What Is GDPR ?

What is the GDPR ?

GDPR stands for General Data Protection Regulation. It is the new EU Data Protection Regulation that comes into effect on the 25th of May 2018 for all the member states within the European Union.

In the UK, it will replace the Data Protection Act of 1988 regardless of the outcome of Brexit. The UK Government has confirmed that GDPR will apply to the UK well beyond the date when the UK eventually leaves the European Union.

The biggest change from the old DPA act of 1998 to the new GDPR is the massive increase in fines for Data breaches with some GDPR breaches carrying fines of up to 4% of Global company turnover or 20 Million Euros.

The GDPR also stipulates that companies and organisations will have to appoint a mandatory position of a Data Protection Officer (DPO) whose key role would be to ensure compliance with GDPR

GDPR Impact

A wider definition of personal and sensitive data:

  • Cookies
  • IP address
  • Health
  • Biometric
  • Genetic
  • EU based organisations that collect or process the personal data of EU residents.
  • Organisations outside the EU that monitor behaviour or offer goods and services to EU residents.

GDPR applies directly to service providers that process personal data on behalf of an organisation:

  • Cloud services
  • Call centers
  • Payroll services


  • Stricter rules for obtaining consent as a legal basis for processing.
  • The right to have personal data erased in certain cases.
  • The right to transparent information about what data is collected and how it is processed.
  • The right to personal data portability from one service provider to another.
  • The right to correct inaccurate personal data.
  • The right not to be subject to a decision based solely on automated processing.

Accountability: Demonstrate compliance by maintaining a record of all data processing activities.

Data Breaches: Report data breaches to the regulator within 72 hours.

Data protection impact assessment (DPIA): Mandatory if the processing activity is likely to result in a high risk to the rights of individuals.

Data Protection Officer mandatory if:

  • public authority
  • monitoring individuals on a large scale
  • processing sensitive data

Data Security: Keep personal data secure through “appropriate technical and organisational measures.”

Data Transfer: Transfer of personal data outside the EU only allowed if appropriate safeguards are in place.

  • Fines of up to €20 million or 4% global turnover.
  • Compensation claims for damages suffered.
  • Reputational damage and loss of consumer trust.

Who Needs a Data Protection Office (DPO) ?

Article 37 of the GDPR states that Data controllers as well as Data Processors are required to appoint a Data Protection Officer (DPO) in 3 situations:

1. Where the processing is carried out by a public authority or body:

Public authorities and bodies that are subject to the Freedom of Information Act will be covered by this requirement such as Councils, Government Departments, Hospitals, Schools and Emergency Services etc.

2. Where the core activities of the controller or the processor consists of processing operations which require regular and systemic monitoring of data subjects on a large scale

Companies involved in processing personal data on a large scale for the purpose of behavioural marketing, online tracking, detection of money laundering, fraud prevention, CCTV monitoring systems, loyalty programs etc. will have to appoint a DPO.

3. Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Under this provision, companies that hold sensitive data such as ethnic origin, political opinions, religion, health data, membership clubs, trade unions, cloud storage providers that are storing patient records etc. will have to appoint a DPO.

It is also suggested that, as good practice, private organisations that carry out public tasks should also appoint a DPO. This could include private companies delivering public services under an outsourced agreement such as housing maintenance companies etc.