GDPR (the General Data Protection Regulation) is now in force, and that means organisations have greater obligations regarding how they handle personal data. That includes personal data on customers, staff and suppliers.

The new law is designed to harmonise data privacy laws across the EU – including the UK Data Protection Act (1998), which has now been repealed.

In a nutshell, GDPR gives individuals more rights regarding their personal information. It also puts more requirements on you as an organisation to meet those rights.

So, for example, you must now:

  • Put adequate processes and security in place to protect personal data
  • Let individuals know what data you hold on them if they ask to see it
  • Amend or delete the data if asked to by the individual
  • Inform individuals – and the Information Commissioner’s Office (ICO) – within 72 hours if they’ve been affected by a data breach

The ICO website gives more details of your requirements under GDPR and the penalties for non-compliance. It also gives examples of recent prosecutions.

Here at Johnston Kennedy, we don’t provide specific advice on GDPR. We do, though, recommend that you put appropriate processes and systems in place to comply with it.

For more information on our services – call us on +44 (0) 28 9045 6333 or

This blog post provides general information only and may not apply to your particular circumstances.