of up to 4% of global turnover.


The data protection principles, as set out in the Data Protection Act 1998 (DPA) remain, but they have been condensed into six, as opposed to eight principles. Article 5 of the GDPR states that personal data must be:

  1. Processed fairly, lawfully and in a transparent manner in relation to the data subject.
  2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  6. Processed in a way that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Like the DPA, the GDPR requires data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed.


The preamble to the GDPR states: ‘Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child.’

Data Subjects’ Rights

The list of rights that a data subject can exercise has been widened by section 2 of the GDPR. In addition, article 17 introduces a ‘right to be forgotten’, which means data subjects will be able to request that their personal data is erased by the data controller and no longer processed. 

Data Protection by Design

Data controllers are expected to include data protection controls at the design stage of new projects involving the processing of personal data.


The GDPR stipulates a requirement for data controllers to keep an internal record in relation to all personal data they process (Article 28).

Security breaches

Article 31 of the GDPR requires that, as soon as the data controller becomes aware a personal data breach has occurred, it should, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the Information Commissioners Office (ICO).


The GDPR introduces much higher fines.

Data Protection Officer

Section 4 of the regulation introduces a statutory role of Data Protection Officer (DPO). Most organisations handling personal data, both data controllers and data processors, will require a DPO who will have a key role in ensuring compliance with the GDPR.

There are a lot of things that need to be taken into consideration and if you need specific help or need someone to discuss your requirements with, please contact SMP Risk Managed, by using our contact form, and we will call you right back.