European Union: The GDPR: What You Need To Know

Last Updated: 28 June 2017
Article by Sara Johns and Laura Shirreffs
Most Read Contributor in Jersey, September 2019

The new General Data Protection Regulation (the GDPR) is the first major revision of Europe's data protection laws for almost 20 years, and takes account of the explosion of technology and social media in that time. The GDPR takes effect on 25 May 2018, and will represent a fundamental change in the relationship between members of the public and anyone who holds information about them – whether it is a business, a government department or a charitable organisation.

Familiar features

Many people are now familiar with the "right to be forgotten", which will allow people to ask for the erasure of personal data, the mandatory reporting of "data breaches" (a term found in the existing Data Protection Directive that refers to all manner of offences) to regulators within 72 hours of their discovery, the appointment of qualified data protection officers and fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the most serious transgressions.

The gravity of SARs

However, there will also be changes to "Subject Access Requests" (SARs), through which anyone can apply to a data controller (a government, business or charity that holds information on people) to see the data it holds on them.

Not many people make SARs under the existing law and most of those who do are plaintiffs - a SAR is useful as a "pre-action discovery tool" in a contentious claim.

SARs can represent a problem for organisations great and small. This is not necessarily because firms are reluctant to answer them – it is simply because organisations rarely hold data in such a way that allows them to extract it easily upon request. One of the cornerstones of GDPR is that businesses must understand what data they have and be able to access it with ease when asked to do so. An increase in the scope of SARs is expected under the new legislation, and the holders of data must be able to deal with those requests efficiently and in a shorter time period than today. Proper preparation is vital if firms want to keep the process cheap.

The current situation

Under the current Data Protection law (DPL), an individual's request for their personal data must be made in writing by letter, e-mail or fax. A request should include the requester's full name, address and contact telephone number. If the organisation in question has a dedicated data protection officer, the request may be made directly to them or to the organisation's website.

Once the SAR is received by the organisation, data controllers must carry out a search that is "reasonable and proportionate" to locate the individual's personal data. The directive does not, unfortunately, offer its own interpretation of the word 'proportionate' for the benefit of compliance officers. Some people – perhaps most – think that a SAR that asks for "all the information about me" is disproportionate. The requester should therefore state the nature of the personal data they want in order to assist the data controller's search.

The statutory time limit is currently 40 calendar days in the UK and Jersey, and 60 days in Guernsey. It starts to run from the date the data controller receives the request and any other information they may require, including the fee, identity documents and any further details to enable the data controller to locate the personal data.

Under the existing legislation, data controllers can charge a prescribed fee for responding to an SAR, with the maximum fee being £10. Different fees apply to requests for educational records, paper-based health records and to requests made to credit reference agencies. The individual should ensure that they have included a request for all of the information they require, as they may be charged an additional fee for any further request.

The future

The GDPR will take effect from 25 May 2018, replacing the Data Protection Directive, and will automatically come into force in all EU member states. Article 15 of the GDPR deals with SARs and introduces a number of changes that enhance individuals' rights and widen the definition of "personal data", the most significant of which are listed below:

1. Free of Charge

The GDPR requires a data controller to respond to every SAR request for free (which may pose the risk of greater volumes of requests). Whilst the first copy of an individual's data should be provided free of charge, the data controller may charge a reasonable fee based on administrative costs for any further copies requested by the data subject.

2. Refusal where excessive

It is possible to refuse to respond to an SAR if it is manifestly unfounded or excessive (or alternatively a reasonable fee for administration costs may be charged). Where large volumes of personal data are processed, the individual should specify exactly what information or processing activities their request relates to. The onus is on the data controller to prove that the request is manifestly unfounded or of excessive character. Only then can they refuse the request or charge an administration fee.

3. Electronic access and data portability

The GDPR requires the data controller to communicate the personal data undergoing processing to the data subject, together with any available information with regard to its source. If the data subject makes the SAR electronically (i.e. by email), the information must be made available to them in a commonly used electronic form, unless the individual requests otherwise.

This right is closely related to the new right under the GDPR to data portability, which is designed to permit the individual to quickly establish what types of data controllers hold about them and to extract that personal data in a compatible format for their own further use. They may put extra pressure on data controllers to put in place technical and organisational measures to ensure personal data can be extracted quickly and efficiently from systems and databases. The cost for this may well be significant.

4. Time periods for response

Data controllers will now only have one month to respond to an SAR. They may be able to extend this by a further two months taking into account the complexity of the request and the number of requests, but it seems likely that extensions of time will not be normal.

5. Right to withhold data

Under the GDPR an individual's right to obtain a copy of their data must be balanced against the rights and freedom of others. In cases where a third party's rights would be infringed, the firm can withhold data. While this provision is similar to an existing one under the Data Protection Law, the rights and freedoms that are recognised in the EU will change under the GDPR. Furthermore, EU member states are likely to introduce national derogations for personal data that benefit from legal privilege or that would prejudice law enforcement.

Whilst we are still waiting for local legislation to be drafted to understand the precise impact across the Member States, the UK government has commented that burdens on data controllers must be proportionate. They believe that the removal of the fee currently payable for subject access requests under the DPA would likely lead to an increase in repeated and vexatious requests that would ultimately be costly for businesses. It therefore appears that the UK government would favour retaining the current right of controllers to charge a small fee, but this is yet to be confirmed.

Next Steps

Businesses should start to plan for the GDPR now with the following action points:

  • Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
  • Test your organisation's ability to quickly isolate data relating to a specific individual in the necessary time period provided under the GDPR
  • Identify a point of contact within the organisation that will deal with SARs and ensure that their contact details are easily available
  • Roll out training to the necessary members of staff so they are able to quickly recognise and respond to an SAR
  • Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests
  • Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are being complied with
  • Whilst not for all organisations, consider putting a subject access portal in place to allow individuals to access their information easily online

Although fines under the current legislation are comparatively low and enforcement has arguably been light, the GDPR will significantly increase the maximum fines. Currently, the ICO can issue fines of up to £500,000 for serious breaches of the DPA. Under the GDPR it will have the power to serve fines of up to 4% of a business' annual worldwide turnover of the preceding financial year, or €20 million (whichever is the greater), making compliance more important than ever.

A version of this article first appeared in Compliance Matters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
