bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

Data Protection and GDPR – Are we nearly there yet?

24 October 2017

The Holyrood Connect Conference – GDPR The Future of Data Protection - attracted a large crowd in Glasgow on 18 October 2017 and BTO Solicitors were one of the main sponsors with BTO presenting on GDPR breach tactics and taking part in a lively panel session.

The large number of delegates, primarily from the public sector, was testament to the challenges and volume of work facing some organisations but also demonstrated a desire by those attending to “get it right”.

Lynn Richmond
Lynn Richmond, Partner

While organisations will undoubtedly have to devote a significant amount of time and expense to ensuring compliance with GDPR, the view is clearly that the penalties and implications of failure to comply are such that GDPR simply cannot be ignored. The timely publication of the Article 29 Data Protection Working Party’s guidelines on personal data breaches earlier this week also underlined the importance of data management and the importance of having policies in place when things don’t quite go to plan.

Despite, the warnings and words of caution about failure to comply, the mood was generally upbeat with Maureen Falconer, the ICO Regional Manager for Scotland, reassuring audience members that if they were getting data protection right under the current legislation, GDPR compliance should not be too burdensome. One welcome theme was the discussion of sector specific guidance addressing the particular challenges that may be faced by public sector bodies. Article 40 of the GDPR encourages representative organisations to prepare codes of conduct in to relation several aspects of processing and significantly provides that draft codes should be submitted to the ICO who must provide an opinion on whether the draft complies with the GDPR and will approve it if it finds that it provides sufficient appropriate safeguards.

The publication of the draft Data Protection Bill in September 2017 assists in relation to drafting such codes but it may be the case that a representative body would struggle to get the ICO to approve a code until the Bill has become an Act and we have clarity on the final terms.

The Bill contains the provisions required to bring the Law Enforcement Directive into UK law and this must be in force by 6 May 2018; the rest requiring to be in force by 25 May 2018. With the GDPR deadline looming Parliament cannot afford to drag its feet to allow the ICO to get to grips with any nuances, not to mention the organisations who have to comply – including the ICO.

The first amendments to the DP Bill will be debated in the House of Lords on 30 October 2017 and that is likely to set the tone for the progress of the Bill.

The new e-Privacy Regulation will also have an impact on data processing for those organisations involved in direct marketing. Europe is still indicating that the new Regulation will also come into force on 25 May 2018 but it appears to be recognised that this is unachievable given the amount of disagreement in relation to some of the terms.

One of the GDPR headlines has been the power awarded to the ICO to impose fines of up to €20million or 4% of annual turnover, whichever is the highest, for personal data breaches. BTO reminded organisations of their obligations and the policies which they should have in place to deal with breach notification. BTO emphasised some important factors which have tended to be lost in some of the noise surrounding the level of fines, including the fact that not all breaches require to be reported. While organisations will need to act quickly to notify relevant breaches, the importance of taking professional advice before notifying the ICO or data subjects of a breach cannot be underestimated.

The Conference interactive sessions proved that there is a good level of engagement among public sector organisations but GDPR is only one part of the puzzle. The Data Protection Act, when passed, and the e-Privacy Regulation will also have an effect on how personal data should be processed. Organisations must ensure that they have new policies and procedures in place and, after 25 May, ensure ongoing compliance and best practice.

BTO are here to take the pressure off you and have a developed a GDPR Implementation Process which we believe can be adapted to all organisations, depending on their requirements and which also provides clarity in relation to costs in advance. More about this product can be found here.

For more information visit our GDPR updates page or contact the Data Protection team.

Contact: Lynn Richmond, Partner T: 0131 222 2939


“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO


  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803


  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949