General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. A key European Union legislation, it gives people more rights over what organisations can do with their personal data. It applies across all EU member states, including the UK.

Under the regulation, businesses that store and process personal data must do so lawfully, transparently, for a specific purpose and for no longer than necessary. Small businesses are not exempt - if you process any amount of personal data, you must comply with the GDPR.

Much of the new law builds on the previous data protection rules, so it may not seem radically different. However, parts of the regulation introducedĀ greater rights for EU citizens and significant new requirements for organisations that process personal data.

This guide provides a quick start for those businesses looking to better understand the GDPR. It gives a summary overview of the new regulation and more detail on some of its key features, including the lawful basis, data subject rights, consent, privacy notices, penalties and breach reporting duties.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.