What is the GDPR?

The General Data Protection Regulation (GDPR) took the EU 4 years to create. The legislation has been devised to give people more say over what companies do with their personal data.

The Data Protection Act 1998 is currently in place in the UK. Once the new legislation comes into effect, the 1998 Act will be superseded. The idea is that data protection rules throughout the EU are practically identical.

As of 25th May 2018, companies must ensure that all personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. GDPR also adds IP addresses and economic, cultural and mental health information to what counts as a person’s personal data.

GDPR requires companies to be transparent about how they collect data, what they do with it, and how they process it, and to explain this clearly.

Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’.

If companies do not adhere to the new legislation and are found in breach or non-compliant, then tougher and stricter fines of up to €20 million or 4% of their global annual turnover, whichever is greater, will be incurred.

Why was GDPR Created?

The current legislation was created before the internet and cloud technology found ways of exploiting people’s personal data. In order to use services such as Facebook and Google, you are asked to give personal information. This information is then used and exploited. By strengthening the data protection legislation and enforcing tougher rules, the EU hopes to improve trust in the ever-growing digital world.

Who will be affected by GDPR and who does it apply to?

Because GDPR is a regulation, it will automatically apply by law to all members of the EU as of 25 May 2018.

‘Controllers’ and ‘processors’ of data need to abide by the new legislation. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.

GDPR will apply to anyone dealing with EU residents’ data, regardless of whether the company handling the data is outside of the EU.

If anyone fails to comply with the new legislation, they will be far more liable under the GDPR than they were under the Data Protection Act 1998.

Despite the UK Government leaving the EU, Article 50 has not been triggered yet. Due to the two-year timeframe in which the UK will have to leave the EU fully, GDPR will already be in effect, meaning that the UK will still have to abide by the new legislation.