Mishcon de Reya page structure
Site header
Main menu
Main content section

What is GDPR?

Posted on 27 March 2018

GDPR stands for General Data Protection Regulation, an EU wide overhaul of data protection law which applies across the EU, including the UK, since 25 May 2018. This short film explains what GDPR is and what it means for companies and individuals.

For more information see GDPR and Data Protection.

Mishcon de Reya

What is GDPR?


Nina O’Sullivan

Legal Director, Mishcon de Reya

I am Nina O’Sullivan, Legal Director at Mishcon de Reya.


What is GDPR?  GDPR, or the General Data Protection Regulation is an EU wide overhaul of data protection law which will apply across the EU, including the UK, from 25 May 2018.  It builds on existing principles of data protection but it enhances privacy protection, promotes transparency and gives individuals more control over their personal data.  Personal data could be anything from customer’s contact or bank details, to employee data such as sickness or holiday records.  It also includes online identifiers such as an IP address.  GDPR imposes new and more onerous obligations on controllers, those who determine how and why personal data is processed, and processors who act on the controller’s behalf.  Two key themes in GDPR are transparency, you must tell people in clear language what you will do with their data through concise and easily understood privacy policies.  And accountability, you must be able to show that what you have done is in accordance with the law.  A controller must have a lawful basis to process personal data.  This could include processing where it is necessary for its legitimate interests, where consent is obtained the bar has been set much higher.  Pre-tick boxes are no longer allowed.  A data breach may lead for a fine of up to 4% of the worldwide turnover of the business or Euros 20,000,000, whichever is the greater.  The bigger concern for business may be private enforcement, claims for damage or distress and damage to their reputation.  Certain types of breaches must be reported to the UK Information Commissioner within 72 hours.  Breaches can be deliberate or accidental but most frequently stem from mistakes – employees leaving laptops on trains, sending emails to the wrong recipients or failing to keep passwords secure.  GDPR may seem disruptive but it could strengthen customer relationships.  How have you embraced the opportunities?


Mishcon de Reya 

It’s business.  But it’s personal.

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else