Lawgistics: GDPR – what was all the fuss about?

This month’s partner blog post comes from legal consultancy firm Lawgistics

Lawgistics provide specialist motor trade law advice and support to a range of clients within the retail motor industry.

Nona Bowkis is a Solicitor at Lawgistics Ltd, and this month Nona has written this informative piece on GDPR for the Spidersnet blog…

The General Data Protection regulations (GDPR) came into force in May 2018. Prior to its implementation, GDPR warnings were everywhere, people were killing off their marketing databases and seeking consent regardless of whether they needed to or not. Since May, it’s all gone rather quiet, or has it?

Well no, the scare tactic marketing may have calmed down but GDPR and its lesser known UK equivalent namely the Data Protection Act 2018 (DPA) which came in to force on the same day, are alive and very much kicking. Here we take a look at some of the issues and fines which have already been raised and look at what you can do to avoid them.


First and foremost, if you are processing personal data (and you are likely to be if you deal with consumers), you need to register with the Information Commissioner’s Office (ICO) at:

There is a fee to pay which is dependent on the size of your organisation and starts at just £40 for micro enterprises. For SMEs, its £60 and for those with over 250 staff or a turnover of over £36 million, it is a fee of £2900. Payment by Direct Debit gets you a £5 discount – don’t spend it all at once!

A more useful benefit of paying by Direct Debit is that you won’t forget to renew as failure to pay the fee (and this includes renewals) is a civil offence and can attract a fine of up to £4350.

Within just 6 months of GDPR coming into force, the ICO had issued over 900 notices of Intention to Fine and over 100 penalty notices. And they will carry on issuing fines, as these fines help fund their ongoing work which is now undertaken by 670 staff.


Subject Access Requests or SARs are not new. However, where you used to able to slow the process down by requesting a £10 fee, you now only have one calendar month to respond to any request and, you can no longer charge a fee. This means you must have a system in place enabling you to retrieve data pretty quickly in response to a request.

Since GDPR we have seen an increase in the number of SARs being made and mostly they are from the sort of pesky consumer who just wants to be a pain, because they can.

GDPR and the DPA give any data subject, that’s you and me, the right to get a copy of all the personal data held by a company. This can include emails, CCTV footage and copies of recorded telephone conversations..

Nona Bowkis, Solicitor at Lawgistics Ltd

Now if you have a Privacy Policy in place (more on this later) which states that you keep CCTV footage for 6 years, then you need to think about what you will do if a consumer asks for a copy of any footage 5 years after their visit. If you have it, you need to be able to hand a copy over. Do you have a system in place to do that within the required 30 days?

This may sound like an onerous task but nonetheless, it is something you need to think about when putting your policies in place.

If a SAR is complex, you can extend the response time by a further two months. If a person did ask for CCTV footage from 5 years previous, it is a legitimate response to go back to them and ask for specific dates and times to make it easier to find.

By now, everyone should have all their privacy policies in place. People visiting your website need to know what you do with their data

Nona Bowkis – Lawgistics

It is also possible to refuse to provide the data if you consider the request to be ‘manifestly unfounded’ or ‘excessive’. Now in the case of consumers asking for data just to cause grief because they cannot get what they want, we feel it is justified to say the request is manifestly unfounded. However, there is very little guidance on this matter and so ultimately it may fall to the ICO to decide in the event the consumer complains to them about a request refusal on that basis.

Lastly on the topic of SARs, you should not provide any data relating to a third party, as an individual is only entitled to a copy of their own data. You can seek the express consent of any third party or you can decide if it is reasonable to disclose the information without their consent, but the general rule is that people can only have their own data. This has already been an issue with consumers asking for copies of phone calls with sales people, usually because they want evidence of something which they say was promised to them. 

Strictly speaking you can simply provide a copy of the consumer’s voice or a transcript of what they said as a SAR is simply a request for a copy of their data and not a backdoor way of getting evidence to support any complaint they may have.


By now, everyone should have all their privacy policies in place. People visiting your website need to know what you do with their data. A cookie policy goes some way to explaining that, but it is not enough. Consumers need to know how you treat their data, how long you keep it for and how they can access copies. Your employees also need to know how you treat their data. In addition, you need a written contract in place with any third parties you use to process your customer’s data.

If you are missing any of these, you can get a FREE GDPR pack complete with templates for all the above by emailing And, if you are a member of Lawgistics you get free access to which in addition to helping you manage all of your employment obligations, and your Health and Safety compliance checks, it will also help you with your ongoing obligation to comply with GDPR and the DPA.