GDPR Awareness Statement - November 2017 - 02/11/2017

GDPR, expands and clarifies, the rights of data subjects and the ways in which organisations, which hold and process the personal data of EU citizens, must protect and conduct personal information. As part of European law, compliance with the GDPR is not optional, and McLays is fully committed to ensuring that it meets all of its GDPR requirements.

Within its one hundred and seventy-three recitals and ninety-nine articles, the GDPR contain some significant changes over previous data protection law (which varied between the different states of the EU). The data protection principles, as set out in the DPA remain, but they have been condensed to six principles (as opposed to eight) under Article 5 of the GDPR. In addition, the GDPR now includes mandatory data breach notification, increased fines of up to four percent of global turnover, a statutory role of an appointed data protection officer (DPO) and the use of data protection impact assessments. 

Like the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Consent may be given by a written, including electronic, or oral statement. This could include the data subject ticking a box when visiting a website, choosing technical settings for social network accounts, or any other statement or conduct which clearly indicates their acceptance of the proposed processing of personal data. Silence, pre-ticked boxes or inactivity will no longer constitute consent. In addition, Article 8 of GDPR has specific requirements in the use of personal data of children for the purposes of marketing, or creating personality or user profiles, and the collection of child data when using services offered directly to a child.

Data subject rights has been widened within Section 2 of GDPR and Article 17 includes the "right to be forgotten" online, with obligations on the data controller, who has made the personal data public, to inform other data controllers which are processing the data to erase any links to, copies, or replications of, that data.

McLays are presently incorporating GDPR requirements and management processes, into our existing ISO27001:2013 controls. McLays are confident of meeting the GDPR requirements, so this will be a smooth transition. 

McLays will be engaging with our Customers, early in 2018, as with the long standing Data Protection Act:1998 being superseded by the GDPR, McLays will need to advise some amendments / addendums to existing contracts and terms and conditions to ensure current data protection legislation is referenced. 

If you wish to learn more:

If you have any questions in how McLays is preparing to meet GDPR obligation, please contact Jonathan Thomas at