New Data Protection laws on the way! "The General Data Protection Regulation (GDPR)"

27 Jul 2017

Just as many of us were getting used to and comfortable with the Data Protection Act 1998 (DPA), the regime is about to change. If you or your business handles personal or sensitive personal data, you will need to be aware of the main changes on the way. This article highlights the key headings of the General Data Protection Regulation (GDPR) to help you get to grips with the new legal regime in the EU. I want to explain where the GDPR resembles the current UK Data Protection Act 1998 (DPA), and where it differs. I am writing for those who have day-to-day responsibility for data protection; it does not matter whether you are in HR, accounts or customer relations – these regulations are on the way. I know that many will say "we are leaving the EU, what has this to do with us?". Well, I think, and many agree, that the UK legislative authorities will want to follow EU requirements so that we can continue to transfer data (and trade) across mainland Europe. Indeed, the government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.

The ICO (the UK’s independent body established to uphold information rights) is working to help information users and handlers to be ready for the new regulations. This article is heavily sourced from the ICO and the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative – for the next 17 months in any event.

The GDPR applies in this country from 25 May 2018.

The ICO is the first to acknowledge that there may still be questions about how the GDPR would apply post-Brexit, but it states: “This should not distract from the important task of compliance with the GDPR.”

Does the GDPR apply to you?

As with the DPA, the GDPR applies to 'controllers' and 'processors'. Broadly, the definitions follow the DPA: a controller decides why and how personal data is dealt with (processed), and a processor carries out that processing on the controller's behalf and on its instructions. So, in short: if you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR will place new and greater specific legal obligations on you:

You will be required to maintain records of personal data and processing activities

You will have significantly more legal liability if you are responsible for a breach.

(source ICO guidance)

Controllers also have greater liability under the GDPR. You are not relieved of your obligations because a processor is involved; the GDPR places further obligations on you to ensure that your contracts with processors comply with the GDPR.

(source ICO guidance)

In short, you will need to audit your contracts with processors to make sure that they are compliant with the GDPR. The GDPR covers processing by organisations established in the EU whether the processing itself takes place inside or outside the EU. This is not so surprising. The GDPR also applies to you or to organisations outside the EU if you or those organisations offer goods or services to people in the EU, or monitor the behaviour of people in the EU. It does not apply to processing carried out purely for personal or household activities.

What type of information is covered by GDPR?

Personal data

The GDPR, like the DPA, covers personal data. BUT the GDPR's definition of personal data is more detailed, and it expressly includes online identifiers. An IP address, for example, is potentially personal data. The GDPR's wider definition allows "a wide range of personal identifiers to constitute personal data", and it is designed to reflect changes in technology and in the ways organisations gather data about individuals.

For the day-to-day business of keeping personnel details, lists of customers, their contact details and so on, the change to the definition ought to have little additional impact on you. A good working assumption is that if you hold information within the scope of the DPA, it will also be covered by the GDPR.

“The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.”

(source: ICO)

Sensitive personal data

What the DPA calls sensitive personal data, the GDPR calls "special categories of personal data" (see Article 9). In effect the categories are much the same as those in the DPA, with some small changes. The special categories now specifically include genetic data, and biometric data where it is processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not one of the special categories, but the GDPR applies separate, similar safeguards to it (Article 10).
