GDPR - The EU General Data Protection Regulation

What you need to know for your business.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is an EU regulation that unifies data protection rules across the whole of the EU and also controls the transfer of personal data out of the EU. It was adopted on 27 April 2016 and becomes enforceable from 25 May 2018. GDPR covers personal data about any identified or identifiable living person (the "data subject") in the EU, and personal data processed by EU-based organisations, and it is designed to give that person enforceable rights and protections.


Does it affect me?

You don’t have to be within the EU for GDPR to apply. It applies if you are established in the EU, or if you process personal data of people who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour. If that describes you, you must comply with the regulation in the way you handle that data. Compliance is not optional, and people cannot waive their rights to protection under GDPR.


What are the Penalties for Failing to Comply?

The penalties are much more significant than under previous data protection and privacy legislation. There are two tiers of administrative fine: up to €10 million or 2% of annual global turnover for breaches such as failing to keep records, notify breaches or conduct impact assessments, and up to €20 million or 4% of annual global turnover for breaches of the core principles, the data subjects’ rights or the rules on international transfers, in each case whichever is greater. This makes it even more important that you understand the GDPR and how it affects your business.

Brexit and the GDPR

UK organisations handling personal data will need to comply with the GDPR, regardless of Brexit. The GDPR becomes enforceable before the UK leaves the European Union, and the government and the Information Commissioner have confirmed that the regulation will apply and that the UK will continue to follow a compatible regime afterwards.

Useful Guidance

There are six data protection principles which form the basis for the processing of personal data. They are set out in Article 5(1) GDPR:

  1.  Lawfulness, fairness and transparency. Data processing should be lawful, fair and transparent. Transparency means that communication about the processing of personal data must be easily accessible and understandable, and that the data subject (the person whose data you are processing) receives information on the identity of the data controller (who is responsible for the data) and the purposes for which the data is being processed.
  2.  Purpose limitation. Data should only be collected for specified, explicit and legitimate purposes. Further processing incompatible with the stated purposes is not allowed, although this is subject to some of the other provisions of GDPR (for example archiving in the public interest, research, or legal obligations).
  3.  Data minimisation. Data must be adequate, relevant and limited to what is necessary for the specified purposes.
  4.  Accuracy. Data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay.
  5.  Storage limitation. Data must not be kept in a form that makes it possible to identify data subjects for longer than is necessary for the purposes. Data can be stored for longer periods for archiving, research or statistical purposes, subject to adequate technical and organisational safeguards to protect the data subject.
  6.  Integrity and confidentiality. Appropriate technical and organisational measures must be in place to protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The final overriding principle, sometimes called the seventh principle, is the accountability of the data controller, stated in Article 5(2) GDPR: the controller is responsible for, and must be able to demonstrate, compliance with the principles. Unlike previous legislation, if you make use of personal data you must be able to show, with records and evidence, that you do so in a way that is compliant with the regulation.



You must have a valid, lawful basis in order to process personal data. Article 6(1) GDPR sets out six bases for lawful processing. Specifically, you must be able to rely on one of the following:

1.  Consent, which must be freely given, specific, informed and unambiguous. You will need to record evidence of this consent, and the data subject can withdraw it at any time.

2.  Performance of a contract with the data subject, where you need the data to perform that contract.

3.  Legal obligation of the controller. A law requires you to collect or process the data.

4.  Vital interests of the data subject or another (natural) person. For example, access to medical information in an emergency.

5.  Public task, or official authority. This covers processing necessary to perform a task in the public interest or to exercise official authority vested in the controller, for example the statutory functions of public bodies and specific forms of research.

6.  Legitimate interest, subject to the rights of the data subject. Your right to process the data must be balanced with the data subject’s rights and freedoms.

For further guidance the ICO has published some helpful material. Different bases for processing confer different rights on the data subject, for example the right to object (legitimate interests and public task) and the right to withdraw consent (consent). You should choose your basis for processing before you start collecting and using data and document the decision. Other than in exceptional circumstances, you should not change the basis you are relying on once processing has started.

Useful Resources

GDPR - Full Text

Full text of the GDPR and its recitals (173).

GDPR Overview (ICO)

An overview of the General Data Protection Regulation from the UK Information Commissioner’s Office.

A Risk-Based Approach to GDPR

The Fair Data approach to GDPR compliance.

The Benefits of GDPR

A benefits analysis researched by London Economics, for the UK Department for Culture, Media & Sport.

NCSC- 10 Steps to Cyber Security

National Cyber Security Centre (UK) guidance on Cyber Security.

Privacy Impact Assessment Guidance

Privacy Impact Assessment guidance and resources from the UK Information Commissioner’s Office.

Privacy by Design

The original approach to privacy by design, from the Information and Privacy Commissioner, Canada.

Privacy Shield

The US framework agreed with the EU and Switzerland to enable transfers of personal data to participating US organisations under EU law (see the adequacy decision) and Swiss law.

ICO self assessment toolkit

Checklists from the UK’s Information Commissioner’s Office to assess your compliance with the Data Protection Act and find out what you need to do, including guidance on getting ready for GDPR.

Accountability and Governance

UK Information Commissioner’s Office guidance on the provisions for accountability and governance, including the accountability principle and guidance on records of processing activities.

Documentation for GDPR

UK Information Commissioner’s Office guidance on how you should document your processes, and what records you should keep to demonstrate your compliance with GDPR.

The Data Protection Act 2018 – Still time to have your say

GDPR in the UK – The Data Protection Bill


Using our suite of tools you can prepare for, and stay compliant with, the GDPR. Ask us about our:

  • GDPR action list generator
  • compliance timeline plan
  • GDPR audit questionnaire
  • GDPR systems audit and mapping
  • GDPR risk assessment
  • GDPR staff training tool and training log
  • GDPR records processing tool
  • GDPR supplier and vendor assessments
  • DSAR handling tool
  • breach notification handling tool
  • policy handling for GDPR
  • staff offboarding questionnaire