Beyond the Data Protection Act – What is GDPR? – Professional GDPR

To run a successful business, you must be able to quickly adapt to regulatory changes. One such change is the upcoming General Data Protection Regulation (GDPR), which comes into effect on the 25th of May 2018.

The GDPR is a set of regulations designed to protect the data of people living in the European Union. Businesses will have to comply with GDPR regulations if they handle the data of any EU citizen. Businesses or organisations in non-compliance with the GDPR may face heavy fines.

This article will provide an easy-to-understand overview of the GDPR and explain how Professional GDPR can help your business prepare for this regulatory change.

What Is GDPR All About?

The General Data Protection Regulation (GDPR) has been designed to strengthen data protection for individuals living in the EU. It supplements the UK’s Data Protection Act 1998 (DPA) – adding new kinds of protections and harmonising data privacy laws across Europe. The GDPR also gives EU citizens more control over their own data and compels businesses to notify users of data breaches.

The GDPR was created because the ways that data is used have greatly changed in the past decade. Large companies can now swap user data frequently and gather huge amounts of data on individuals. Individuals often feel like they have little control over the personal data that companies have collected.

The EU hopes that strengthening data protection legislation will protect EU citizens and help to build trust in the digital economy. They also hope that the GDPR will simplify the complex data protection laws currently in existence. The EU estimates that businesses will save more than €2.3 billion a year by having identical data protection laws across Europe.

While the GDPR came into force on the 24th of May, 2016, businesses and organisations have until the 25th of May, 2018 before they must comply with all regulations.

Who Does The GDPR Apply To?

Any EU business or organisation that is a controller or processor of data belonging to an EU citizen will have to abide by the GDPR. A data controller is an organisation that collects data from EU citizens, while a data processor is an organisation that processes data on behalf of a data controller.

That means every business in the UK that collects data from EU citizens must abide by the regulations in the GDPR. If the same business stores data with a cloud service or another third-party company, it must ensure that the third party also complies with GDPR regulations.

But Isn’t The UK Leaving The EU?

When the UK government triggered Article 50, it started the process of leaving the EU – a process which takes two years. That means the legal consequences of the GDPR will take effect before the UK has officially left the European Union. Politicians in the United Kingdom have also stated that any new data protection legislation in the UK will resemble the GDPR.

What Are The Principles Of the GDPR?

The GDPR sets out a number of different data protection principles. Many of the principles have a basis in the Data Protection Act 1998, but are expanded upon. The most important data protection principles include:

  • Data controllers must only obtain data ‘lawfully, transparently, and with fairness’
    This means that data must be obtained with the consent of an informed user. The GDPR adds a stipulation that the controller must be transparent about how the user’s data will be used.
  • The ‘purpose limitation’ principle
    Data obtained for specific purposes cannot be processed and used for other purposes. There are some additional exemptions to this rule in the GDPR, including scientific purposes and the public interest.
  • The ‘accuracy’ principle
    The data controller should take ‘reasonable steps’ to ensure the data held is accurate and kept up to date. The GDPR rules on accuracy are similar to those outlined in the DPA.
  • The ‘storage limitation’ principle
    This principle states that data should not be held for any longer than necessary. The GDPR places a couple of additional exemptions on this principle, allowing data to be kept when it benefits the public interest or is used in scientific research.
  • The ‘integrity and confidentiality’ principle
    The GDPR covers the same ground as the DPA in this regard. Organisations must make every effort possible to keep data confidential.

It is up to businesses to create a data protection policy that enforces these data protection principles.

How Professional GDPR Can Help

Pro GDPR helps organisations in the UK develop data protection policies that are compliant with the data protection principles of the DPA and GDPR. The services that we provide include:

  • Reviewing and auditing of the internal policies of your organisation to ensure they are compliant with the GDPR
  • Auditing the data that your company has to ensure it is accurate
  • Updating documentation which specifies how data is obtained and processed, to ensure data protection principles are maintained
  • Ensuring your staff is appropriately trained in GDPR compliance
  • Developing data protection policies which are suitable for your organisation
  • Explaining the finer details of GDPR to your staff members

Contact Professional GDPR on contact@ProGDPR.com or 0345 463 4637 for more information.
