The General Data Protection Regulation

The General Data Protection Regulation

The GDPR (General Data Protection Regulation), which superseded the UK DPA (Data Protection Act) 1998 on 25 May 2018, marks a significant increase in responsibility for all organisations that process personal data.

The Regulation substantially extends the data rights of individuals, and, among other things, requires data controllers and processors to implement appropriate and proportionate technical and organisational measures to protect personal data.

Contact us

Personal data

The GDPR defines personal data as any information relating to an identified or identifiable natural person (known as a data subject).

Personal data

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour
  • Profiling and analytics data

Special categories of personal data

  • Race
  • Religion
  • Political opinions
  • Trade union membership
  • Sexual orientation
  • Health information
  • Biometric data
  • Genetic data



The Regulation is backed by a regime of considerably higher penalties than the DPA 1998 – administrative fines of up to €20 million (approximately £17.5 million) or 4% of annual global turnover (whichever is greater).

It also grants data subjects the right to lodge a complaint with the supervisory authority – the Information Commissioner’s Office in the UK – if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.

On top of this, the ICO has the power to “impose a temporary or definitive limitation including a ban on processing”, effectively shutting offending organisations down altogether. 


Key provisions of the GDPR

Data processing principles

Personal data must be:

  • Processed lawfully, fairly and transparently.
  • Collected for specified, explicit and legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date. 
  • Kept in a form that allows data subjects to be identified for no longer than necessary.
  • Processed in a manner that ensures appropriate security, using appropriate technical or organisational measures.

Accountability and governance

You must be able to demonstrate compliance with the GDPR by:

  • Establishing a governance structure with roles and responsibilities.
  • Keeping a detailed record of all data processing operations.
  • Documenting data protection policies and procedures.
  • Performing data protection impact assessments (DPIAs) for high-risk processing operations.
  • Implementing appropriate measures to secure personal data.
  • Carrying out staff training and awareness.
  • Where necessary, appointing a data protection officer.

Data protection by design and by default

There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:

  • Data protection must be considered at the design stage of any new process, system or technology.
  • A DPIA is an integral part of privacy by design.
  • The default collection mode must be to gather only the personal data that is necessary for a specific purpose.

Lawful processing

You must identify and document a lawful basis for processing personal data:

  • Direct consent from the individual.
  • The necessity to perform a contract.
  • Protecting the vital interests of the individual.
  • The legal obligations of the organisation.
  • Necessity for the public interest.
  • The legitimate interests of the organisation. (Note that this basis doesn’t apply to processing carried out by public authorities in the performance of their tasks.)

Valid consent

There are strict rules for obtaining consent:

  • Consent must be freely given, specific, informed and unambiguous.
  • A request for consent must be intelligible and in clear, plain language.
  • Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
  • Consent can be withdrawn at any time.
  • Consent for online services from a child under 13 is only valid with parental authorisation.
  • Organisations must be able to evidence consent.

Privacy rights of individuals

Individuals have:

  • The right to access their personal data via a DSAR (data subject access request).
  • The right to correct inaccurate personal data.
  • The right in certain cases to have personal data erased.
  • The right to object.
  • The right to move personal data from one service provider to another (data portability).

Transparency and privacy notices

Organisations must be clear and transparent about how personal data is going to be processed, by whom and why.

  • Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.

Data transfers outside the EU

The transfer of personal data outside the EU is only allowed:

  • Where the EU has designated a country as providing an adequate level of data protection.
  • Through model contracts or binding corporate rules.
  • By complying with an approved certification mechanism, e.g. the EU-US Privacy Shield.

Data security and breach reporting 

  • Personal data must be secured against unauthorised processing and accidental loss, destruction or damage.
  • Data breaches must be reported to the supervisory authority within 72 hours of discovery.
  • Individuals impacted should be told when there is a high risk to their rights and freedoms, e.g. identity theft, personal safety

DPO (data protection officer)

Appointing a DPO is mandatory for:

  • Public authorities.
  • Organisations involved in high-risk processing.
  • Organisations processing special categories of data.

A DPO has set tasks:

  • Inform and advise the organisation of its obligations.
  • Monitor compliance, including awareness raising, staff training and audits.
  • Cooperate with data protection authorities and act as a contact point.


How can GRCI Law help you?

We offer a range of services that are designed to provide you with the GDPR support you need. Drawing on our extensive experience, we are well-placed to help you quickly, cost-effectively, and without the risk of conflicts of interest. Find out more about our GDPR solutions here:


Speak to an expert

If you would like more information about our services and what we can do to help you, please get in touch with our team of experts who will be able to assist with your enquiry and provide guidance options.

Contact us