Not long to go now! The General Data Protection Regulation (GDPR) will be enforced across the European Union and beyond from 25 May 2018. Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, explains why the General Data Protection Regulation (GDPR) is all-important for law firms.

It is not just the headline figures of potential penalties from the Information Commissioner’s Office (ICO) of up to €20M, or 4% of global turnover, which are of importance.  ‘Data subjects’ will not only have enhanced data protection rights, but also a much greater awareness of those rights. Complaints to the ICO will result in enforcement, and any enforcement activity will have a major impact on reputation, which is all-important for law firms.

Most organisations haven’t started taking serious steps towards compliance: it’s not yet time to panic, but it is time to start planning and putting measures in place. 

The underlying principles of the GDPR are essentially the same as the Data Protection Act 1998 (DPA), but it incorporates a great deal of what is currently seen as best practice as mandatory obligations. 

The problem is that very few organisations have made a genuine attempt to be compliant with the current DPA set up.  This is why GDPR compliance is likely to be challenging.

As with any new legislation, much is clear but a great deal is still unclear – guidance is slowly emerging from the Article 29 Working Party (the relevant EU committee) and the ICO. So there are some very useful activities, such as personal data audits, which can usefully be carried out now. 

The ICO has made it clear that they will expect organisations to have taken suitable steps towards compliance by May, and that there will be no ‘honeymoon period’ for those that haven’t.

Tim Musson has been delivering a number of Law Society of Scotland CPD & Training events on data protection and the GDPR. Find out more about upcoming CPD courses.

Useful links

More information on the GDPR can be found on the ICO website:

… and on the European Commission’s websites:

Finally, you can find the official text of the General Data Protection Regulation at