Back to overview

Commercial Question

Businesses line up to prepare for data protection reforms

updated on 10 May 2016


What steps will businesses need to take to prepare for the implementation of the General Data Protection Regulation (GDPR)?


Now that the text for the GDPR has been agreed, businesses must turn their minds to changing the way they deal with consumer customer data before the GDPR is implemented in 2018. They will need to use the next two years to ensure that, among other things, their data protection policies, processes and systems are made GDPR-compliant and that all of their customers (or "data subjects" as they are referred to in the GDPR) are informed of the new and enhanced rights which the GDPR gives them. This article focuses on how the GDPR will affect:

  • what consent businesses need to obtain from data subjects to collect and use their personal data;
  • businesses' use of marketing emails; and
  • the penalties that data protection authorities may impose for breaches of the GDPR.

It is important to note that as the GDPR will require non-EU businesses to comply with its provisions if they (i) offer goods or services to EU citizens, or (ii) monitor EU citizens' behaviours (such as their shopping habits), it will still affect UK businesses which rely on trade in Europe, whether or not we vote yes to Brexit.


For many years businesses have had to obtain data subject consent before collecting and using personal data. However, the threshold businesses have had to meet to satisfy this requirement has to date been relatively low. For example, data subjects are deemed to have consented to their personal data being collected and used by failing to untick a check box. It is likely that you have come across this when shopping online. The GDPR is, however, much stricter on the level of consent needed from subjects. Consent must be unambiguous, given through a clear affirmative action, and distinguished from other matters (eg, pulled out and highlighted from a business' standard terms and conditions of sale). Therefore, businesses will need to state exactly what customer personal data will be used for and who they will be sharing it with. Failing to untick a box will no longer be deemed as adequate consent. Data subjects will now have to carry out the clear, affirmative action of ticking a box next to a business' unambiguous consent wording. Businesses will also need to make sure that they keep clear records of any consent given on their IT systems, so that they can prove that they obtained the adequate consent from subjects if challenged.

One of the biggest issues that this poses for businesses is the effect that it has on their existing customer databases. These databases will have been collected under the existing data protection legislation, which (as mentioned above) has a much lower consent threshold. Fortunately, it is unlikely that businesses will need to delete their existing databases. Commentators have suggested that circulating an email to existing subjects with new, GDPR compliant consent wording accompanied by a tick box should be sufficient. This will likely mean, however, that some personal data will need deleting if some data subjects fail to respond to such an email.

Direct marketing

Currently, businesses may use personal data for direct marketing (such as marketing emails) where:

  • they have obtained a subject's details in the course of a sale or negotiations for a sale of a product or service;
  • the messages are marketing similar products or services to that business; and
  • the data subject is given an opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.

This is known as the soft opt-in. As a result of the new consent provisions mentioned above, this will no longer be permitted. While this will likely be good news for data subjects, with spam emails becoming fewer and further between, businesses will need to comply with much stricter rules to continue sending marketing emails.

New, higher penalties

The new competition law style penalty provisions imposed by the GDPR will raise the stakes for businesses and will mean that ensuring compliance becomes a board level issue. As it stands, the highest fine that may be awarded by the UK Information Commissioner's Office (ICO) is £500,000. To date, the highest penalty actually awarded by the ICO is £350,000. Under the GDPR, businesses falling foul of its provisions will be subject to fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, depending on the severity of the breach.

Final thoughts

The GDPR poses a number of key challenges to UK businesses, irrespective of how the British public decides to vote on 23 June. There is much discussion in the legal and commercial press as to which challenges will prove to be the greatest for businesses caught by the GDPR. However, what is clear from the long awaited final text is that this will certainly be a busy two years for any business wishing to avoid the prospect of potentially huge fines.

Hannah Duke is a fourth-seat trainee at Travers Smith