GDPR Summary: Everything You Need To Know

On 25 May 2018 the General Data Protection Regulation (GDPR) became enforceable across the EU, changing the way data about people is collected, stored and used. It is one of the most wide-ranging pieces of legislation of recent times, brought in to standardise data protection law across the single market and to give people better control over how their personal information is used by players in the digital economy.

Here's a summary of GDPR revealing everything you need to know in plain, simple terms.

Who needs to take note of the GDPR?

In a GDPR context the word 'processing' covers almost every operation performed on data, including collection, storage, retrieval, alteration, disclosure, erasure and destruction. If your business processes personal data and is established in the EU, or offers goods or services to people in the EU, or monitors their behaviour, the GDPR applies to you, wherever in the world the business itself is based.

Data Controllers decide the purposes and the means of processing. Data Processors process data on behalf of a Controller and are usually third parties, such as a hosting or payroll provider. Both have direct obligations under the GDPR: a Processor can no longer rely on the Controller carrying all the responsibility, and either can be fined for a breach of its own duties.

What happens after Brexit?

The GDPR and the UK's Data Protection Act 2018 are designed to be read together: the Act fills in the areas the GDPR leaves to member states. The Act (introduced as the Data Protection Bill), which the government said would keep the UK a 'world-class regime protecting personal data', is intended to preserve GDPR standards in UK law after Brexit, so leaving the EU does not remove the obligations described here.

Can you define 'personal data'?

Article 4 of the GDPR defines personal data as 'any information relating to an identified or identifiable natural person'. In practice this means you have to put in place 'appropriate technical and organisational measures' to protect the information you collect and keep about employees, customers and partners.

The GDPR's definition of personal data is wider than that in the Data Protection Act 1998, because it explicitly includes information that can identify someone indirectly, for example ID numbers, location data and online identifiers such as cookie IDs, device identifiers and IP addresses. The test is whether the data can be linked back to a person: pseudonymised data (say, a hashed customer ID) is still personal data for as long as the means to reverse it exist.

Examples of personal data

Under the GDPR rules personal data includes Human Resources records, customer contact details, CVs, images and recorded conversations, as well as health records and biometric data, both of which count as 'special category' data and attract stricter conditions under Article 9.

What are the six key principles of the GDPR?

Here are the main principles all organisations need to comply with around the collection, processing and retaining of personal data.

Personal data must be:

  1. Processed lawfully, fairly and in a transparent way (lawfulness, fairness and transparency)

  2. Only collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with them (purpose limitation)

  3. Adequate, relevant and limited to what's necessary (data minimisation)

  4. Accurate and, where necessary, kept up to date (accuracy)

  5. Only kept for as long as necessary (storage limitation)

  6. Processed in a way that ensures appropriate security, including protection against unauthorised access, loss and damage (integrity and confidentiality)

How is GDPR different from the Data Protection Act 1998?

  • An expanded definition of 'personal information', covering indirect and online identifiers

  • Increased sanctions and bigger fines, up to €20 million or 4% of worldwide annual turnover, whichever is higher

  • Public authorities, and organisations whose core activities involve large-scale monitoring of people or large-scale processing of special category data, must appoint a Data Protection Officer

  • The consent rules have been tightened up: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes and silence no longer count

  • There's a new right to erasure, the 'Right to be Forgotten', under which people can have their data deleted in certain circumstances, for example when it is no longer needed for the purpose it was collected

  • Data protection by design and by default means privacy is built in at every stage of a product or service's development, and only the data needed for each purpose is processed by default

Do you need support with GDPR?

As a start-up or new business, have you taken the GDPR into account at every appropriate stage? As an existing business, are you 100% sure you're GDPR compliant, safe from fines? Either way we'll be glad to help.



St Bride Foundation

14 Bride Lane


©2019 by Forensic Control  All Rights Reserved.      