May 25 2018 will mark a major divide in how businesses handle user data. This is because on this day, a new data protection bill, namely the EU General Data Protection Regulation (GDPR), will take full effect.

While it may seem like another legal formality, it is anything but, and it will still apply after Brexit.

What’s the story?

The new GDPR regulations will widen the definition of personal data. Any information relating to a person, or data subject, that can be used to directly or indirectly identify that person is affected. In addition to the usual suspects (name, picture, email address, contact number), GDPR also includes an individual’s computer IP address and mobile device identity, making these protected under the bill.

What you can’t do anymore

Businesses cannot collect an individual’s data without their consent. This means that adding an individual’s information into your system via their business card, for example, is prohibited unless you can demonstrate they have consented to it. IP addresses are explicitly mentioned as forms of data protected under GDPR. This means that you can’t store an individual’s IP address unless you have their consent. You are responsible for demonstrating their consent.

What are the penalties?

As with any legislative breach, businesses can expect to face a penalty if the regulations are not followed. A personal data breach is defined as being ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Larger fines for a serious breach will be up to four per cent of an organisation’s annual worldwide turnover or €20 million, whichever is greater.

Five things you need to do now

It’s easy for small companies to see the GDPR as a burden, but it applies to any business with personal data of EU citizens. This includes customer, supplier, partner and employee personal data.

It’s also important to note that even if you’re a small business, if you’re contracting with a larger company which conducts large-scale data processing, you may be subject to the harsher end of the GDPR’s regulation.

Insolvency will be a real risk for non-compliant businesses as a result of these fines. But bear in mind the possibility that individuals can also sue you if they suffer as a result of your data management. This could be for material damage or non-material suffering, such as distress.

We can help you put your business in order, ready for the May GDPR deadline. For a full presentation on GDPR Compliance, or for advice on anything from drafting GDPR-compliant record documents to privacy notices and employment advice, contact our specialist solicitor Tim Wolley on 01782 200007 or email

For more information about the full range of legal services available here at Bowcock & Pursaill Solicitors, call 01538 399199 or email
