Trading legally with GDPR


Suzanne Dibble of The Small Business Law Expert is an award-winning business lawyer and the best-selling author of GDPR For Dummies following the success of her Facebook group, GDPR for Online Entrepreneurs.


The General Data Protection Regulation (GDPR) has been in force for nearly two years, so hopefully you are already compliant. As a reminder, here are the ten most important actions you need to take to comply with the GDPR.

1) Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it;

2) Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it;

3) Ensure that your data security strategy is robust and that you have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of a data breach or other security incident;

4) Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA);

5) Update your privacy notice to ensure that you’re being transparent about the means and purposes of your data processing;

6) Update your cookie policy to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that those cookies are set only after consent is obtained;

7) Ensure that your staff are appropriately trained in the relevant areas of the GDPR;

8) Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary;

9) Determine whether you need to appoint a Data Protection Officer (DPO). If you do, take the necessary steps to hire a suitable candidate;

10) Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.
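Point 6 above has a concrete technical consequence for the website itself: the code that sets non-essential cookies must not run until the visitor has explicitly agreed, and "consent" must come from an affirmative action rather than from scrolling or continued browsing. The following is an added example, not code from the article or its author, of a small consent gate that enforces that rule. The cookie names, the "essential"/"analytics" categories and the `jar` interface (an in-memory store so it runs outside a browser, plus a `document.cookie` adapter) are assumptions made for the illustration.

```javascript
// Added example (not from the article): a consent gate that sets
// non-essential cookies only after an explicit, affirmative consent action.
// Cookie names, categories and the `jar` interface are assumptions for the demo.

// Event types that count as an affirmative action; anything else is ignored.
const AFFIRMATIVE_ACTIONS = new Set(['click', 'keypress']);

// In-memory jar so the example runs outside a browser (constructed for the demo).
function memoryJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    remove(name) { store.delete(name); },
    get(name) { return store.get(name); },
  };
}

// Browser adapter around document.cookie; only usable where `document` exists.
function documentJar() {
  return {
    set(name, value) {
      document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
    },
    remove(name) {
      document.cookie = `${name}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
    },
    get(name) {
      const entry = document.cookie.split('; ').find((c) => c.startsWith(`${name}=`));
      return entry ? decodeURIComponent(entry.slice(name.length + 1)) : undefined;
    },
  };
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consented = false;        // default is "no consent"; nothing is implied
    this.pending = [];             // non-essential cookies requested before a decision
    this.nonEssential = new Set(); // names of non-essential cookies actually set
  }

  // Request a cookie. Essential cookies are set immediately; the rest wait
  // for a decision. Returns 'set' or 'deferred'.
  request(name, value, category) {
    if (category === 'essential') {
      this.jar.set(name, value);
      return 'set';
    }
    if (this.consented) {
      this.jar.set(name, value);
      this.nonEssential.add(name);
      return 'set';
    }
    this.pending.push({ name, value });
    return 'deferred';
  }

  // Grant consent from a DOM-style event. Only an affirmative action counts;
  // a scroll or page navigation returns false and changes nothing.
  grant(event) {
    if (!event || !AFFIRMATIVE_ACTIONS.has(event.type)) return false;
    this.consented = true;
    for (const { name, value } of this.pending) {
      this.jar.set(name, value);
      this.nonEssential.add(name);
    }
    this.pending = [];
    return true;
  }

  // Refuse or withdraw consent: drop queued cookies and remove any
  // non-essential ones already set. Essential cookies are untouched.
  refuse() {
    this.consented = false;
    this.pending = [];
    for (const name of this.nonEssential) this.jar.remove(name);
    this.nonEssential.clear();
  }
}

// Usage in a browser would wire `grant` to the banner's Accept button only:
//   const gate = new ConsentGate(documentJar());
//   acceptButton.addEventListener('click', (e) => gate.grant(e));
```

Calls to set tracking or analytics cookies go through `gate.request(...)` with a non-essential category, so they are queued rather than written until the visitor clicks Accept; `refuse()` also removes any non-essential cookies already present, which covers a visitor who later withdraws consent.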

Although the UK has left the EU, the UK’s version of the GDPR, which is very similar to the EU GDPR, will apply. There are, however, three areas of potential change that should be considered well ahead of 31 December 2020, the expiry of the Brexit transition period:

  • You will need to check that any international transfers of personal data are compliant; much of what you will need to do will depend on whether the UK is granted ‘adequacy’ by the EU or not.

  • You may need to appoint a Representative in the EU if you are established in the UK without an EU establishment and you offer goods or services to, or target, people in the EU. Law firms and other providers offer Representative services.

  • If you are established in the UK and in more than one EU member state (or your processing is likely to substantially affect individuals in EU member states), then you need to think about who your Lead Authority might be going forwards.

GDPR For Dummies (Wiley, 2020)

After 31 December 2020, the Information Commissioner’s Office (ICO) can no longer act as Lead Authority, so you will have to deal with both the ICO and your EU Lead Authority. If you are solely established in the UK but your processing is likely to substantially affect individuals in any other EU member state, you will, post-Brexit, have to deal with the ICO and with the supervisory authority in each EU member state where the individuals whose personal data you process in connection with those activities are located.

In theory, you could be fined by the ICO and by the supervisory authority in every EU member state where data subjects are affected. If you are affected by this, it would be a good idea to start considering the impact of this and whether it would be worth forming establishments in certain EU member states in order to take advantage of the One Stop Shop.
