Brexit or no Brexit, 25 May 2018 is the date from which organisations that do not comply with the EU General Data Protection Regulation (GDPR) may face heavy fines: for the most serious infringements, up to 4% of annual global turnover or €20 million, whichever is higher. The regulation applies to any organisation processing or holding the personal data of data subjects in the European Union, regardless of where that organisation is located, and it is likely that even after Brexit the UK government will keep an equivalent legal mechanism in place. It covers data held digitally and on paper alike. Any individual can make a subject access request (SAR), and the organisation then has one month to respond (extendable in complex cases, but it must say so within that month). A thorough SAR will ask for a copy of all the personal data held; the purposes for which it has been used; the third parties with whom it has been shared; how long it will be retained; where it was obtained from; and details of any breach affecting it.
For marketing, the central issue is consent. To comply, organisations must be able to show that each data subject was given a clear, specific request for consent to use their personal data for communications, and that the subject actively agreed. Consent must be a positive action: pre-ticked boxes and silence do not count, and an opt-out box is no longer enough. You will need to build an opt-in step into your marketing communications, by which a recipient explicitly agrees to being contacted, and you should keep a record of when and how that consent was given. Bear in mind that consent can be withdrawn at any time, and withdrawing it must be as easy as giving it; once it is withdrawn, the communications must stop.
In the UK the GDPR will be enforced by the Information Commissioner's Office (ICO). Although the ICO has said there will be no grace period after 25 May, it is unlikely to come down hard on an organisation that can demonstrate it is actively putting the appropriate measures in place to achieve compliance; what it will not tolerate is an organisation that has done nothing.