ICAEW.com works better with JavaScript enabled.

GDPR and Privacy Shield

Background information on the General Data Protection Regulation legislation and Privacy Shield (formerly Safe Harbor).

General Data Protection Regulation (GDPR)

- updated content as of 3 May 2017

This article is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters mentioned in this article.


The EU has introduced the GDPR to update and harmonise data protection practices across the EU. It will apply to all EEA countries and any individual or organisations trading with them. As it comes into force on 25 May 2018 (before the UK leaves the EU), UK individuals and organisations must ensure compliance with the new regime by then.

The Information Commissioner’s Office (ICO) and the government have confirmed that they expect UK individuals and organisations to adhere to the GDPR, as post-Brexit the UK’s data protection legislation (currently the Data Protection Act 1998 (DPA)) must meet the GDPR standard.

Why the change?

The GDPR is partly an update to meet the new challenges of the 21st century. It has done this by increasing protection for consumers and placing the onus on individuals and organisations to handle personal data correctly and securely.

What is the same?

  • The definitions of "processor" and "controller".
  • The ICO as the UK’s regulator.
  • The eight principles still apply.
  • International data transfers (excluding self-assessment).

What has changed?

  • Data processors - must now maintain records and are directly liable if responsible for a breach.
  • Data controllers - new obligations including a duty to ensure that your contracts with processors comply with the GDPR.
  • "Accountability principle" - you must show how you comply eg document what you have done and why.
  • Privacy impact assessments - must be carried out to assess the risk to individuals' rights, eg when using new technology.
  • Higher standards for consent.
  • Enhanced rights for individuals, including the right to be informed, object and be forgotten as well as rights regarding access, rectification, erasure, restrictions on processing, data portability and automated decision making.
  • Data protection officer - not mandatory for all organisations but an appropriately senior individual must be responsible for GDPR compliance.
  • The duty to report a breach quickly will apply to all and failure to report will result in a fine.
  • Increase in maximum fines (4% of global annual turnover).

What should ICAEW members do now?

Doing nothing is not an option, because if the UK were subsequently to repeal the GDPR, very many organisations would still have to comply with the GDPR. GDPR applies to processing of personal data where the controller or processor (i) is in the EU, and/or (ii) offers goods and services (even if free) to, or monitoring activities of, EU data subjects.

As a start, you must evaluate whether your existing practices and procedures meet GDPR standards and then plan how you will address any shortcomings. This must be done in relation to any personal data you process or hold, whether on behalf of clients or your business. As a minimum, contract clauses on the sharing of data with others should be reviewed to check for compliance with the GDPR.

Your clients will also have to comply so it might be worthwhile checking that they are aware of these changes; supporting them in this may be an "added value" opportunity for you.

What next?

The ICO has promised detailed guidance soon. In the meantime, our advice is to check whether the GDPR applies to you and to regularly check the ICO's Data Protection Reform website for updates.


Privacy Shield (formerly Safe Harbor)

- updated content as of 13 July 2016

This article is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters mentioned in this article.

On 12 July 2016 the European Commission announced that the EU-US Privacy Shield framework had been adopted.

However it is likely that this new framework will shortly be legally challenged by those that feel it does not go far enough to protect EU citizens rights. As soon as more information is available this website will be updated.

This framework replaces Safe Harbour, which was deemed invalid in the autumn of 2015. The new framework attempts to provide strong consumer protection rights in light of concerns over privacy violations.

This new framework will ensure that the personal data from EU citizens is protected when processed by US companies.

The framework is based on a number of principles:

  • Obligations on US companies to provide privacy protection in-line with EU data protection act legislation.
  • Companies that commit to the regulation face exclusion if they fail to comply with the regulation.
  • Safeguards and transparency obligations on U.S. government when accessing EU data.
  • Effective protection of individual rights, including dispute resolution.
  • Annual joint review of the functioning of the framework.

If you operate in a multinational or work a US based organisation you should consider joining the Privacy Shield framework. US companies will be able to self-certify against the framework from 1 August 2016.

Further updates and information can be found on the Information Commissioner's Office website.

Useful links: