Karen Holden, founder of A City Law Firm, details what employers need to know about the changes the General Data Protection Regulation (GDPR) will bring


The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA) from the 25th May this year. The new regulation will bring with it important changes to the ways that data is stored and processed by businesses. Its introduction is designed to set clear rules for businesses when collecting and storing personal data, and it will also allow everyone to understand their rights relating to the information that is held about them. The regulation was introduced as a response to the increased number of active internet users, and the sales of personal information, allowing consumers more power over their personal data.

The new law will bring the UK in line with the rest of the EU with regard to data protection, and nothing (not even Brexit) will slow or stop its implementation. It is best to start preparations now, if you haven’t already! Your business should have strong policies in place to avoid scrutiny and potential fines.


What are the Key Principles of GDPR?

GDPR has a similar general framework to DPA, but the level of compliance is dependent on how much data is collected and processed and what data is being collected. In short – the more data you collect, the more compliant to GDPR you must be.

However, no matter the size of the business, you must still afford privacy protection, notification and consent, and protect the information by secure storage. GDPR places a larger focus on protecting the rights of the public over their data; therefore, when a company collects and processes any data, it must also be able to justify why it is collecting it.

What is meant by ‘Data’?

When discussing ‘Data’ in relation to GDPR and DPA, it can relate to an individual’s name and address. However, it can also extend further and include fingerprints, DNA, recorded calls and date of birth, and the definition has now become more stringent to include any information that can be tracked to a single person. All of this information will be covered and protected by GDPR.


Does this impact how we record phone calls?

If you record phone calls for your business, it is important to ensure you are complying with the following conditions:

1. Have consent from all on the call to record the call.

2. Make sure it is necessary to record the call, and that is clearly explained i.e. to fulfil a contract, or for legal requirements.

3. Make sure it is protecting the interests of one or more participants.

4. Recording the call is in the public interest, or is necessary for the official authority to perform their job.

5. The recording must be in the direct interest of the recorder, but this can be overridden should there be a conflict of interest with the other members of the call.

When the business is recording calls to monitor customer service, they must still ensure that they are fulfilling the first condition to be fully compliant. However, the final condition may still apply, as it can be argued that the participant’s privacy outweighs staff quality assurance.

If you want to continue recording phone calls, this is what you need to know. Under the DPA, if a phone call is recorded, the individual must be informed of the purpose and how the information will be processed. If the participant continued with the call, their consent was assumed. Under the GDPR, however, there are tighter regulations, so implied/assumed consent is no longer enough. Express consent must be given, either by recording verbal consent, or having AI terminate the call if consent is not given.

An Individual’s Rights to Access their Data have Changed

The GDPR allows individuals to now have absolute access to any information that is stored about them, and companies must have an efficient process of identifying and providing this information on request. In addition, should the individual request to have their details removed, it must happen with immediate effect. Any policies that are put into place to ensure your compliance must be co-ordinated with your IT and call recording provider, to ensure that all claims are fulfilled.


With the introduction of the ‘Principle of Accountability’, businesses must now actively be able to display their compliance with the new rules. The GDPR stresses the importance of data protection systems, stating that businesses must implement them with immediate effect. It is important to make sure any policy that is introduced is honest and realistic, as this will make it easier when you need to prove your compliance. Having an extensive policy may appear more impressive, but it will not be useful if your staff and providers are unable to fulfil the obligations.

In order to successfully implement any policy, there are several steps that must be completed:

1. Policies and Protocols must be drafted.

2. Staff must be trained fully so that they are aware of and comply with the new provisions.

3. Finally, these new provisions must be implemented and carefully managed for complete compliance.


Should any company fail to comply with the rules of the GDPR, there are new penalties in place, designed to punish and deter organisations from committing further breaches. Under the DPA, there was a fine of up to £500,000 that companies would have to pay should they not follow the rules. The new GDPR brings with it a new penalty: companies are now required to pay a fine ranging from 2-4% of their global turnover, based on the severity of the case. These fines are designed to have a large impact on non-compliant companies, therefore it is important for businesses to act sooner rather than later!


How Can Your Lawyer Help?

At A City Law Firm, we believe that when deciding what improvements and changes need to be made you need to have a full understanding of your business, its operations and the data you really need to be collecting. There is no ‘one size fits all’ template that can fit all companies, and therefore businesses must work with their lawyers to decide what can be accomplished based on the following:

  • Size
  • Budget
  • Suppliers
  • Compliance

Your lawyer should not attempt to provide a template document to help with GDPR compliance, rather they should provide actual guidance so that necessary changes can actually be implemented. Talking to providers will also help you identify if you will be compliant by the time GDPR comes into effect.

We provide regular workshops on GDPR, particularly on how to deal with the third parties that are essential to your business. We can also specifically discuss your business and GDPR requirements on a personal basis.