A brief guide to changes in data protection rules

Set for enforcement in May 2018, The General Data Protection Regulation (GDPR) is one of the most wide-ranging pieces of legislation passed by the EU in recent memory. It is being introduced to standardise data protection law across the single market and give people, in a growing digital economy, greater control over how their personal information is used.

Does the GDPR apply to my business?

All organisations that process personal data and operate within, or sell goods to, the EU are affected by the GDPR. The definition of processing is designed to cover practically every type of data usage and includes collection, storage, retrieval, alteration, disclosure and destruction.

The GDPR applies to both data ‘controllers’ and ‘processors’. Data controllers determine the purpose of, and the manner in which, data is processed. Data processors are any third party that processes data on behalf of a controller.

Will Brexit affect the adoption of GDPR?

The GDPR will be enforced in the UK from 25th May 2018 and will apply until at least March 2019, when the UK is expected to leave the single market. Upon Britain exiting the EU, the Great Repeal Bill is expected to copy the requirements of the GDPR into UK law.

The UK government has yet to announce firmly its long-term intentions to supersede the GDPR. In June 2017, the Queen's Speech made reference to new data protection legislation designed to ensure that the UK retains its position as a ‘world-class regime protecting personal data’.

To achieve the ‘adequacy decision’ needed to ensure that EU organisations are able to transfer personal information to the UK after Brexit, any new UK data protection legislation will need to be on a similar level to the GDPR.

What is personal data?

Article 4 of the GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. For most organisations, this means implementing appropriate measures to protect information relating to employees, customers and partners.

The GDPR expands the definition of personal data beyond the current Data Protection Act (1998) to also include information that could be used to indirectly identify individuals, such as ID numbers, location data and online identifiers including IP addresses and web cookies. Other examples of personal data protected by the GDPR include:

  • HR records
  • Customer contact details
  • Health records
  • Biometrics
  • CVs
  • CCTV and call recordings

How does the GDPR differ from the current Data Protection Act?

  • An expanded definition of personal information to include online identifiers such as IP addresses.
  • An increased level of fines for organisations that fail to comply and/or suffer a personal data breach.
  • The need for some organisations, such as public authorities and those that process large amounts or special categories of data, to appoint a Data Protection Officer.
  • A tightening of the consent rules governing the collection and use of personal information.
  • The right for individuals to be forgotten, by requesting erasure from records.
  • Promotion of privacy by design: ensuring data protection is taken into account at every stage of the product development process.

There are six key principles in the GDPR

Article 5 of the GDPR lists the main principles all organisations should comply with. These outline how personal data should be processed, collected and retained.

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security

Principle six of the GDPR: ensuring the security of personal data

In order to ensure ongoing data security, principle six of the GDPR states that personal data should be processed in a manner that maintains appropriate security.

Protecting personal data against unauthorised processing, accidental loss and destruction is therefore an integral part of the measures every organisation should take.
