If you saw the Queen's recent speech, you may have overheard Her Majesty talking about the General Data Protection Regulation (GDPR).

The GDPR is an EU-wide piece of legislation replacing the better-known Data Protection Act (DPA) and will affect many UK businesses. The GDPR will apply in the UK from 25th May 2018.

Who does the GDPR apply to?

The GDPR applies to 'controllers' and 'processors'. The controller says how and why personal data is processed and the processor acts on the controller's behalf. The obligations for processors are a new requirement under GDPR and processors will have significantly more legal liability if responsible for a breach. However, GDPR also places obligations on the controller to ensure that their contracts with processors comply with GDPR.

What information does the GDPR apply to?

  • Personal Data - GDPR's definition of personal data is more detailed than the DPA's and reflects changes in technology by including such things as IP addresses, email addresses, usernames etc.
  • Sensitive Personal Data - Special categories of data, which now include genetic data and biometric data used to uniquely identify an individual.

For many organisations that already comply with the current Data Protection Act, the changes to definitions should make little practical difference.

The new legislation is designed to extend the data rights of individuals so that people are a lot more aware of how their information is being used. It also requires organisations to develop clear policies and procedures to protect personal data. There will be considerably tougher penalties and reputational damage for those companies who do not comply.

If you want any further information regarding the General Data Protection Regulation and how it will affect you, please contact us.