Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

Leeds: 0113 244 6100

Sheffield: 0114 267 5588


Send us an enquiry

Wrigleys Solicitors' advice on data protection and GDPR

The law on data protection changed on 25 May 2018 when the General Data Protection Regulation comes into force.

What is the GDPR?

The European Union has adopted the General Data Protection Regulation ('GDPR') to update the current data protection regime (which is incorporated into UK law by the Data Protection Act 1998 ('DPA')).

The GDPR strengthens the rights of data subjects and updates the legislation in order to take account of advancements in technology since the previous regime was brought into effect. It regulates the storage, use and destruction ('processing') of personal data.

The GDPR will come into effect on 25 May 2018 and will be fully in force from that date.

What are the key changes the GDPR will make to the current DPA regime?

The GDPR makes several important changes to data protection provision. Some of the key changes include:

- The definition of personal data has been expanded to include online identifiers such as IP addresses and cookies;

- A higher standard of consent must be obtained prior to processing personal data using this basis;

- Reporting requirements to the Information Commissioner's Office ('ICO') and, in some circumstances, the data subject in the event of a breach of the GDPR have been strengthened;

- The maximum fines the ICO can impose for data security breaches have been substantially increased.

Who does the GDPR apply to?

The GDPR applies to all 'processors' and 'controllers' of personal data. Broadly, a controller directs how and for what purpose personal data is processed, whilst a data processor acts on the controller's behalf. Personal data is any information relating to an identifiable living person.

The GDPR applies to Wrigleys in the same way it applies to many other organisations. We consider ourselves to be data controllers in relation to our processing of the personal data of our clients and employees.

Additionally, there are special categories of personal data (such as ethnic origin, political opinion or health data) which have further protections afforded to them under the GDPR.

What are Wrigleys doing to prepare for the implementation of the GDPR?

We already have policies, procedures and security software in place in order to ensure compliance with the DPA. In order to ensure we are fully compliant with the GDPR, we have taken steps to analyse and improve our current procedures and policies:

- We have established a GDPR working party, which meets on a monthly basis, to provide strategic oversight of our review and assessing the firm's readiness for the GDPR;

- We have analysed all our data processing activities to understand what data we receive (and where it comes from), what we do with data and what data we send to others (and where it goes to);

- We have undertaken a review of all our data processing activities in order to establish and record the lawful basis for each processing activity;

- Each department has undertaken its own review of processing activities which are specific to that department. This has been undertaken with the help of the data protection committee in order to ensure that all data processing activities have been captured and recorded;

- We refreshed the consents we rely upon to process personal data so as to ensure they are fully compliant with the GDPR;

- We are reviewing all our contracts with third parties to ensure that the provisions we have put in place to protect personal data in those contracts will satisfy the requirements of the GDPR;

- We are developing revised privacy policies and updating our terms of business to ensure our clients are fully informed of the processing we undertake;

- We are revising our data protection policy to ensure that it covers all of our data processing activities and is fully compliant with the GDPR; and

- We have developed a comprehensive training package for our employees to ensure that they all receive appropriate training on the impact that the GDPR will have on our procedures.

What does this mean for our clients and employees?

We take our responsibilities under the GDPR very seriously. As we review our current policies and procedures we will be in touch to notify you of updated policies and procedures we put in place in light of the GDPR.

Find out more

If you would like to know more about our approach to the GDPR, please get in touch with Malcolm Lynch, Peter Parker or another member of our data protection committee on 0113 244 6100.

GDPR Articles:

Article: "What will the EU’s new data protection regime mean for UK charities?" Peter Parker considers how charities can comply with changes to data protection law (Published by Civil Society in March 2017)

Article: "What should charities and social enterprises be doing to prepare"

GDPR Podcasts:

Data protection and GDPR: an overview.

What you should be doing to get ready for the GDPR and when should you be doing it? Some practical steps.

How do you know what data you're holding and what should you be doing with it?

Are your data protection consents fit for purpose?

Do you have a "legitimate interest" to process data?

Transferring data to third parties. Keeping it legal.

What happens if you're in breach of the GDPR?

GDPR Documents:

Data Mapping Questionnaire: Undertaking a data mapping exercise is one of the first exerises an organisation should undertake in preparing to become GDPR ready. We have produced a questionnaire to help charities and social enterprises to identify the personal data held by them and the types of processing activities carried out in relation to that data.

Peter Parker View Biography

Peter Parker

Direct Line: 0113 204 5792


Sue King View Biography

Sue King

Direct Line: 0113 204 5708


Meet the team

29 Feb 2024

Revisions to the National Planning Policy Framework – A step in the right direction for community-led housing?

Here we examine the latest planning policy revisions in England and Wales and their implications for community-led housing proposals.

29 Feb 2024

Neuroinclusion at work – a new resource from the CIPD

New guidance highlights need to embed inclusive practices to support neurodiverse staff.

28 Feb 2024

EHRC releases menopause in the workplace guidance for employers

Guidance is latest in line of efforts to raise awareness of the impact of the menopause at work.